Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24117
HistoryJun 23, 2010 - 12:00 a.m.

NSOADV-2010-008: AnNoText Third-Party ActiveX Control Buffer Overflow

2010-06-2300:00:00
vulners.com
17
JSON

-------------------------- NSOADV-2010-008 ---------------------------

    AnNoText Third-Party ActiveX Control Buffer Overflow

                           111101111
                    11111 00110 00110001111
               111111 01 01 1 11111011111111
            11111  0 11 01 0 11 1 1  111011001
         11111111101 1 11 0110111  1    1111101111
       1001  0 1 10 11 0 10 11 1111111  1 111 111001
     111111111 0 10 1111 0 11 11 111111111 1 1101 10
    00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
   10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
   0111111110 0110 1110 1 0 11101111111111111011 11100  00
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1  1 111 1   10011 101111111111011111111 0   1100

111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111

Title: AnNoText Third-Party ActiveX Control Buffer
Overflow
Severity: Critical
Advisory ID: NSOADV-2010-008
Found Date: 18.03.2010
Date Reported: 25.03.2010
Release Date: 11.06.2010
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-008.txt
Vendor: AnNoText (http://www.annotext.de/)
Affected Products: ADVOAkte 17 Build 4.8.0.116 Patchlevel 034
Affected Component: KEYHELPLib ActiveX Control V.1.1.2200.0
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: unknown (No response from vendor)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy

Background:

AnNoText is a German Company, which makes Software for lawyers.

Description:

During the installation of the ADVOAkte an ActiveX Control will be
installed (keyhelp.ocx), in which multiple functions are vulnerable to a
buffer oveflow bugs, which could lead to a remote code execution.

Registered Classes:
±-----------------

Name: KeyPopup Class
Vendor: KeyWorks Software
Type: ActiveX-Control
Version: 1.1.2200.0
GUID: {1E57C6C4-B069-11D3-8D43-00104B138C8C}
File: keyhelp.ocx
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: False

Name: KeyScript Class
Vendor: KeyWorks Software
Type: ActiveX-Control
Version: 1.1.2200.0
GUID: {45E66957-2932-432A-A156-31503DF0A681}
File: keyhelp.ocx
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: False

Name: KeyHelp Embedded Window
Vendor: KeyWorks Software
Type: ActiveX-Control
Version: 1.1.2200.0
GUID: {B7ECFD41-BE62-11D2-B9A8-00104B138C8C}
File: keyhelp.ocx
Folder: C:\WINDOWS\system32\
Safe for Script: True
Safe for Init: True

Proof of Concept :

http://sotiriu.de/software/NSOPOC-2010-008.zip

(coming soon)

Solution:

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSID:

{1E57C6C4-B069-11D3-8D43-00104B138C8C}
{45E66957-2932-432A-A156-31503DF0A681}
{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}

Save the following text as a .REG file and imported to set the kill bit
for this controls:

±-------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{45E66957-2932-432A-A156-31503DF0A681}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{B7ECFD41-BE62-11D2-B9A8-00104B138C8C}]
"Compatibility Flags"=dword:00000400
±-------------------------------------

More information about how to set the kill bit is available in Microsoft
Support Document 240797 (http://support.microsoft.com/kb/240797).

Disclosure Timeline (YYYY/MM/DD):

2010.03.18: Vulnerability found.
2010.03.25: Initial contact by support email address.
2010.03.29: Second contact by support, info and vertrieb (sales) email
address. Sent the Notification and Disclosure Policy and
the release date (2010.04.08).
2010.03.29: Initial Vendor response.
2010.03.30: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.04.08) to Vendor
2010.04.08: Ask for a status update, because the planned release date is
2010.04.08.
[-] No Response
2010.04.12: Set Release Date to 2010.04.15.
2010.04.08: Ask for a status update, because the planned release date is
2010.04.15.
[-] No Response
2010.04.15: Set Release Date to 2010.04.22.
2010.04.16: Vendor informed me that the vulnerability is a third party
issue and AnNoText contacted them.
2010.05.20: Asked if AnNoText already got a fixed version of the third
party component.
[-] No Response
2010.06.08: Informed AnNoText that the final release date is now the
2010.06.10
[-] No Response
2010.06.11: Release of this Advisory on my website
2010.06.19: Release of this Advisory on full-disc and Bugtraq

JSON