MySpace, Facebook ActiveX control vulnerable to attack
By Ken Mitchell
A recently disclosed flaw in Aurigma's "Image Uploader" ActiveX control allows an attacker to execute arbitrary code on a victim's computer. The control is repackaged and used by both Facebook and MySpace.
The ActiveX control, written by imaging software company Aurigma, lets users upload images to the hosting site from Internet Explorer. From the security firm Secunia:
The vulnerability is caused due to a boundary error in the Aurigma.ImageUploader.4.1 ActiveX control (ImageUploader4.ocx) when handling strings assigned to the "Action" property. This can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the affected property.
The flaw was originally discovered by Elazar Broad, who reported in his post to the Full Disclosure mailing list that he found it in MySpaceUploader.ocx version 1.0.0.4; earlier versions are expected to be affected as well. Based on my own research and testing, a malicious site could install or instantiate the vulnerable ActiveX control in a victim's browser and then assign the affected property an overly long string whose contents are the attacker's payload. Because the overflow corrupts the stack, the code in that payload runs with the privileges of the user running Internet Explorer, which could mean anything from deleting files to giving the attacker a command shell on the machine.
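The bug class Secunia describes, as an added illustration that is not Aurigma's code (the control is closed source, so the buffer size ACTION_BUF_LEN, the function names and the inputs below are assumptions made for this example): a property setter that copies a script-supplied string into a fixed-size stack buffer with no check, beside a checked version that rejects values that do not fit. It uses ordinary C strings rather than the UTF-16 BSTR a COM property receives, but the boundary error is the same.

```c
/* Added illustration of the bug class in the article, not Aurigma's code:
 * the control is closed source, so the buffer size (ACTION_BUF_LEN), the
 * function names and the inputs are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define ACTION_BUF_LEN 64   /* assumed size of the setter's local buffer */

/* Vulnerable shape of a property setter: the script-supplied value is
 * copied into a fixed-size buffer on the stack with no length check.
 * A value longer than ACTION_BUF_LEN overwrites whatever lies above the
 * buffer on the stack (saved registers, return address): a stack-based
 * buffer overflow of exactly the kind the Secunia text describes. */
int set_action_unchecked(const char *action)
{
    char buf[ACTION_BUF_LEN];
    strcpy(buf, action);                 /* no bound on `action` */
    return (int)strlen(buf);
}

/* Hardened shape: validate the length before any copy and reject (rather
 * than silently truncate) values that do not fit, so a hostile page gets
 * an error instead of control of the stack. Returns 0 on success, -1 if
 * the value is too long. */
int set_action_checked(const char *action, char *dst, size_t dst_len)
{
    size_t n = strlen(action);
    if (n >= dst_len)                    /* leave room for the terminator */
        return -1;
    memcpy(dst, action, n + 1);
    return 0;
}

/* Drive the checked setter with a constructed value of `len` 'A's, the way
 * a malicious page would assign an overly long string to the property.
 * Returns the setter's result (0 accepted, -1 rejected), or -2 if `len`
 * is beyond what this demo constructs. */
int try_set_action(size_t len)
{
    char input[4096];
    char buf[ACTION_BUF_LEN];
    if (len >= sizeof input)
        return -2;
    memset(input, 'A', len);
    input[len] = '\0';
    return set_action_checked(input, buf, sizeof buf);
}

int main(void)
{
    printf("short value, unchecked setter: %d bytes\n",
           set_action_unchecked("upload"));       /* fits, no harm done */
    printf("63 bytes, checked setter: %d\n", try_set_action(63));    /* 0  */
    printf("64 bytes, checked setter: %d\n", try_set_action(64));    /* -1 */
    printf("2000 bytes, checked setter: %d\n", try_set_action(2000)); /* -1 */
    /* set_action_unchecked() with the 2000-byte value would smash the
     * stack; it is deliberately not called here. */
    return 0;
}
```

The checked setter's comparison is `n >= dst_len`, not `n > dst_len`, because the terminator needs a byte too; an off-by-one there is itself a classic boundary error. Rejecting instead of truncating also matters: a setter that silently cuts the value to 63 bytes is memory-safe but hides the fact that a page tried to feed it something hostile.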
Exploit code is now circulating publicly, and researchers say it is only a matter of time before it is used in attacks. Secunia rates the risk "Highly Critical". The developers have been notified, and until a fixed control is available users are advised to set the "kill bit" for the affected CLSIDs (in the registry, a "Compatibility Flags" DWORD value of 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}). This stops Internet Explorer from loading the controls, whether or not they are already installed, which also blocks legitimate uploads through them.
It is unknown at this time exactly how many sites are affected, or which versions of the Aurigma software are vulnerable.
February 5th, 2008
I just think MySpace is just very bad for you. My father's been flirting with this girl and this girl has been saying very immature things to my father, and my mom is just trying to delete his profile and block MySpace! I just think that if Facebook and MySpace have a battle, Facebook should take MySpace off the web.
June 10th, 2008
Hi, OK, I think I understand what you're saying, but how do we get around the problem of not being able to upload photos? I mean, can we fix it? Or do we have to sit and wait till someone else fixes it? All three browsers I've tried to use to upload photos onto Facebook don't work. Firefox and Safari both crash as soon as you go to the upload page, and Explorer doesn't really do much; it just says try the simpler uploader! Hmm, total B******S, whoever created this bug. Thanks so much for explaining it anyway, I've been racking my brain on what it could be. Hope it's fixed soon.