SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Cisco WebEx Meeting Manager Vendors:   WebEx
Webex Meeting Manager Buffer Overflow in ActiveX Control Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020641
SecurityTracker URL:  http://securitytracker.com/id/1020641
CVE Reference:   CVE-2008-2737   (Links to External Site)
Updated:  Aug 15 2008
Original Entry Date:  Aug 7 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): control version 20.2008.2601.4928
Description:   A vulnerability was reported in Webex Meeting Manager. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user, will invoke an ActiveX control and trigger a buffer overflow in the 'atucfobj' module to execute arbitrary code on the target system. The code will run with the privileges of the target user.

The CLSID of the vulnerable control is: 32E26FD9-F435-4A20-A561-35D4B987CFDC

The vendor was notified on June 20, 2008.

Elazar Broad reported this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version (20.2008.2606.4919) of the affected control. The fix will be downloaded when the user joins a meeting.

The vendor's advisory is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Vendor URL:  www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Webex atucfobj Module ActiveX Control Buffer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of
which is vulnerable to a stack based buffer overflow. The atucfobj
Module contains a single method called NewObject() who's only
parameter is vulnerable to this issue.

This issue has been confirmed in version 20.2008.2601.4928, prior
versions are believed to vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC}

Fix:
The vendor has released version 20.2008.2606.4919 of this control,
which fixes this issue. The control should be updated when the user
joins a meeting.

Workaround:
Set the killbit for the affected control. See
http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they
were aware of it, but would not say whether it was the result of an
internal audit or an independent researcher.

Timeline:
06/20/2008 -> Issue reported to the vendor
06/21/2008 <- Vendor responds asking for further details
06/22/2008 -> Details sent with PoC
06/25/2008 <- Vendor responds stating that they are aware of this
issue
08/06/2008 - Disclosure

Elazar

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQECAAYFAkiZ3PAACgkQi04xwClgpZiyOgP8CM9oC+m3tr5TBU6ZbvacAcq/SqXu
zIUjqfGWz/GNaRRXISzPLrp7aYwepxXL/uxp+zmHR+h0phGOf2FoLmuBY1g3WULmaFu1
oQbGbVfNuS21qH/YvC9mWuOFSeoYOogsyKDGX1Iha6jNDsj5+JlbAIsqk9xwyb021eTm
BpGN3W8=
=tQOJ
-----END PGP SIGNATURE-----

--
Hotel pics, info and virtual tours.  Click here to book a hotel online.
http://tagline.hushmail.com/fc/Ioyw6h4eRCkjWyUGURkqKkn8TNo5LNJlfxlxQ4nlv0rtj3ey80N9EU/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC