[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] SignKorea's ActiveX Buffer Overflow Vulnerability
From:       "Alex Park" <saintlinu () gmail ! com>
Date:       2007-03-27 4:29:56
Message-ID: c9f64a160703262129n56416530l4664b45e0b78574e () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


Title: SignKorea's ActiveX Buffer Overflow Vulnerability

Version: SKCommAX ActiveX Control Module 7,2,0,2
         SKCommAX ActiveX Control Module(3280) 6,6,0,1

Discoverer: PARK, GYU TAE (saintlinu@null2root.org)

Advisory No.: NRVA07-01

Critical: High critical

Impact: Gain remote user's privilege

Where: From remote

Operating System: Windows Only

Test Client System: Windows XP Service Pack 2 in KOREAN (Patched)
                    Windows XP Service Pack 2 in ENGLISH (Patched)

Solution Vendor: SignKorea, KOSCOM

Solution: Patched

Duration of patch: 6 Day(s) - don't ask me about this I don't know exactly

Notice: 17. 03. 2007 Initiate notified KISA(Korea Information Security
Agency)
        21. 03. 2007 Vendor response and confirmed vulnerability
        23. 03. 2007 Patched by vendor
        26. 03. 2007 Public disclosure

Description:

The SKCommAX's ActiveX is common certification solution on the net
If citizen want to use Internet banking, Stock and so on like Online
banking services in Korea
then must be use PKI certification program like this ActiveX.

The SKCommAX's activex has one remote vulnerability (maybe)
If uses HTML file which was crafted by this vulnerability then you'll get
somebody's remote privilege.

See following detail describe:

SKCommAX's activex has DownloadCertificateExt() function. this function
requests two arguments(pszUserID and CertType).
This function didn't check pszUserID argument whether it's correct or not.
It's a pretty simple buffer overflow even Windows Environment.

EXPLOIT NOT INCLUDED HERE

You don't need exploit written by me bcoz you already known that


Greet: Null@Root Group, BugTruck Mailling and Information Security Team in
NCSoft.
-- 
Make Our Internet Secure With H4ck3rz

[Attachment #5 (text/html)]

<div>Title: SignKorea&#39;s ActiveX Buffer Overflow Vulnerability</div>
<p>Version: SKCommAX ActiveX Control Module \
7,2,0,2<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SKCommAX ActiveX Control \
Module(3280) 6,6,0,1</p> <p>Discoverer: PARK, GYU TAE (<a onclick="return \
top.js.OpenExtLink(window,event,this)" href="mailto:saintlinu@null2root.org" \
target="_blank">saintlinu@null2root.org</a>)</p> <p>Advisory No.: NRVA07-01</p>
<p>Critical: High critical</p>
<p>Impact: Gain remote user&#39;s privilege</p>
<p>Where: From remote</p>
<p>Operating System: Windows Only</p>
<p>Test Client System: Windows XP Service Pack 2 in KOREAN \
(Patched)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
Windows XP Service Pack 2 in ENGLISH (Patched)</p> <p>Solution Vendor: SignKorea, \
KOSCOM</p> <p>Solution: Patched</p>
<p>Duration of patch: 6 Day(s) - don&#39;t ask me about this I don&#39;t know \
exactly</p> <p>Notice: 17. 03. 2007 Initiate notified KISA(Korea Information Security \
Agency)<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 21. 03. 2007 Vendor response \
and confirmed vulnerability<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 23. 03. \
2007 Patched by vendor <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 26. 03. 2007 \
Public disclosure  </p>
<p>Description:</p>
<p>The SKCommAX&#39;s ActiveX is common certification solution on the net<br>If \
citizen want to use Internet banking, Stock and so on like Online<br>banking services \
in Korea<br>then must be use PKI certification program like this ActiveX.  </p>
<p>The SKCommAX&#39;s activex has one remote vulnerability (maybe)<br>If uses HTML \
file which was crafted by this vulnerability then you&#39;ll get<br>somebody&#39;s \
remote privilege.</p> <p>See following detail describe:</p>
<p>SKCommAX&#39;s activex has DownloadCertificateExt() function. this \
function<br>requests two arguments(pszUserID and CertType).<br>This function \
didn&#39;t check pszUserID argument whether it&#39;s correct or not.<br>It&#39;s a \
pretty simple buffer overflow even Windows Environment.  </p>
<p>EXPLOIT NOT INCLUDED HERE</p>
<p>You don&#39;t need exploit written by me bcoz you already known that </p>
<p><br>Greet: <a onclick="return top.js.OpenExtLink(window,event,this)" \
href="mailto:Null@Root" target="_blank">Null@Root</a> Group, BugTruck Mailling and \
Information Security Team in NCSoft.</p>-- <br>Make Our Internet Secure With H4ck3rz 



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic