AOH :: HP Unsorted B :: TB11860.HTM

BlueSkyCat ActiveX Remote Heap Overflow vulnerability



CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability
CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability



   CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

BACKGROUND:
==========
   BlueSkychat is a professional voice and video chat software widely used
by large chat websites in china.


DESCRIPTION:
===========
   Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered
a vulnerability .

   Remote exploitation of a buffer overflow in an ActiveX control 
distributed
with Bluesky.cn could allow for the execution of arbitrary code.

   When Blueskychat are installed, they register the following ActiveX
control on the system:

   ProgId: V2.V2Ctrl.1
   ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
   File: v2.ocx

   This control contains a buffer overflow in its ConnecttoServer() method.

   This is a clent side vulnerability. So the clients of following chat
servers which install the affected BlueSkyCat software are affected.
bliao	 http://www.bliao.com 
qqliao	 http://www.qqliao.com 
7liao	 http://www.7liao.com 
haoliao	 http://www.haoliao.net 
51liao	 http://chat.51liao.net 
heshang	 http://www.heshang.net 
xicn	 http://vchat.xicn.net 
CN104	 http://www.cn104.com 
liao-tian http://www.liao-tian.com 
aliao	 http://www.aliao.net 
kuailiao http://www.kuailiao.com 
mtliao	 http://www.mtliao.com 
pj0427	 http://www.pj0427.com 
uighur	 http://chat.uighur.cn 
wmliao	 http://www.wmliao.com 


CVE:
===We request a CVE number to assign to this vulnerability.


Affected version:
===============v2.ocx  version 8.1.2.0 and prior


vendor:
======BlueSky http://www.bluesky.cn/ 


POC:
=======











Code Audit Labs Suggestion
=========================for vendor:
   Do a full coverage Code Audit or Code Review

for client:
The following workarounds are available for this vulnerability:
     * Disable Active Scripting
     * Unregister the vulnerable control
     * Set the killbit for the vulnerable control
* or update the software from http://www.bluesky.cn 


DISCLOSURE TIMELINE:
===================1: 2007-07-29 notice vendor (mail to blueskychat@gmail.com) 
2: 2007-07-29 the vendor reply "thank,had fixed it".
3: 2007-07-30 we check it out, in fact,the websites which install the
   software did not almost all be updated,send mail to vendor again.
4: 2007-07-31 release this report


About Us:
========Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com 


Original LINK:
=============
1: 
http://www.vulnhunt.com/advisories/CAL-20070730-1_BlueSkyCat_v2.ocx_ActiveX_remote_heap_overflow_vulnerability_en.txt 
2: http://CodeAudit.blogspot.com 

EOF


-- 
Code Audit Labs
http://www.vulnhunt.com/ 

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.