SignKorea's ActiveX Buffer Overflow Vulnerability

["Alex Park" <saintlinu () gmail com>]

Title: SignKorea's ActiveX Buffer Overflow Vulnerability

Version: SKCommAX ActiveX Control Module 7,2,0,2
        SKCommAX ActiveX Control Module(3280) 6,6,0,1

Discoverer: PARK, GYU TAE (saintlinu () null2root org)

Advisory No.: NRVA07-01

Critical: High critical

Impact: Gain remote user's privilege

Where: From remote

Operating System: Windows Only

Test Client System: Windows XP Service Pack 2 in KOREAN (Patched)
                   Windows XP Service Pack 2 in ENGLISH (Patched)

Solution Vendor: SignKorea, KOSCOM

Solution: Patched

Duration of patch: 6 Day(s) - don't ask me about this I don't know exactly

Notice: 17. 03. 2007 Initiate notified KISA(Korea Information Security
Agency)
       21. 03. 2007 Vendor response and confirmed vulnerability
       23. 03. 2007 Patched by vendor
       26. 03. 2007 Public disclosure

Description:

The SKCommAX's ActiveX is common certification solution on the net
If citizen want to use Internet banking, Stock and so on like Online
banking services in Korea
then must be use PKI certification program like this ActiveX.

The SKCommAX's activex has one remote vulnerability (maybe)
If uses HTML file which was crafted by this vulnerability then you'll get
somebody's remote privilege.

See following detail describe:

SKCommAX's activex has DownloadCertificateExt() function. this function
requests two arguments(pszUserID and CertType).
This function didn't check pszUserID argument whether it's correct or not.
It's a pretty simple buffer overflow even Windows Environment.

EXPLOIT NOT INCLUDED HERE

You don't need exploit written by me bcoz you already known that


Greet: Null@Root Group, BugTruck Mailling and Information Security Team in
NCSoft.
--
Make Our Internet Secure With H4ck3rz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/