[VulnWatch] CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability

From: Code Audit Labs (vulnhunt@private)
Date: Mon Jul 30 2007 - 18:10:43 PDT

   CAL-20070730-1 BlueSkyCat ActiveX Remote Heap Overflow vulnerability


   BlueSkychat is a professional voice and video chat software widely used
by large chat websites in china.


   Code Audit Labs Code Audit for BlueSkyCat ActiveX Control and discovered
a vulnerability .

   Remote exploitation of a buffer overflow in an ActiveX control
with Bluesky.cn could allow for the execution of arbitrary code.

   When Blueskychat are installed, they register the following ActiveX
control on the system:

   ProgId: V2.V2Ctrl.1
   ClassId: 2EA6D939-4445-43F1-A12B-8CB3DDA8B855
   File: v2.ocx

   This control contains a buffer overflow in its ConnecttoServer() method.

   This is a clent side vulnerability. So the clients of following chat
servers which install the affected BlueSkyCat software are affected.
bliao	      http://www.bliao.com
qqliao	      http://www.qqliao.com
7liao	      http://www.7liao.com
haoliao	      http://www.haoliao.net
51liao	      http://chat.51liao.net
heshang	      http://www.heshang.net
xicn	      http://vchat.xicn.net
CN104	      http://www.cn104.com
liao-tian     http://www.liao-tian.com
aliao	      http://www.aliao.net
kuailiao      http://www.kuailiao.com
mtliao	      http://www.mtliao.com
pj0427	      http://www.pj0427.com
uighur	      http://chat.uighur.cn
wmliao	      http://www.wmliao.com

We request a CVE number to assign to this vulnerability.

Affected version:
v2.ocx  version and prior

BlueSky http://www.bluesky.cn/

<OBJECT ID="com" CLASSID="CLSID:{2EA6D939-4445-43F1-A12B-8CB3DDA8B855}">
<SCRIPT language="javascript">

function ClickForRunCalc()
     var heapSprayToAddress = 0x0d0d0d0d;

     var payLoadCode = "A" ;
     while (payLoadCode.length <= 10000) payLoadCode+='A';
<button onclick="javascript:ClickForRunCalc();">ClickForRunCalc</button>

Code Audit Labs Suggestion
for vendor:
   Do a full coverage Code Audit or Code Review

for client:
The following workarounds are available for this vulnerability:
     * Disable Active Scripting
     * Unregister the vulnerable control
     * Set the killbit for the vulnerable control
     * or update the software from http://www.bluesky.cn

1: 2007-07-29 notice vendor (mail to blueskychat@private)
2: 2007-07-29 the vendor reply "thank,had fixed it".
3: 2007-07-30 we check it out, in fact,the websites which install the
   software did not almost all be updated,send mail to vendor again.
4: 2007-07-31 release this report

About Us:
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"

Original LINK:

2: http://CodeAudit.blogspot.com


Code Audit Labs

This archive was generated by hypermail 2.1.3 : Tue Jul 31 2007 - 12:43:13 PDT