TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... The ZDI has published over 1100 high-risk vulnerabilities since the inception of the program.

America Online SuperBuddy ActiveX Control Code Execution Vulnerability

TPTI-07-03: March 30th, 2007

CVE ID

Affected Vendors

    America Online

Affected Products

TippingPoint™ IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 4553. For further product information on the TippingPoint IPS:

Vulnerability Details

This vulnerability allows attackers to execute arbitrary code on vulnerable installations of America Online with Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists in the LinkSBIcons() method exposed through the ActiveX control 'Sb.SuperBuddy.1' with the following CLSID:

189504B8-50D1-4AA8-B4D6-95C8F58A6414

The affected control implements the IObjectSafety interface and therefore allows a web site to invoke the control under default Internet Explorer settings without any further user interaction. The vulnerable method is defined as:

int LinkSBIcons(IUnknown *interface)

As the method accepts an unchecked user-controlled value specifying a pointer to an object, a subsequent function dereference is completely under attacker control. This can easily lead to arbitrary code execution under the context of the logged in user.

It is important to note that many PCs ship with this vulnerable component by default, including Dell and Hewlett-Packard among others. Since AOL is addressing this issue as an update through their internet service, many users are left without any recourse for mitigation. Concerned users can specify a "kill bit" for the affected control to prevent it from loading within Internet Explorer. To do so, create the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}

With the value 'Compatibility Flags' set to 0x400.

Vendor Response


America Online states: America Online has issued an update to correct this vulnerability as of 3/29/2007. The update is automatically applied the next time users log into the AOL service

Disclosure Timeline

    2006-07-18 - Vulnerability reported to vendor
    2007-03-30 - Coordinated public release of advisory

Credit

This vulnerability was discovered by: