Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27831
HistoryMar 20, 2012 - 12:00 a.m.

Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability

2012-03-2000:00:00
vulners.com
32
JSON

Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll
sprintf Remote Buffer Overflow Vulnerability

Tested against: Microsoft Windows Vista SP2
Microsoft Windows XP SP3
Microsoft Windows 2003 R2 SP2
Internet Explorer 7/8/9

download url of a test version:
http://search.dell.com/results.aspx?c=us&l=en&s=gen&cat=sup&k=Dell+SX2210+monitor&rpp=12&p=1&subcat=dyd&rf=all&nk=f&sort=K&ira=False&~srd=False&ipsys=False&advsrch=False&~ck=anav

file tested: Dell_SX2210-Monitor_Webcam SW RC1.1_ R230103.exe

This package contains the Dell Webcam Central software
developed by Creative Technologies for Dell.

info:
http://dell-webcam-central.software.informer.com/
http://live-cam-avatar-creator.software.informer.com/
http://www.google.com/search?channel=s&hl=en&biw=1024&bih=581&q=13149882-F480-4F6B-8C6A-0764F75B99ED
http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=crazytalk4.ocx&btnG=Search
http://www.google.com/search?sclient=psy-ab&hl=en&biw=1024&bih=581&source=hp&q=CrazyTalk4Native.dll&btnG=Search
http://dell-webcam-central.software.informer.com/users/
http://live-cam-avatar-creator.software.informer.com/users/

I think this is a very common ActiveX, probably bundled with Dell Notebooks.

Background:
The mentioned software carries a third party ActiveX Control
with the following settings.

Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
Safe for Scripting (Registry): True
Safe for Initialization (Registry): True

This control is marked safe for scripting and safe for initialization,
then Internet Explorer will allow scripting of this control from remote.

Vulnerability:

The 'BackImage' ,'ScriptName', 'ModelName' and 'SRC' properties
can be used to trigger a buffer overflow condition.
The crazytalk4.ocx ActiveX control will load the close CrazyTalk4Native.dll
library and, while constructing a local file path, will call sprintf()
with an insufficient size.

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0012EE24 023D4FAB msvcrt.sprintf CrazyTal.023D4FA5
0012EE28 0012F180 s = 0012F180
0012EE2C 023F431C format = "%s%s%s"
0012EE30 042A2D6C <%s> = "C:\DOCUME~1\Admin\LOCALS~1\Temp\RLTMP\~RW463\"
0012EE34 0012EF5C <%s> = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
0012EE38 0012EE58 <%s> = ""
0012F164 023D601D CrazyTal.023D4F20

code, CrazyTalk4Native.dll :
.
023D4F80 85C0 test eax,eax
023D4F82 74 38 je short CrazyTal.023D4FBC
023D4F84 8B9C24 2C030000 mov ebx,dword ptr ss:[esp+32C]
023D4F8B 8D4424 1C lea eax,dword ptr ss:[esp+1C]
023D4F8F 8D8C24 20010000 lea ecx,dword ptr ss:[esp+120]
023D4F96 50 push eax
023D4F97 81C6 443B0000 add esi,3B44
023D4F9D 51 push ecx
023D4F9E 56 push esi
023D4F9F 68 1C433F02 push CrazyTal.023F431C ; ASCII "%s%s%s"
023D4FA4 53 push ebx
023D4FA5 FF15 E4F33E02 call dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
.

As attachment, proof of concept code which overwrites EIP and SEH.

Note:

0:008> lm -vm CrazyTalk4Native
start end module name
021c0000 0220b000 CrazyTalk4Native (deferred)
Image path: C:\PROGRA~1\COMMON~1\REALLU~1\CTPLAY~1\CrazyTalk4Native.dll
Image name: CrazyTalk4Native.dll
Timestamp: Thu May 17 12:13:42 2007 (464C2AD6)
CheckSum: 00048AB2
ImageSize: 0004B000
File version: 4.5.815.1
Product version: 4.0.0.1
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: C3D
ProductName: CrazyTalk4 ActiveX Control Module
InternalName: CrazyTalk4
OriginalFilename: CrazyTalk4.OCX
ProductVersion: 4, 0, 0, 1
FileVersion: 4, 5, 815, 1
PrivateBuild: 4, 5, 815, 1
SpecialBuild: 4, 5, 815, 1
FileDescription: CrazyTalk4 Native Control Module
LegalCopyright: Copyright (C) 2005
LegalTrademarks: Copyright (C) 2005
Comments: Copyright (C) 2005

proof of concept: http://retrogod.altervista.org/9sg_dell_poc_nodep.html

JSON