Title: AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities Vendor: AVTECH Software, Inc. Product Web Page: http://www.avtech.com Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor multi-OS computers and network issues throughout a department or an entire enterprise. Once issues or events occur, AVTECH Software products use today's most advanced alerting technologies to communicate critical and important status information to remote system managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more. Automatic corrective actions can also be taken to immediately resolve issues, run scripts, and shutdown/restart servers or applications. AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment specifically designed to monitor today's advanced computer rooms and data centers. Our Room Alert and TemPageR products are used to monitor environmental conditions in many of the world's most secure data centers and are installed in almost every branch of the US government. Description: AVTECH Software's AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities such as buffer overflow, integer overflow and denial of service (IE crash). This issue is triggered when an attacker convinces a victim user to visit a malicious website. Remote attackers may exploit this issue to execute arbitrary machine code in the context of the affected application, facilitating the remote compromise of affected computers. Failed exploit attempts likely result in browser crashes. Windbg: ====================================================================================================== (265c.26b4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00fe46f0 ebx=00000000 ecx=baadf00d edx=0000001f esi=baadf00d edi=0013f030 eip=10019003 esp=0013ed2c ebp=0013eef4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** WARNING: Unable to verify checksum for C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for AVC_AX_724_VIEWER.dll - AVC_AX_724_VIEWER+0x19003: 10019003 837e3c65 cmp dword ptr [esi+3Ch],65h ds:0023:baadf049=???????? ====================================================================================================== Version Tested: 1.0.9.4 Platform Used: Microsoft Windows XP Professional Service Pack 3 (English) Microsoft Internet Explorer 8.0.6001.18702 Vulnerability Discovered By: Gjoko 'LiquidWorm' Krstic - liquidworm gmail com Macedonian Information Security Research And Development Laboratory Zero Science Lab - http://www.zeroscience.mk Date: 18.04.2010 Advisory ID: ZSL-2010-4934 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php ######################################## Internal Details ############################################ Vulnerabity type: - Buffer Overflow - Integer Overflow - Denial Of Service Vulnerable library: AVC781Viewer Vulnerable class: CV781Object Vulnerable members: - SendCommand - Login - Snapshot - _DownloadPBOpen - _DownloadPBOpen2 - _DownloadPBClose - _DownloadPBControl File location: C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll ProgID: AVC781Viewer.CV781Object CLSID: 8214B72E-B0CD-466E-A44D-1D54D926038D Version: 1.0.9.4 RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data IPersist Safe: Safe for untrusted: caller,data IPStorage Safe: Safe for untrusted: caller,data CompanyName AVTECH FileDescription SOFTWARE FileVersion 1.0.9.4 InternalName AVC781Viewer.dll LegalCopyright AVTECH. All rights reserved. OriginalFileName AVC781Viewer.dll ProductName SOFTWARE ProductVersion 1.0.9.4 Exception codes (AVC_AX_724_VIEWER.dll): ====================================================================================================== ACCESS_VIOLATION Disasm: 10019003 CMP DWORD PTR [ESI+3C],65 ===== ACCESS_VIOLATION Disasm: 1001906F MOV EAX,[ECX+48] ===== ACCESS_VIOLATION Disasm: 10006C23 MOV [EAX],CL ===== ACCESS_VIOLATION Disasm: 10007163 MOV [EAX],CL ===== ACCESS_VIOLATION Disasm: 10008437 MOV DWORD PTR [EAX+B58],1 ===== ACCESS_VIOLATION Disasm: 10001DDB MOV ECX,[EAX+31C] ===== ACCESS_VIOLATION Disasm: 10001E34 MOV EAX,[EAX+31C] ===== ACCESS_VIOLATION Disasm: 10008867 MOV DWORD PTR [EAX+B58],1 ===== Two random exception details: ====================================================================================================== ====================================================================================================== Exception Code: ACCESS_VIOLATION Disasm: 10019003 CMP DWORD PTR [ESI+3C],65 (AVC_AX_724_VIEWER.dll) Seh Chain: -------------------------------------------------- 1 10023363 AVC_AX_724_VIEWER.dll 2 FC2950 VBSCRIPT.dll 3 7C839AC0 KERNEL32.dll Called From Returns To -------------------------------------------------- AVC_AX_724_VIEWER.10019003 VBSCRIPT.F73E27 VBSCRIPT.F73E27 VBSCRIPT.F73397 VBSCRIPT.F73397 VBSCRIPT.F73D88 VBSCRIPT.F73D88 VBSCRIPT.F7409F VBSCRIPT.F7409F VBSCRIPT.F763EE VBSCRIPT.F763EE VBSCRIPT.F76373 VBSCRIPT.F76373 VBSCRIPT.F76BA5 VBSCRIPT.F76BA5 VBSCRIPT.F76D9D VBSCRIPT.F76D9D VBSCRIPT.F75103 VBSCRIPT.F75103 SCROBJ.5CE44396 SCROBJ.5CE44396 SCROBJ.5CE4480B SCROBJ.5CE4480B SCROBJ.5CE446A6 SCROBJ.5CE446A6 SCROBJ.5CE44643 SCROBJ.5CE44643 SCROBJ.5CE44608 SCROBJ.5CE44608 1013C93 1013C93 1006B0C 1006B0C 100332C 100332C 1003105 1003105 1003076 1003076 1002F16 1002F16 KERNEL32.7C817067 Registers: -------------------------------------------------- EIP 10019003 -> 10044530 -> Asc: 0E0E EAX 00FE4658 -> 10044530 -> Asc: 0E0E EBX 00000000 ECX BAADF00D EDX 0000001F EDI 0013F030 -> 0047DE68 ESI BAADF00D EBP 0013EEF4 -> 0013EF30 ESP 0013ED2C -> 00000000 Block Disassembly: -------------------------------------------------- 10018FFC INT3 10018FFD INT3 10018FFE INT3 10018FFF INT3 10019000 PUSH ESI 10019001 MOV ESI,ECX 10019003 CMP DWORD PTR [ESI+3C],65 <--- CRASH 10019007 JNZ SHORT 10019030 10019009 MOV ECX,[ESI+10] 1001900C TEST ECX,ECX 1001900E JE SHORT 10019017 10019010 PUSH 66 10019012 CALL 1001B630 10019017 MOV EAX,[ESI+48] 1001901A MOV ECX,[EAX] ArgDump: -------------------------------------------------- EBP+8 0047AAF0 -> 00000005 EBP+12 00FE4658 -> 10044530 -> Asc: 0E0E EBP+16 00000001 EBP+20 00F71A2C -> 00000000 EBP+24 00000409 EBP+28 00000001 Stack Dump: -------------------------------------------------- 13ED2C 00 00 00 00 20 F4 00 10 30 F0 13 00 00 00 00 00 [................] 13ED3C F4 EE 13 00 00 00 00 00 BB 01 91 7C 08 00 00 00 [................] 13ED4C 40 00 00 00 30 00 00 00 08 D8 47 00 07 00 00 00 [..........G.....] 13ED5C 10 00 00 00 00 00 00 00 00 00 00 00 FA 00 00 00 [................] 13ED6C F8 D5 47 00 00 00 00 00 00 00 00 00 68 01 47 00 [..G.........h.G.] ====================================================================================================== ====================================================================================================== Exception Code: ACCESS_VIOLATION Disasm: 10006C23 MOV [EAX],CL (AVC_AX_724_VIEWER.dll) Seh Chain: -------------------------------------------------- 1 10022F68 AVC_AX_724_VIEWER.dll 2 FC2950 VBSCRIPT.dll 3 7C839AC0 KERNEL32.dll Called From Returns To -------------------------------------------------- AVC_AX_724_VIEWER.10006C23 AVC_AX_724_VIEWER.10044508 AVC_AX_724_VIEWER.10044508 AVC_AX_724_VIEWER.100097B0 AVC_AX_724_VIEWER.100097B0 8244C8B Registers: -------------------------------------------------- EIP 10006C23 EAX BAADF06D EBX 00180724 -> Uni: defaultV ECX 0013EE41 -> 24001827 -> Uni: '$'$ EDX 00182801 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EDI 001827BC -> Uni: defaultV ESI 00180724 -> Uni: defaultV EBP 00FE4658 -> 10044530 -> Asc: 0E0E ESP 0013EE40 -> 001827BC Block Disassembly: -------------------------------------------------- 10006C12 MOV EAX,[EBP+144] 10006C18 ADD EAX,60 10006C1B JMP SHORT 10006C20 10006C1D LEA ECX,[ECX] 10006C20 MOV CL,[EDX] 10006C22 INC EDX 10006C23 MOV [EAX],CL <--- CRASH 10006C25 INC EAX 10006C26 TEST CL,CL 10006C28 JNZ SHORT 10006C20 10006C2A MOV EAX,[ESP+20] 10006C2E ADD EAX,-10 10006C31 LEA ECX,[EAX+C] 10006C34 OR EDX,FFFFFFFF 10006C37 LOCK XADD [ECX],EDX ArgDump: -------------------------------------------------- EBP+8 00FE4658 -> 10044530 -> Asc: 0E0E EBP+12 001862FC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+16 0018AB44 -> Uni: defaultV EBP+20 00180A54 -> Uni: defaultV EBP+24 00000001 EBP+28 00000001 Stack Dump: -------------------------------------------------- 13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00 [............t...] 13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10 [....h...........] 13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00 [....t...........] 13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00 [\.............G.] 13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77 [XF..........DJ.w] ====================================================================================================== ====================================================================================================== Proof Of Concept: ###################################################################################################### ######################################################################################################