HTTP EDraw Office Viewer ActiveX BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to exploit a vulnerability in the HP Photo and Imaging ActiveX control which could result in remote code execution.

Additional Information

The CFileFind::FindFile method in the MFC library for Microsoft Windows is prone to a buffer-overflow vulnerability because the method fails to perform adequate boundary checks of user-supplied input.

The 'FindFile' method takes two arguments, the first of which is a pointer to a string containing a filename to search for. The function allocates an internal heap memory buffer of a fixed length (592 or 320 bytes, depending on the software version), and then copies the filename string to this buffer without prior bounds-checking. When an overly long filename string is passed, the buffer is overrun with attacker-controlled data.

Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of applications that use the vulnerable method.

The MFC library included with Microsoft Windows XP SP2 is affected; other versions may also be affected.

This issue also occurs in the 'hpqutil.dll' ActiveX control identified by CLSID: F3F381A3-4795-41FF-8190-7AA2A8102F85. Specifically, the issue occurs in the 'ListFiles()' method when copying more than 320 bytes into an insufficiently sized buffer.
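The missing bounds check described for 'FindFile' and 'ListFiles()' above, next to a length-checked form, as an added example. This is a simplified model and not MFC or HP code; the struct, function names and return codes are hypothetical, and only the 592 and 320 byte sizes come from the text.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed internal buffer sizes quoted in the text above. */
#define FIND_BUF_LARGE 592
#define FIND_BUF_SMALL 320

enum find_rc { FIND_OK, FIND_EINVAL, FIND_TOO_LONG, FIND_NOMEM };

/* Hypothetical stand-in for the heap-held search state. */
struct find_state { char *name; size_t capacity; };

/* Flawed pattern, shown for comparison and never called here: the copy
 * length is set by the caller's string, not by the destination buffer. */
enum find_rc find_file_unchecked(struct find_state *st, const char *pattern)
{
    st->capacity = FIND_BUF_SMALL;
    st->name = malloc(st->capacity);
    if (st->name == NULL) return FIND_NOMEM;
    strcpy(st->name, pattern);  /* no bounds check: string + NUL may exceed 320 */
    return FIND_OK;
}

/* Hardened form: measure within the limit, reject what cannot fit. */
enum find_rc find_file_checked(struct find_state *st, const char *pattern,
                               size_t capacity)
{
    const char *end;
    st->name = NULL;
    st->capacity = 0;
    if (pattern == NULL || capacity == 0) return FIND_EINVAL;
    end = memchr(pattern, '\0', capacity); /* scans at most capacity bytes */
    if (end == NULL) return FIND_TOO_LONG;  /* fail closed, no truncation */
    st->name = malloc(capacity);
    if (st->name == NULL) return FIND_NOMEM;
    memcpy(st->name, pattern, (size_t)(end - pattern) + 1); /* includes NUL */
    st->capacity = capacity;
    return FIND_OK;
}

int main(void)
{
    struct find_state st;
    char long_name[400];                    /* constructed sample input */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    printf("399-byte name, 320-byte buffer: rc=%d\n",
           find_file_checked(&st, long_name, FIND_BUF_SMALL));
    return 0;
}
```

Rejecting the over-long name, rather than truncating it, avoids silently searching for a different file than the caller asked for.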

Affected

  • HP All-in-One Series Web Release 2.1
  • HP Photo and Image Gallery 1.1
  • Microsoft Windows XP Home SP2
  • Microsoft Windows XP Media Center Edition SP2
  • Microsoft Windows XP Professional SP2
  • Microsoft Windows XP Tablet PC Edition SP2