=========================================================================
SiOL komunikator IM ActiveX stack overflow condition
=========================================================================
Release date: 30.7.2008
Severity: Moderately critical
Impact: Stack overflow
Remote: Yes
Status: Unpatched
Software: SiOL Komunikator v1.3 (SLO_71130)
Tested on: Microsoft Windows XP SP3 / IE6 SP3
Developer: http://www.siol.net/
http://www.eyeball.com/
Disclosed by: Edi Strosar
Vendor's description of affected application:
=============================================
"SiOL komunikator je programska oprema za neposredno sporočanje, ki podpira celovito komuniciranje s tekstovnimi sporočili, izmenjavo datotek ter možnostjo glasovnih in video klicev, brez telefonskega aparata in s katerekoli lokacije, kjer je omogočena povezava v Internet."
English translation (sort of):
SiOL komunikator is an instant messaging (IM) application based on Eyeball Communicator offered by SiOL (Slovenia On-Line) ISP.
Download link:
http://www.siol.net/spletne_storitve/siol_komunikator.aspx
ActiveX control overview:
=========================
Developer: Eyeball Networks, Inc.
Version: 5.0.907.1
Component: CoVideoWindow.ocx
GUID: {CA06EE71-7348-44C4-9540-AAF0E6BD1515}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
KillBitSet: False
Description:
============
SiOL komunikator's ActiveX component CoVideoWindow.ocx is susceptible to stack overflow condition in BgColor() method which may lead to remote code execution. The vulnerability could be exploited if user with SiOL komunikator installed visits a specialy crafted web page.
Proof of concept:
=================
Following testcase will crash Internet Explorer:
Note: close all Internet Explorer instances before executing PoC!
Tested with SiOL komunikator v1.3 (SLO_71130). Other versions may be affected.
Exception overview:
===================
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=00000774: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000003: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=000428F4: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EDX=000FB770: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
ESP=0013D8EC: C6 9A 80 7C 0D B9 E8 01-00 00 00 00 20 39 EC 01
EBP=0013D904: 44 D9 13 00 1C 9F E8 01-1C D9 13 00 24 00 39 02
ESI=000FB772: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EDI=02390024: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
EIP=01E93635: 85 01 3D 00 10 00 00 73-EC 2B C8 8B C4 85 01 8B
--> TEST [ECX],EAX
----------------------------------------------------------------
Mitigation:
===========
Set the kill bit (http://support.microsoft.com/kb/240797).
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA06EE71-7348-44c4-9540-AAF0E6BD1515}]
"Compatibility Flags"=dword:00000400
Timeline:
=========
12.07.2008 - initial developer notification
- no response
20.07.2008 - additional developer notification
- no response
30.07.2008 - public disclosure
Contact:
========
edi [dot] strosar [at] gmail [dot] com
Disclaimer:
===========
The content of this report is purely informational and meant for educational purposes only. Author shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.
=========================================================================