======================================================================

                          Secunia Research 08/12/2006

       - AOL CDDBControl ActiveX Control "SetClientInfo()" Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
Vendor Statement.....................................................8
References...........................................................9
About Secunia.......................................................10
Verification........................................................11

======================================================================
1) Affected Software

- America Online 7.0 revision 4114.563
- AOL 8.0 revision 4129.230
- AOL 9.0 Security Edition revision 4156.910

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System compromise
Where:  Remote

======================================================================
3) Vendor's Description of Software

Product Link:
http://downloads.channel.aol.com/windowsproducts

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in AOL, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the
"CDDBControlAOL.CDDBAOLControl" ActiveX control (cddbcontrol.dll) when
processing "ClientId" arguments passed to the "SetClientInfo()" method.
This can be exploited to cause a stack-based buffer overflow by passing
an overly long string (more than 256 bytes).

Successful exploitation allows execution of arbitrary code when a user
visits a malicious website with Internet Explorer.

In order to exploit the vulnerability, a certain registry value has to
be set to "1111". This is not set by default, but can be set
automatically by first instantiating the bundled CerberusCDPlayer
ActiveX control.

======================================================================
5) Solution

Updates are automatically available for AOL 9.x users when logging
into the AOL service.

======================================================================
6) Time Table

23/11/2006 - Vendor notified.
24/11/2006 - Provided additional information to the vendor.
24/11/2006 - Vendor response.
08/12/2006 - Public disclosure.

======================================================================
7) Credits

Discovered by Carsten Eiram, Secunia Research.

======================================================================
8) Vendor Statement

Overview

AOL has recently been made aware of a security vulnerability present
in the AOL CDDB ActiveX control. Successful exploitation of the
vulnerability may allow an attacker to execute arbitrary code on a
vulnerable system.

Affected Products and Applications

All AOL software versions are affected by this issue.

Solutions

1. Users of AOL 9.0 or AOL 9.0 Security Edition are recommended to log
   in to the AOL service and a fix will be seamlessly applied to their
   system.

2. Users using versions of AOL that are older than 9.0 are strongly
   recommended to upgrade to the latest version of AOL 9.0 Security
   Edition.

Acknowledgements

AOL would like to thank Secunia for their efforts in identifying and
responsibly reporting this issue.

======================================================================
9) References

The Common Vulnerabilities and Exposures (CVE) project has not
currently assigned a CVE identifier for the security issue.

======================================================================
10) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
11) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-69/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
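The boundary error described in section 4 is the classic pattern of a fixed-size stack buffer filled from a caller-controlled string with no length check. The C below is an added illustration written for this page, not code from cddbcontrol.dll or from AOL: the function names, the 256-byte buffer size taken from the advisory, and the 'A'-filled test input are all assumptions. It shows the unchecked copy next to a hardened version that rejects a "ClientId" longer than the buffer before copying.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, taken from the advisory's "more than 256 bytes". */
#define CLIENT_ID_MAX 256

/* Hypothetical model of the flawed pattern: a fixed stack buffer is filled
 * from caller-controlled input with no bound. A string of CLIENT_ID_MAX
 * bytes or more overruns the stack (undefined behaviour), so this model
 * must only ever be called with short input; it exists for comparison. */
int set_client_info_unchecked(const char *client_id)
{
    char buf[CLIENT_ID_MAX];
    strcpy(buf, client_id);            /* no length check: the defect */
    return (int)strlen(buf);
}

/* Hardened form: measure the input against the buffer first, refuse
 * anything that does not fit including its terminator, then copy with an
 * explicit bound and write the terminator ourselves. */
int set_client_info_checked(const char *client_id)
{
    char buf[CLIENT_ID_MAX];
    size_t len = 0;

    /* Bounded length scan: stop at CLIENT_ID_MAX so an unterminated or
     * oversized input is never read past the point where it must fail. */
    while (len < CLIENT_ID_MAX && client_id[len] != '\0')
        len++;
    if (len >= CLIENT_ID_MAX)
        return -1;                     /* too long: reject, do not copy */

    memcpy(buf, client_id, len);
    buf[len] = '\0';
    return (int)len;                   /* accepted length */
}

/* Test helper: builds a constructed ClientId of n 'A' bytes (n < 1024) and
 * feeds it to the hardened function, returning its verdict. */
int check_client_id_of_length(size_t n)
{
    char id[1024];
    if (n >= sizeof(id))
        return -2;
    memset(id, 'A', n);
    id[n] = '\0';
    return set_client_info_checked(id);
}

int main(void)
{
    printf("short id (checked):   %d\n", set_client_info_checked("aol-client"));
    printf("255-byte id (checked): %d\n", check_client_id_of_length(255));
    printf("256-byte id (checked): %d\n", check_client_id_of_length(256));
    printf("300-byte id (checked): %d\n", check_client_id_of_length(300));
    return 0;
}
```

The hardened version fails closed: any ClientId that would not fit together with its terminator is rejected with -1 before a single byte is copied, which is the check the advisory says the control lacked.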