Intrusion Detection

AwingSoft Web3D Player (WindsPly.ocx) "SceneURL()" Remote Buffer Overflow

2009-07-16T11:03:00.009+05:30

Overview:
A vulnerability has been reported in Awingsoft Winds3D Viewer, which can be exploited by malicious people to compromise a user's system.

A boundary error in the handling of the "SceneUrl()" method can be exploited to cause a heap-based buffer overflow by supplying an overly long argument.

Impact:
Successful exploitation allows execution of arbitrary code.

Affected Software:
Awingsoft Winds3D Viewer 3.5.0.0 Beta
Awingsoft Winds3D Viewer 3.0.0.5

Vulnerable Version:
The Vulnerability is confirmed in Awingsoft Winds3D Viewer 3.5.0.0 Beta and Awingsoft Winds3D Viewer 3.0.0.5. Other versions may also be affected.

Solution:
Disable the plug-in.

References:
http://secunia.com/advisories/35764/
http://milw0rm.com/exploits/9116
http://www.shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; distance:0; content:"SceneURL"; nocase; classtype:web-application-attack; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; sid:2009xxxx; rev:1;)

CVSS Base Score: 9.3
Risk factor: High

EDraw PDF Viewer ActiveX Control "FtpDownloadFile()" Insecure Method

2009-06-19T11:54:00.002+05:30

Overview:
A vulnerability has been reported in the EDraw PDF Viewer ActiveX control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to FtpConnect() function, which could download any file from remote FTP server and put on user's disk and an insecure "FtpDownloadFile()" method. This can be exploited to download files to arbitrary locations on a user's system when visiting a malicious website.

Impact:
Successful exploitation allows execution of arbitrary code.

Affected Software:
Edraw PDF Viewer Component 3.2.0.126.

Vulnerability Version:
The vulnerability has been reported in Edraw PDF Viewer Component 3.2.0.126. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

References:
http://secunia.com/advisories/35509/
http://archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EDraw PDF Viewer ActiveX Control Insecure Method"; flow:to_client,established; content:"clsid"; nocase; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; distance:0; pcre:"/(FtpConnect|FtpDownloadFile)/i"; classtype:web-application-attack; reference:url,secunia.com/advisories/35509/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-06/0198.html; sid:xxxxxxxx; rev:1;)

CVSS Base Score: 9.3
Risk factor: High

McAfee Policy Manager 'naPolicyManager.dll' Arbitrary File Overwrite Vulnerability

2009-06-19T11:21:00.002+05:30

Overview:
McAfee Policy Manager is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content system.
A remote user can create specially crafted HTML that, when loaded by the target user, will invoke the WriteTaskDataToIniFile() method in the 'naPolicyManager.dll' ActiveX control and overwrite files on the target system with the privileges of the target user. A remote user can exploit this to cause arbitrary code to be executed on the target user's system.

Impact:
An attacker can exploit this issue to corrupt or overwrite arbitrary '.ini' files on a victim's computer in the context of the application using the ActiveX control (typically Internet Explorer). Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Affected software:
McAfee Policy Manager 0

Solution:
Set the kill-bit for the affected ActiveX control.

References:
http://www.securityfocus.com/bid/35404/
http://securitytracker.com/alerts/2009/Jun/1022413.html
http://milw0rm.com/exploits/8970

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"McAfee Policy Manager naPolicyManager.dll ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; distance:0; content:"WriteTaskDataToIniFile"; nocase; classtype:web-application-attack; reference:url,securitytracker.com/alerts/2009/Jun/1022413.html; reference:bugtraq,35404; reference:url,milw0rm.com/exploits/8970; sid:xxxxxxx; rev:1;)

CVSS Score Report: 9.3
Risk factor: High

SAP AG SAPgui 'sapirrfc.dll' ActiveX Control Buffer Overflow Vulnerability

2009-06-09T16:40:00.004+05:30

Overview:
SAP AG SAPgui (sapirrfc.dll) is vulnerable to a buffer overflow. By persuading a victim to visit a specially-crafted Web page that passes an overly long string to the Accept() method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash.

Impact:
Successfully exploiting these issues allows an attacker to to execute arbitrary code within the context of an application that uses the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.

Affected Software:
SAP AG SAPgui 6.4

Vulnerable version:
SAPgui 6.4 is vulnerable; other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Reference:
http://www.securityfocus.com/bid/35256/
http://xforce.iss.net/xforce/xfdb/50977
http://milw0rm.com/exploits/8899

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; distance:0; content:"Accept"; nocase; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/50977; reference:bugtraq,35256; reference:url,milw0rm.com/exploits/8899; sid:20090320; rev:1;)

CVSS Base Score: 9.3
Risk factor: High

What is the difference between offset, distance, depth and within of SNORT modifiers?

2009-06-04T12:28:00.005+05:30

All content matches and modifiers start from the first byte of the payload. None of them will look in the header, that's all parsed and can be matched using other directives.

Depth is how far to LOOK into the payload from the start of the payload.
Distance is how far to SKIP from the LAST byte of the previous match before looking for the current match
Offset is how far to SKIP into the packet from the beginning of the payload before looking for the current match
Within says only look in the NEXT x bytes AFTER the last byte of the last content match.

So offset and depth are from the start of payload and often used together, distance and within are similar but relevant to the last content match.

Taken from Emerging Threats.........

Roxio CinePlayer IAManager.dll ActiveX control buffer overflow

2009-06-02T14:37:00.002+05:30

Overview:
Roxio CinePlayer ActiveX control (IAManager.dll) is vulnerable to a heap-based buffer overflow exploit. It persuades a victim to visit a specially-crafted Web page that passes an overly long string to the SetIAPlayerName() method.

Impact:
A Successful exploitation could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash.

Affected Software:
Roxio, CinePlayer 3.2

Solution:
Set the kill-bit for the affected ActiveX control.

References:
http://xforce.iss.net/xforce/xfdb/50868
http://milw0rm.com/exploits/8835

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; distance:0; content:"SetIAPlayerName"; nocase; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; sid:1000095; rev:1;)

CVSS Base Score: 9.3
Risk factor: High

Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability

2009-06-02T14:21:00.002+05:30

Overview:
Roxio CinePlayer is prone to a stack-based buffer-overflow vulnerability because it fails to sufficiently check boundaries of user-supplied input before copying it to an insufficiently sized memory buffer.

Impact:
Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

Affected Software:
Roxio CinePlayer 3.2

Vulnerable version:
Roxio CinePlayer 3.2 is vulnerable to this issue; other versions may also be affected.

Solution:
Remove or Set the kill-bit for the affected ActiveX control.

Reference:
http://www.securityfocus.com/bid/23412/
http://milw0rm.com/exploits/8824

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; distance:0; content:"DiskType"; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8824;reference:bugtraq,23412; sid:20090263; rev:1;)

CVSS Base Score: 9.3
Risk factor : High

Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow Vulnerabilities

2009-05-27T15:14:00.006+05:30

Overview: Sun Java Runtime Environment is prone to multiple remote buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.

By persuading a victim to visit a specially-crafted Web page that passes an overly long string to the setInstallerType, setAdditionalPackages, installLatestJRE, compareVersion, installJRE, getStaticCLSID and launch methods, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash.

Impact: Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.

Affected Software:
Sun JRE 6.0 Update 7
Sun JRE 6.0 Update 6
Sun JRE 6.0 Update 5
Sun JRE 6.0 Update 4
Sun JRE 6.0 Update 3
Sun JRE 6.0 Update 2
Sun JRE 6.0 Update 13
Sun JRE 6.0 Update 12
Sun JRE 6.0 Update 11
Sun JRE 6.0 Update 10
Sun JRE 6.0 Update 1

Vulnerable Version: Java Runtime Environment 6 Update 13 is vulnerable; other versions may also be affected.

Solution: Remove or set the killbit for the affected control.

IDS rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; classtype:web-application-attack; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; sid:1000092; rev:1;)

References:
http://xforce.iss.net/xforce/xfdb/50508
http://www.securityfocus.com/bid/34931
http://www.milw0rm.com/exploits/8665

CVSS Base Score: 9.3
Risk factor: High

Chinagames ActiveX Control 'CreateChinagames()' Buffer Overflow Vulnerability

2009-05-23T17:18:00.007+05:30

Overview: Chinagames ActiveX control is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

The vulnerability is caused due to a boundary error in the bundled CGAgent ActiveX control (CGAgent.dll). This can be exploited to cause a stack-based buffer overflow by passing an overly long argument to the "CreateChinagames()" method.

Impact: Successfully exploiting these issues allows an attacker to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

Affected Software: Chinagames 2009
Solution: Set the kill-bit for the affected ActiveX control.

IDS Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; distance:0; content:"CreateChinagames"; nocase; classtype:web-application-attack; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; sid:200900053; rev:1;)

Reference:
http://www.securityfocus.com/bid/34871/
http://milw0rm.com/exploits/8758
http://secunia.com/advisories/35005/
CVSS Base Score: 9.3
Risk factor: High

BaoFeng Storm ActiveX Control 'SetAttributeValue()' Buffer Overflow Vulnerability

2009-05-23T16:35:00.011+05:30

Overview: BaoFeng Storm ActiveX control is prone to a buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

The issue affects the 'SetAttributeValue()' function of the 'Config.dll' control identified by CLSID:
BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05.

Impact: An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

Affected software:
BaoFeng Storm 2.7.9.10
BaoFeng Storm 2.7.9.8
BaoFeng Storm 2.8
BaoFeng Storm 2.8
BaoFeng Storm 2.9
BaoFeng Storm 3.09.03.25
BaoFeng Storm 3.09.03.30
BaoFeng Storm 3.09.04.17
Solution: Set the kill-bit for the affected ActiveX control.

IDS Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; distance:0; content:"SetAttributeValue"; nocase; classtype:web-application-attack; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; sid:900001; rev:1;)

References: http://www.securityfocus.com/bid/34869/ ; http://vupen.com/english/advisories/2009/1392 ; http://www.juniper.net/security/auto/vulnerabilities/vuln34869.html ; http://milw0rm.com/exploits/8757
CVSS Base Score: 9.3
Risk factor: High

AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability

2009-05-20T17:14:00.011+05:30

Overview: AOL Radio AmpX ActiveX control is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately check boundaries on user-supplied input.

Impact: Successfully exploiting these issues allows an attacker to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

Affected Software: AOL AmpX.dll 2.4 6
Vulnerable version: AmpX.dll 2.4.0.6 is vulnerable, other versions may also be affected.
Solution: Set the kill-bit for the affected ActiveX control.

IDS Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; distance:0; content:"ConvertFile"; nocase; classtype:web-application-attack; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; sid:900000; rev:1;)

Reference: http://www.securityfocus.com/bid/35028 ; http://milw0rm.com/exploits/8733
CVSS Base Score: 9.3
Risk factor: High