NGSSoftware Insight Security Research Advisory Name: Multiple Vulnerabilities in the AtHoc Toolbar For MSIE Systems Affected: AtHoc Toolbar for MSIE Severity: High Vendor URL: http://www.athoc.com/site/products/toolbar.asp Author: Mark Litchfield [ mark@ngssoftware.com ] John Heasman [ john@ngssoftware.com ] Date of Public Advisory: 19th January 2004 Advisory number: #NISR19012005c Advisory URL: http://www.ngssoftware.com/advisories/athoc-01full.txt Reference: http://www.ngssoftware.com/advisories/athoc-01.txt Description *********** Multiple vulnerabilities have been discovered in the AtHoc toolbar which can allow remote code execution through Internet Explorer when browsing to a specially crafted webpage. AtHoc sell a development suite which can allow a vendor to use their technology to create custom toolbars for their own clients. Among the most renound of AtHoc's toolbar clients are: eBay Accenture ThomasRegister ThomasRegional Juniper Networks WiredNews CarFax Agile PLM Details ******* The AtHoc toolbar comes with ActiveX component which exports a number of methods relating to the specifics of toolbar, such a skin settings, whether a debug log is to be kept, and numerous other options relating to customisation. When attempting to provide an overly long 'skin name' to the SetSkin() method exported by the control, a stack based buffer overflows, overwriting a saved return address on the stack and eventually allowing arbitrary code to be executed. When the AtHoc toolbar is closed and re-started, a debug log is written containing various pieces of information relating to the success of certain operations which have been performed on the AtHoc toolbar during the users browsing session. One of the operations which is logged, is the setting of a 'base url', a value which is used by the toolbar when constructing absolute urls for certain web related functionality. The SetBaseURL() function is used to set the base url. If the url provided to the function is not valid, the url is logged by the toolbar in the debug log, which is stored in the root of the drive on which the toolbar is installed. The code which writes the invalid base url to the debug log is vulnerable to a format string attack which can overwrite arbitrary dwords in memory with arbitrary values. It is possible to overwrite saved return addresses, function pointers, string pointers and more to easily gain control over the execution flow of the process, thus allowing arbitrary code execution. The vulnerable component is marked safe for scripting by default, thereby allowing the dangerous functionality to be accessed with little user interaction. Fix Information *************** AtHoc has fixed these vulnerabilities and has advised the various vendors to update their toolbars to use the latest components. These fixed toolbars can be downloaded from the vendors respective websites. About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com