Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17098
HistoryMay 25, 2007 - 12:00 a.m.

[Full-disclosure] KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability

2007-05-2500:00:00
vulners.com
13
JSON

Title : KSign KSignSWAT ActiveX Control Multiple Buffer Overflows Vulnerability

Version : AxKSignSWAT.dll (KSignSWAT ActiveX Control) ver. 2.0.3.3

Discoverer : KIM, KEE HONG ([email protected])

Critical : High Critical

Test system : Windows XP SP2 Korean (All patched)
: Windows XP SP2 English (All patched)

Vendor : KSign (www.ksign.com)

Solution : patched.

Note : 2007/05/14 notified KISA (Korean Information Security Agency)
2007/05/15 Confirmed Vulnerability
2007/05/21 Patched by Vendor (maybe…)
2007/05/22 Disclosure.

Description:

The KSign's KSignSWAT ActiveX is common certification solution if people use
Internet banking, Goverment Sites and Stock Trading.

The KsignSWAT ActiveX has multiple buffer overflow vulnerability.

if uses HTML file which was crafted by this vulnerability,
then you'll get system admin's privilege.

KSignSWAT ActiveX has 5 vulnerable function. -SWAT_Init(), SWAT_InitEx(),
SWAT_InitEX2(), SWAT_InitEx3(), SWAT_Login(). This functions requests several
arguments (over the 2 arguments) and this functions didn't check argument buffer
size.

It's a very simple buffer overflow even Windows Environment.

  1. SWAT_Init()
    has 5 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP.
    (over the 664 bytes)

  2. SWAT_InitEx()
    has 7 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP.
    (over 664 bytes)

  3. SWAT_InitEx2()
    has 8 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP.
    (over 664 bytes)

  4. SWAT_InitEx3()
    has 9 arguments. 2nd argument didn't check buffer size, so we can overwrite EIP.
    (over 664 bytes)

  5. SWAT_Login()
    has 1 arguments. Argument didn't check buffer size, so we can overwrite EIP.
    (over 671 bytes)

POC CODE COMING SOON

Greet : BugTruck Group, PowerHacker Team (Thx, AmesianX)


B.P.S

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON