by cocoruder(frankruer_at_hotmail.com)
http://ruder.cdut.net

Summary:

Thunder is a very popular downloading software in China, which uses P2SP technology, more details please visit:

http://www.xunlei.com

A remote code execute vulnerability exists in the ActiveX Control of Thunder 5. A remote attacker who successfully exploits this vulnerability can completely take control of the affected system.

Affected Software Versions:

Thunder 5(Version of "DapCtrl*.dll" <= 1.5.578.28)

Details:

The vulnerability exists in the property "Put" educed by ""DapCtrl*.dll", following are some related imformations:

InprocServer32: C:\Documents and Settings\All Users\Application Data\Thunder Network\KanKan\DapCtrl1.5.578.28.483.dll
ClassID : ACACC6EB-1FBA-4E13-A729-53AEB2DF54F8

[id(0x00000002)]
long Put([in] BSTR name, [in] VARIANT value);

Setting some special values (object) to the first parameter "name" can corrupt the memory, more careful crafted corrupting can make the program run to a special fixed address which can be covered while the attacker using javascript heap spray technology, that makes arbitrary code can be executed reliably.

Solution:

The new edition of Thunder 5 has fixed this vulnerability, the vendor's advisory can be found at:

http://safe.xunlei.com/announce/xl08040501.html

Disclosure Timeline:
2008.04.18 Vendor notified
2008.04.18 Vendor responded
2008.04.29(before) The vulnerability was fixed silently in the new edition
2008.04.29 The vendor replied that they need more than 1.5 month to push the patch(!?)
2008.06.13 The vendor's advisory released
2008.06.13 Advisory released
Bug&Exp | Comments(0) | Trackbacks(0) | Reads(6861)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive