Anzio Web Print Object ActiveX control mainurl parameter stack overflow vulnerability
  Add date: 10/07/2008   Publishing date: 10/07/2008

Release date: 2008-08-20
Updated: 2008-08-22

Affected systems:
Anzio Web Print Object 3.2.24
Anzio Web Print Object 3.2.19
Anzio Print Wizard Server Edition 3.2.19
Anzio Print Wizard Personal Edition 3.2.19
Unaffected systems:
Anzio Web Print Object 3.2.30
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30545
CVE(CAN) ID: CVE-2008-3480

Anzio Web Print Object (WePO) is a Windows ActiveX web page component used to start print jobs from a web page.

The mainurl parameter of the WePO ActiveX control specifies the local filename or URL of the content to print:

/-----------

<param name="mainurl" value="http://www.somewhere.com/myreport.pcl">

-----------/

WePO takes the mainurl parameter value in OLECHAR form and converts it to a BSTR string using the oleaut32.dll API SysAllocStringLen. The BSTR pointer returned by SysAllocStringLen is saved on the stack.

/-----------

024F64B8   . 51             PUSH ECX                             ; length of "mainurl" value
024F64B9   . 52             PUSH EDX                             ; pointer to "mainurl" value
024F64BA   . E8 4DB0FFFF    CALL JMP.oleaut32.SysAllocStringLen
024F64BF   . 5A             POP EDX
024F64C0   . 85C0           TEST EAX, EAX
024F64C2   . ^0F84 94F9FFFF JE PWBUTT~1.024F5E5C
024F64C8   . 8902           MOV DWORD PTR DS:[EDX], EAX          ; Save BSTR pointer to stack
024F64CA   > C3             RETN

-----------/

The mainurl value is then copied, in ASCII form, to a buffer on the stack without its length being checked.
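
The length check that this copy lacks, as an added C example (not code from the advisory or from Anzio). It is a portable model: `olechar_t`, `URL_BUF_LEN`, `narrow_checked` and `handle_mainurl` are hypothetical names, and the 256-byte buffer size is an assumption because the advisory does not state the real one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t olechar_t;   /* stand-in for the 16-bit OLECHAR */
#define URL_BUF_LEN 256       /* assumed size; the advisory gives none */

/* Narrow a counted 16-bit string into a fixed buffer. The length is compared
 * with the destination size before any byte is written, and characters that
 * cannot be represented as printable ASCII are rejected instead of truncated.
 * Returns 0 on success, -1 on rejection (dst is left as an empty string). */
int narrow_checked(char *dst, size_t dst_len, const olechar_t *src, size_t len)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL || len >= dst_len)   /* the check missing from the copy */
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (src[i] < 0x20 || src[i] > 0x7e) {
            dst[0] = '\0';
            return -1;
        }
        dst[i] = (char)src[i];
    }
    dst[len] = '\0';
    return 0;
}

/* Models handling of a mainurl value with a stack buffer and a checked copy.
 * Returns the accepted length, or -1 if the value was rejected. */
int handle_mainurl(const olechar_t *value, size_t len)
{
    char url[URL_BUF_LEN];
    if (narrow_checked(url, sizeof url, value, len) != 0)
        return -1;
    return (int)strlen(url);
}

int main(void)
{
    olechar_t big[1000];                 /* constructed oversized value */
    for (size_t i = 0; i < 1000; i++)
        big[i] = 'A';
    printf("1000-character value: %d\n", handle_mainurl(big, 1000));
    return 0;
}
```
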

/-----------

024F300C  /$ 56             PUSH ESI
024F300D  |. 57             PUSH EDI
024F300E  |. 89C6           MOV ESI, EAX                         ; ESI = pointer to "mainurl" value
024F3010  |. 89D7           MOV EDI, EDX                         ; EDI = pointer to destination buffer in the stack
024F3012  |. 89C8           MOV EAX, ECX                         ; ECX = length of "mainurl" value
024F3014  |. 39F7           CMP EDI, ESI