Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0941 -- [Win]
BitDefender Online Scanner 8 Double Decode Heap Overflow
3 December 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BitDefender Online Scan
Publisher: eEye Digital Security
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6189
Original Bulletin:
http://research.eeye.com/html/advisories/published/AD20071120.html
Comment: According to this advisory, previous users of the BitDefender
online virus scan may be vulnerable. This vulnerability can be
mitigated by re-visiting the online virus scan web site:
http://www.bitdefender.com/scan8/ie.html
Revision History: December 3 2007: Added CVE Reference
November 21 2007: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
BitDefender Online Scanner 8 Double Decode Heap Overflow
Release Date:
November 20, 2007
Date Reported:
October 24, 2007
Severity:
High (Remote Code Execution)
Vendor:
BitDefender / SOFTWIN - http://www.bitdefender.com
Systems Affected:
BitDefender Online Scan Users
Overview:
eEye Digital Security has discovered a critical remote code execution
condition within OScan8.ocx and Oscan81.ocx included by default in
BitDefender Online Anti-Virus Scanner 8.0 released on May 24th 2006.
OScan.ocx is the main ActiveX component for BitDefender's Anti-Virus
Scanner and is initialized by Internet Explorer or any other ActiveX
compatible products. After this file is initialized, it generates the
GUI for the scanner and manages all User-issued commands. Oscan.ocx has
also an internal website verification system to prevent the ActiveX
control from being initialized outside of an authorized domain.
Unfortunately due to a lack of data-sanitization, OScan.ocx can be
forced to be initialized in an unsafe domain and it can be manipulated
to corrupt arbitrary memory locations with user supplied values. This
could allow a memory corruption scenario that would lead to arbitrary
code execution or denial of service conditions.
Technical Description:
A remote vulnerability lies within a malformed request sent to
BitDefender's Online Anti-Virus Scanner ActiveX Controller, OScan.ocx.
OScan.ocx's vulnerable function, InitX, is the only function that
accepts user-supplied data and is required to initialize the control for
its use. The function InitX takes a string argument value of
bstrLocation and is used to verify the calling domain. The IDL for
InitX resembles the following:
Function InitX
{
ByVal bstrLocation as String
} As Boolean
This feature is used to safeguard the ActiveX control and prevent it
from being initialized outside of authorized domains. Users may submit
requests to host this control on their site and they are given an
initialization key. Referencing the BitDefender website you can see
that their domain is being processed with the following hex-value key:
AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0AB417E17657D7F328A2
312ACBE0B139EF3EBFB69939B1C3B24D8BC392D752B8408EAACCD809B94D38B8F9B5E97B
1C1A6')
After this domain key is processed and verified the control would
initialize and accept user commands and begin scanning files. However a
double-decoding vulnerability is present when processing Unicode values
passed to the vulnerable function as a domain key. This vulnerability
is triggered prior to the domain validation by prepending two "%" (0x25)
characters to domain key value. This causes OScan.ocx to double-encode
the parameter from Unicode and allocate arbitrary memory. By combining
this method with an overly long string, a heap-based memory corruption
scenario will result. This heap-overflow allows arbitrary values from
the user-supplied malformed string to overwrite memory within Internet
Explorer or the host ActiveX process. Although the attacker does not
control the location of where the memory overwrite occurs, the
vulnerability has a tendency to overwrite pointers that are later called
by Internet Explorer or the host ActiveX process and thus arbitrary code
execution is possible.
Protection:
Blink - Unified Client Security has proactively protected from these
vulnerabilities since their discovery.
Retina - Network Security Scanner has been updated to identify these
vulnerabilities.
Vendor Status:
BitDefender has released an update mitigating this vulnerability in the
form of Oscan82.ocx. Users can download the updated Online BitDefender
Scanner Here:
http://www.bitdefender.com/scan8/ie.html
Although the vulnerable ActiveX controls will still remain on a
workstation after revisiting the site, they are no longer referenceable.
Credit:
Greg Linares
Greetings:
Das DiREctor, The PuppetMaster, Trouble #1 and Trouble #2, Mikhail T.
Kalashnikov, W. Gibson, M. Shirow, All of Section 9, The C in PoC, the
Wireless Ninja Maiffret, 75 foot ethernet cords, the peeps at
InfinityWard, IO Interactive and Bioware for awesome games, and to Juno
Reactor and Jesper Kyd for awesome tunes.
Related Links:
Preview - Advanced Security Intelligence - http://www.eeye.com/preview
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html
Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.EEYE
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR1Np4Ch9+71yA2DNAQIsSQP/Y2Bcb4KyPGxmWCpCvM22XJyR3TJoOsdN
57L3Lim06yGm1XsbPjhiGIKFFARHQCQN7Rczd59WVBGzYCPDvo3H8LzHbA0uayMj
fktXS3zSez9iUbgzsmWiLXjtcvhmU9fJJkbQ+q62LzAjrbzVixtjMvKMOd9sgQ/+
rSBXk8rLnoY=
=TStF
-----END PGP SIGNATURE-----