Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability Tested against: Microsoft Windows Vista SP2 Microsoft Windows XP SP3 Microsoft Windows 2003 R2 SP2 Internet Explorer 7/8/9 download url of a test version: file tested: Dell_SX2210-Monitor_Webcam SW RC1.1_ R230103.exe This package contains the Dell Webcam Central software developed by Creative Technologies for Dell. info: I think this is a very common ActiveX, probably bundled with Dell Notebooks. Background: The mentioned software carries a third party ActiveX Control with the following settings. Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1 CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED} Safe for Scripting (Registry): True Safe for Initialization (Registry): True This control is marked safe for scripting and safe for initialization, then Internet Explorer will allow scripting of this control from remote. Vulnerability: The 'BackImage' ,'ScriptName', 'ModelName' and 'SRC' properties can be used to trigger a buffer overflow condition. The crazytalk4.ocx ActiveX control will load the close CrazyTalk4Native.dll library and, while constructing a local file path, will call sprintf() with an insufficient size. Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012EE24 023D4FAB msvcrt.sprintf CrazyTal.023D4FA5 0012EE28 0012F180 s = 0012F180 0012EE2C 023F431C format = "%s%s%s" 0012EE30 042A2D6C <%s> = "C:\DOCUME~1\Admin\LOCALS~1\Temp\RLTMP\~RW463\" 0012EE34 0012EF5C <%s> = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 0012EE38 0012EE58 <%s> = "" 0012F164 023D601D CrazyTal.023D4F20 code, CrazyTalk4Native.dll : ... 023D4F80 85C0 test eax,eax 023D4F82 74 38 je short CrazyTal.023D4FBC 023D4F84 8B9C24 2C030000 mov ebx,dword ptr ss:[esp+32C] 023D4F8B 8D4424 1C lea eax,dword ptr ss:[esp+1C] 023D4F8F 8D8C24 20010000 lea ecx,dword ptr ss:[esp+120] 023D4F96 50 push eax 023D4F97 81C6 443B0000 add esi,3B44 023D4F9D 51 push ecx 023D4F9E 56 push esi 023D4F9F 68 1C433F02 push CrazyTal.023F431C ; ASCII "%s%s%s" 023D4FA4 53 push ebx 023D4FA5 FF15 E4F33E02 call dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf ... As attachment, proof of concept code which overwrites EIP and SEH. Note: 0:008> lm -vm CrazyTalk4Native start end module name 021c0000 0220b000 CrazyTalk4Native (deferred) Image path: C:\PROGRA~1\COMMON~1\REALLU~1\CTPLAY~1\CrazyTalk4Native.dll Image name: CrazyTalk4Native.dll Timestamp: Thu May 17 12:13:42 2007 (464C2AD6) CheckSum: 00048AB2 ImageSize: 0004B000 File version: 4.5.815.1 Product version: File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: C3D ProductName: CrazyTalk4 ActiveX Control Module InternalName: CrazyTalk4 OriginalFilename: CrazyTalk4.OCX ProductVersion: 4, 0, 0, 1 FileVersion: 4, 5, 815, 1 PrivateBuild: 4, 5, 815, 1 SpecialBuild: 4, 5, 815, 1 FileDescription: CrazyTalk4 Native Control Module LegalCopyright: Copyright (C) 2005 LegalTrademarks: Copyright (C) 2005 Comments: Copyright (C) 2005 POC: