Title: BankTown's ActiveX Buffer Overflow Vulnerability
Version: BankTown Client Control 1,4,2,51817
Discoverer: PARK, GYU TAE (firstname.lastname@example.org)
Advisory No.: NRVA06-01
Critical: High critical
Impact: Gain remote user's privilege
Where: From remote
Operating System: Windows Only
Test Client System: Windows XP Service Pack 2 with full patched in KOREAN
Solution: Unpatched yet
Notice: 21. 04. 2006 initiate notified
26. 04. 2006 Second notified
02. 05. 2006 Third notified but not responded
03. 05. 2006 Disclosure Vulnerability
The BankTown's ActiveX is common certification solution on the net
If citizen want to use Internet banking, Stock and so on like Online
banking services in Korea
then must be use PKI certification program like this ActiveX.
The BankTown's activex has one remote vulnerability.
If using HTML file that crafted by this vulnerability then you'll get
somebody's remote privilege.
See following detail describe:
BankTown's activex have SetBannerUrl() function. this function
requests two arguments(id and url).
This function didn't check url argument that is good or not.
If you can put magic string like
'http://www.hacked_banktown.com/_magic_string_/' then IE must lead to
buffer overflow right now.
You'll get an EIP like '0x41414141'. It's pretty simple buffer
overflow if you know 'magic strings and length'
EXPLOIT INCLUDED HERE