Saturday, September 15, 2007

HP ActiveX Remote Heap Overflow PoC

http://www.milw0rm.com/exploits/4409

introduction
------------
GOODFELLAS security research team has found a bug in a dll included in at least the following HP products:


* HP All-in-One Series Web Release
* HP Photo & Imaging Gallery version 1.1

The affected dll is called hpqutil.dll, at least in its English version 2.0.0.138, and specifically the problem is a heap overflow.

summary
-------
Remote exploitation of this heap overflow could allow a user to execute arbitrary code or crash Internet Explorer. The heap overflow is related to a call to lstrcpyA() inside a function that does not check the buffer's bounds. This call is made from the FindFile() function that the dll overloads from MFC42. The dll allocates 320 bytes for the buffer where some arbitrarily long user input is to be stored.
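The copy pattern described above, next to a bounds-checked form, as an added example that is not code from hpqutil.dll or from the advisory. It assumes portable C with strcpy() standing in for lstrcpyA(); the function names and the test input are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF_SIZE 320 /* allocation size stated in the advisory */

/* Pattern the advisory describes: fixed heap buffer, unbounded copy.
 * strcpy() stands in for lstrcpyA(); function names here are hypothetical.
 * Input of 320 characters or more writes past the allocation. */
char *store_unchecked(const char *input) {
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf != NULL)
        strcpy(buf, input); /* no bounds check */
    return buf;
}

/* Hardened form: locate the terminator within the buffer size first and
 * reject input that does not fit, rather than truncating a file path. */
char *store_checked(const char *input) {
    const char *nul = input ? memchr(input, '\0', PATH_BUF_SIZE) : NULL;
    if (nul == NULL)
        return NULL; /* NULL input, or 320+ characters */
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf != NULL)
        memcpy(buf, input, (size_t)(nul - input) + 1);
    return buf;
}

/* Constructed input of n 'A' characters; returns 1 if store_checked
 * accepted and copied it intact, 0 if it was rejected. */
int accepts_length(size_t n) {
    char *input = malloc(n + 1);
    if (input == NULL)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    char *copy = store_checked(input);
    int ok = copy != NULL && strlen(copy) == n;
    free(copy);
    free(input);
    return ok;
}

int main(void) {
    printf("319 chars accepted: %d\n", accepts_length(319));
    printf("320 chars accepted: %d\n", accepts_length(320));
    return 0;
}
```

The boundary is 319 characters, because the terminating NUL needs the 320th byte.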

This bug is related to "FileFind class from MFC Library cause heap overflow".

More details are available at
http://goodfellas.shellcode.com.ar/own/VULWKU20070614

impact
------
This exploitable bug crashes Internet Explorer and, if used along with other techniques, could allow for remote code execution. Exploitation requires a targeted user to load a web page containing the crafted ActiveX control with Internet Explorer; ActiveX must also be enabled.
