______________________________________________________________________

-------------------------- NSOADV-2010-006 ---------------------------
 
    Authentium Command Free Scan ActiveX Control buffer overflow                 
______________________________________________________________________
______________________________________________________________________
                                                       
                               111101111                              
                        11111 00110 00110001111                       
                   111111 01 01 1 11111011111111                      
                11111  0 11 01 0 11 1 1  111011001                    
             11111111101 1 11 0110111  1    1111101111                
           1001  0 1 10 11 0 10 11 1111111  1 111 111001              
         111111111 0 10 1111 0 11 11 111111111 1 1101 10              
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100        
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011      
       0111111110 0110 1110 1 0 11101111111111111011 11100  00        
       01111 0 10 1110 1 011111 1 111111111111111111111101 01         
       01110 0 10 111110 110 0 11101111111111111111101111101          
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111         
      111110110 10 0111110 1 0 0 1111111111111111111111111 110        
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100       
   111 10  110 101011110010   11111111111111111111111 11 0011100      
   11 10     001100     0001      111111111111111111 10 11 11110      
  11110       00100      00001     10 1  1111  101010001 11111111     
  11101        0  1011     10000    00100 11100        00001101 0     
  0110         111011011             0110   10001        101 11110    
  1011                 1             10 101   000001        01   00   
   1010 1                              11001      1 1        101  10  
      110101011                          0 101                 11110  
            110000011                                                 
                      111                                             
______________________________________________________________________
______________________________________________________________________

  Title:                  Authentium Command On Demand ActiveX Control
                          Buffer Overflow
  Severity:               High
  Advisory ID:            NSOADV-2010-006
  Found Date:             15.02.2010 
  Date Reported:          22.02.2010
  Release Date:           04.03.2010
  Author:                 Nikolas Sotiriu
  Website:                http://sotiriu.de
  Twitter:                http://twitter.com/nsoresearch
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2009-006.txt
  Vendor:                 Authentium (http://www.authentium.com/)
  Affected Products:      Authentium Command On Demand Online Scan
                          (http://www.commandondemand.com/)
  Affected Component:     CSS Web Installer ActiveX V.1.4.9508.605
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           No Patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
===========

Authentium Command On Demand is a highly-effective, totally free virus
scanner. Command on Demand scans for more than half a million Internet
threats, using definition files that are updated daily

(Product description from Website)



Description:
============

Remote exploitation of a buffer overflow vulnerability in Authentium
Command On Demand Online scanner service could allow an attacker to
execute arbitrary code within the security context of the targeted user. 

The affected function is "InstallProduct1". The functions 
"InstallProduct" and "InstallProduct2" seems to be also vulnerable.

Name:             CSS Web Installer Class
Vendor:           Authentium, Inc.
Type:             ActiveX-Control
Version:          1.4.9508.605
Prog ID:          CSSWEBLib.Installer
GUID:             {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File:             cssweb.dll
Folder:           C:\WINDOWS\Downloaded Program Files\
Safe for Script:  True
Safe for Init: 	  True
IObjectSafety: 	  False



Proof of Concept :
==================

http://sotiriu.de/software/NSOPOC-2010-006.zip



Solution: 
=========
Product is no longer supported.

Disable the vulnerable ActiveX Control by setting the kill bit for the
following CLSID:

{6CCE3920-3183-4B3D-808A-B12EB769DE12}


Save the following text as a .REG file and imported to set the kill bit
for this control:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:00000400
+--------------------------------------  

More information about how to set the kill bit is available in Microsoft
Support Document 240797. (http://support.microsoft.com/kb/240797)



Disclosure Timeline (YYYY/MM/DD):
=================================

2010.02.15: Vulnerability found
2010.02.22: Initial contact per Online forms
            [-] No Response
2010.03.01: Seconad contact per Online forms
2010.03.01: Initial vendor response 
2010.03.02: Ask for a direct contact, a PGP Key and send the Disclosure
            Policy to vendor.
2010.03.02: Got an Email address
2010.03.02: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.03.11) to Vendor
2010.03.03: Vendor response that the product is no longer supported and
            the domain will be taken down.
2010.03.04: Domain is down
2010.03.04: Release of this Advisory