Full Disclosure mailing list archives
KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability
From: BPS <l1nefeed () gmail com>
Date: Tue, 22 May 2007 20:16:54 +0900
Title : KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability Version : AxKSignSWAT.dll (KSignSWAT ActiveX Control) ver. 2.0.3.3 Discoverer : KIM, KEE HONG (l1nefeed () gmail com) Critical : High Critical Test system : Windows XP SP2 Korean (All patched) : Windows XP SP2 English (All patched) Vendor : KSign (www.ksign.com) Solution : patched. Note : 2007/05/14 notified KISA (Korean Information Security Agency) 2007/05/15 Confirmed Vulnerability 2007/05/21 Patched by Vendor (maybe...) 2007/05/22 Disclosure. Description: The KSign's KSignSWAT ActiveX is common certification solution if people use Internet banking, Goverment Sites and Stock Trading. The KsignSWAT ActiveX has multiple buffer overflow vulnerability. if uses HTML file which was crafted by this vulnerability, then you'll get system admin's privilege. KSignSWAT ActiveX has 5 vulnerable function. -SWAT_Init(), SWAT_InitEx(), SWAT_InitEX2(), SWAT_InitEx3(), SWAT_Login(). This functions requests several arguments (over the 2 arguments) and this functions didn't check argument buffer size. It's a very simple buffer overflow even Windows Environment. 1. SWAT_Init() has 5 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP. (over the 664 bytes) 2. SWAT_InitEx() has 7 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP. (over 664 bytes) 3. SWAT_InitEx2() has 8 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP. (over 664 bytes) 4. SWAT_InitEx3() has 9 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP. (over 664 bytes) 5. SWAT_Login() has 1 arguments. Argument didn't check buffer size, so we can overwrite EIP. (over 671 bytes) POC CODE COMING SOON Greet : BugTruck Group, PowerHacker Team (Thx, AmesianX) -- B.P.S _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability BPS (May 22)
- <Possible follow-ups>
- KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability BPS (May 22)