full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] Webex atucfobj Module Acti

[Full-disclosure] Webex atucfobj Module ActiveX Control Buffer Overflow Vulnerability

From: Elazar Broad <elazar_at_nospam>
Date: Wed Aug 06 2008 - 17:20:02 GMT
To: full-disclosure@lists.grok.org.uk


-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Who:
Webex
http://www.webex.com/

What:
Webex Meeting Manager
http://support.webex.com/support/downloads.html

How:
The Webex Meeting Manager utilizes several ActiveX controls, one of which is vulnerable to a stack based buffer overflow. The atucfobj Module contains a single method called NewObject() who's only parameter is vulnerable to this issue.

This issue has been confirmed in version 20.2008.2601.4928, prior versions are believed to vulnerable as well.

atucfobj.dll version 20.2008.2601.4928
{32E26FD9-F435-4A20-A561-35D4B987CFDC} Fix:
The vendor has released version 20.2008.2606.4919 of this control, which fixes this issue. The control should be updated when the user joins a meeting.

Workaround:
Set the killbit for the affected control. See http://support.microsoft.com/kb/240797

Credit:
When I reported this issue to the vendor, they had stated that they were aware of it, but would not say whether it was the result of an internal audit or an independent researcher.

Timeline: 06/20/2008 -> Issue reported to the vendor 06/21/2008 <- Vendor responds asking for further details 06/22/2008 -> Details sent with PoC 06/25/2008 <- Vendor responds stating that they are aware of this issue
08/06/2008 - Disclosure

Elazar

-----BEGIN PGP SIGNATURE-----

Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0

wpwEAQECAAYFAkiZ3PAACgkQi04xwClgpZiyOgP8CM9oC+m3tr5TBU6ZbvacAcq/SqXu zIUjqfGWz/GNaRRXISzPLrp7aYwepxXL/uxp+zmHR+h0phGOf2FoLmuBY1g3WULmaFu1 oQbGbVfNuS21qH/YvC9mWuOFSeoYOogsyKDGX1Iha6jNDsj5+JlbAIsqk9xwyb021eTm BpGN3W8=
=tQOJ
-----END PGP SIGNATURE-----
-- Hotel pics, info and virtual tours. Click here to book a hotel online. http://tagline.hushmail.com/fc/Ioyw6h4eRCkjWyUGURkqKkn8TNo5LNJlfxlxQ4nlv0rtj3ey80N9EU/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/