<div>Title: SignKorea's ActiveX Buffer Overflow Vulnerability</div>
<p>Version: SKCommAX ActiveX Control Module 7,2,0,2<br> SKCommAX ActiveX Control Module(3280) 6,6,0,1</p>
<p>Discoverer: PARK, GYU TAE (<a href="mailto:saintlinu@null2root.org" target="_blank">saintlinu@null2root.org</a>)</p>
<p>Advisory No.: NRVA07-01</p>
<p>Critical: High critical</p>
<p>Impact: Gain remote user's privilege</p>
<p>Where: From remote</p>
<p>Operating System: Windows Only</p>
<p>Test Client System: Windows XP Service Pack 2 in KOREAN (Patched)<br> Windows XP Service Pack 2 in ENGLISH (Patched)</p>
<p>Solution Vendor: SignKorea, KOSCOM</p>
<p>Solution: Patched</p>
<p>Duration of patch: 6 day(s) - don't ask me about this, I don't know exactly</p>
<p>Notice: 17. 03. 2007 Initial notification to KISA (Korea Information Security Agency)<br> 21. 03. 2007 Vendor responded and confirmed the vulnerability<br> 23. 03. 2007 Patched by vendor<br> 26. 03. 2007 Public disclosure
</p>
<p>Description:</p>
<p>The SKCommAX ActiveX control is a common certification solution on the net. Citizens who want to use online services in Korea, such as Internet banking and stock trading, must use a PKI certification program like this ActiveX control.
</p>
<p>The SKCommAX ActiveX control has one remote vulnerability (maybe). If a user opens an HTML file crafted for this vulnerability, the attacker gains that remote user's privileges.</p>
<p>Details follow:</p>
<p>The SKCommAX ActiveX control has a DownloadCertificateExt() function. This function takes two arguments (pszUserID and CertType). It does not check whether the pszUserID argument is valid. It is a pretty simple buffer overflow, even in a Windows environment.
</p>
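<p>The missing check described above, shown as an added example (not SignKorea's code and not part of the original advisory): an unbounded copy of a caller-supplied string next to a length-checked version. The function names, the 64-byte USER_ID_MAX limit, the narrow char type and the printable-ASCII rule are assumptions made for illustration; the control's real buffer size and internals are not given on this page.</p>

```c
#include <stddef.h>
#include <string.h>

/* Assumed limit for illustration; the real buffer size is not in the advisory. */
#define USER_ID_MAX 64

enum id_status { ID_OK = 0, ID_NULL, ID_EMPTY, ID_TOO_LONG, ID_BAD_CHAR };

/* Unsafe pattern: copies until the NUL byte with no bound, so any input of
 * USER_ID_MAX bytes or more writes past the end of dst. */
void copy_user_id_unchecked(char *dst, const char *pszUserID)
{
    strcpy(dst, pszUserID);
}

/* Hardened form: bounded length scan, reject on any failure, copy only
 * after every check has passed. dst is left empty on rejection. */
enum id_status copy_user_id_checked(char *dst, size_t dst_size,
                                    const char *pszUserID)
{
    size_t len, i;

    if (dst == NULL || dst_size == 0 || pszUserID == NULL)
        return ID_NULL;
    dst[0] = '\0';

    /* Never read more than dst_size bytes of the untrusted input. */
    for (len = 0; len < dst_size && pszUserID[len] != '\0'; len++)
        ;
    if (len == 0)
        return ID_EMPTY;
    if (len == dst_size)            /* no room left for the terminator */
        return ID_TOO_LONG;

    /* Assumed policy: a user ID is printable ASCII without spaces. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pszUserID[i];
        if (c < 0x21 || c > 0x7e)
            return ID_BAD_CHAR;
    }

    memcpy(dst, pszUserID, len + 1); /* len + 1 <= dst_size, includes NUL */
    return ID_OK;
}
```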
<p>EXPLOIT NOT INCLUDED HERE</p>
<p>You don't need an exploit written by me because you already know that</p>
<p><br>Greet: <a href="mailto:Null@Root" target="_blank">Null@Root</a> Group, BugTruck Mailing and Information Security Team in NCSoft.</p>-- <br>Make Our Internet Secure With H4ck3rz