[sec-adv] HouseCall / Damage Cleanup Server ActiveX Control Buffer Overflow

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Sat Jul 12 2003 - 04:31:57 CDT


TITLE:
HouseCall / Damage Cleanup Server ActiveX Control Buffer Overflow

READ ONLINE:
http://www.secunia.com/advisories/9249/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Trend Micro HouseCall 5.x
Trend Micro Damage Cleanup Server 1.x

DESCRIPTION:
A vulnerability has been reported in HouseCall and Damage Cleanup
Server (DCS), which can be exploited by malicious people to
compromise a user's system.

The vulnerability is caused by a boundary error in the ActiveX
control installed on a user's system. This can be exploited by
supplying an overly long, specially crafted string value in a <param>
tag, which will cause a buffer overflow.

Successful exploitation may result in execution of arbitrary code on
the user's system but requires that the user is tricked into visiting
a malicious web site.

The vulnerability affects the following products:
- HouseCall version 5.7 (English)
- HouseCall version 5.5 (English and Simplified Chinese)
- Damage Cleanup Server version 1.0 (English)

SOLUTION:
Trend Micro has released an updated ActiveX control.

Users can update this automatically at:
http://housecall.trendmicro.com/

Administrators of HouseCall or DCS products should follow the
procedure in the original advisory.

REPORTED BY / CREDITS:
Cesar Cerrudo

ORIGINAL ADVISORY:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15274

----------------------------------------------------------------------

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

Contact details:
Web : http://www.secunia.com/
E-mail : support@secunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419

----------------------------------------------------------------------
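
A defensive check for the vector described under DESCRIPTION above, added here as an example and not part of the Secunia advisory or of Trend Micro's fix: a Python scan, usable in a web proxy or mail gateway content filter, that flags <object> elements whose <param> values are unusually long. The 256-character limit, the CLSID and the parameter name are constructed placeholders; the advisory states none of them.

```python
from html.parser import HTMLParser

MAX_PARAM_LEN = 256  # assumed threshold; the advisory gives no length

# Constructed placeholders, not the real control's identifiers.
PLACEHOLDER_CLSID = "clsid:00000000-0000-0000-0000-000000000000"
SAMPLE_PAGE = (
    "<html><body>"
    '<object classid="clsid:11111111-1111-1111-1111-111111111111">'
    '<param name="Mode" value="quick"></object>'
    '<OBJECT CLASSID="' + PLACEHOLDER_CLSID + '">'
    '<PARAM NAME="ExampleParam" VALUE="' + "A" * 4000 + '">'
    "</OBJECT></body></html>"
)


class ParamLengthScanner(HTMLParser):
    """Record <param> values inside <object> elements that exceed a limit."""

    def __init__(self, limit=MAX_PARAM_LEN):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.object_stack = []  # classid of each currently open <object>
        self.findings = []      # (classid, param name, value length)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        a = {name: (value or "") for name, value in attrs}
        if tag == "object":
            self.object_stack.append(a.get("classid", "").lower())
        elif tag == "param" and self.object_stack:
            value = a.get("value", "")
            if len(value) > self.limit:
                self.findings.append(
                    (self.object_stack[-1], a.get("name", ""), len(value)))

    def handle_endtag(self, tag):
        if tag == "object" and self.object_stack:
            self.object_stack.pop()


def scan_html(html, limit=MAX_PARAM_LEN):
    """Return a list of (classid, param name, length) for oversized values."""
    scanner = ParamLengthScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for classid, name, length in scan_html(SAMPLE_PAGE):
        print(f"oversized param {name!r} ({length} chars) for {classid}")
```

A hit is a reason to inspect the page, not proof of an attack; tune the limit against the longest legitimate <param> values seen in your own traffic.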