mailing list archives
SignKorea's ActiveX Buffer Overflow Vulnerability
From: "Alex Park" <saintlinu () gmail com>
Date: Tue, 27 Mar 2007 12:29:56 +0800
Title: SignKorea's ActiveX Buffer Overflow Vulnerability
Version: SKCommAX ActiveX Control Module 7,2,0,2
SKCommAX ActiveX Control Module(3280) 6,6,0,1
Discoverer: PARK, GYU TAE (saintlinu () null2root org)
Advisory No.: NRVA07-01
Critical: High critical
Impact: Gain remote user's privilege
Where: From remote
Operating System: Windows Only
Test Client System: Windows XP Service Pack 2 in KOREAN (Patched)
Windows XP Service Pack 2 in ENGLISH (Patched)
Solution Vendor: SignKorea, KOSCOM
Duration of patch: 6 Day(s) - don't ask me about this I don't know exactly
Notice: 17. 03. 2007 Initiate notified KISA(Korea Information Security
21. 03. 2007 Vendor response and confirmed vulnerability
23. 03. 2007 Patched by vendor
26. 03. 2007 Public disclosure
The SKCommAX's ActiveX is common certification solution on the net
If citizen want to use Internet banking, Stock and so on like Online
banking services in Korea
then must be use PKI certification program like this ActiveX.
The SKCommAX's activex has one remote vulnerability (maybe)
If uses HTML file which was crafted by this vulnerability then you'll get
somebody's remote privilege.
See following detail describe:
SKCommAX's activex has DownloadCertificateExt() function. this function
requests two arguments(pszUserID and CertType).
This function didn't check pszUserID argument whether it's correct or not.
It's a pretty simple buffer overflow even Windows Environment.
EXPLOIT NOT INCLUDED HERE
You don't need exploit written by me bcoz you already known that
Greet: Null () Root Group, BugTruck Mailling and Information Security Team in
Make Our Internet Secure With H4ck3rz
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- SignKorea's ActiveX Buffer Overflow Vulnerability Alex Park (Mar 27)