1. Symantec/
  2. Security Response/
  3. Attack Signatures/
  4. HTTP Gracenote CddbCtrl SetClientInfo BO

HTTP Gracenote CddbCtrl SetClientInfo BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature attempts to detect buffer overflow vulnerability by passing a large parameters to a function of the CDDBControl ActiveX control.

Additional Information

GraceNote CDDBControl ActiveX is a client control module for a content-delivery engine; it allows CD information lookup.

CDDBControl ActiveX Control is prone to a buffer-overflow vulnerability. The software fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.

This issue resides in the 'SetClientInfo()' method of the affected ActiveX control and presents itself when specially crafted data is passed through the first argument.

Invoking the object from a malicious website or HTML email may trigger the condition. If the vulnerability were successfully exploited, this would corrupt process memory, resulting in arbitrary code execution. Arbitrary code would run in the context of the client application using the affected ActiveX control.

AOL versions 7.0 revision 4114.563, 8.0 revision 4129.230, and 9.0 Security Edition revision 4156.910 include the vulnerable software. Other versions may also be affected.

Affected

  • AOL Client Software 7.0, 8.0, 9.0 Security
  • GraceNote CDDBControl ActiveX
  • Nokia PC Suite 6.7, 6.8
  • Sony CONNECT Player
  • Sony SonicStage 3.3, 3.4
  • Sony SonicStage Mastering Studio 2.1, 2.1.1, 2.2, 2.2.1

Response

The vendor has released software updates to address this issue. Please contact the vendor for more information. See the references for details.

Fixes for affected AOL customers are available from the vendor through the AOL Client software's automatic update feature.
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube