TSRT-07-03: America Online SuperBuddy ActiveX Control Code Execution
http://www.tippingpoint.com/security/advisories/TSRT-07-03.html
March 30, 2007

-- CVE ID:
CVE-2006-5820

-- Affected Vendor:
America Online

-- Affected Products:
America Online 9.0 Security Edition

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since November 6, 2006 by Digital Vaccine protection
filter ID 4553. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of America Online with Microsoft Internet
Explorer. User interaction is required to exploit this vulnerability in
that the target must visit a malicious page.

The specific flaw exists in the LinkSBIcons() method exposed through
the ActiveX control 'Sb.SuperBuddy.1' with the following CLSID:

    189504B8-50D1-4AA8-B4D6-95C8F58A6414

The affected control implements the IObjectSafety interface and
therefore allows a web site to invoke the control under default
Internet Explorer settings without any further user interaction.  The
vulnerable method is defined as:

    int LinkSBIcons(IUnknown *interface)

As the method accepts an unchecked user-controlled value specifying a
pointer to an object, a subsequent function dereference is completely
under attacker control. This can easily lead to arbitrary code
execution under the context of the logged in user.

It is important to note that many PCs ship with this vulnerable
component by default, including Dell and Hewlett-Packard among others.
Since AOL is addressing this issue as an update through their internet
service, many users are left without any recourse for mitigation.
Concerned users can specify a "kill bit" for the affected control to
prevent it from loading within Internet Explorer. To do so, create the
following registry key:

    HKEY_LOCAL_MACHINE\
        SOFTWARE\
        Microsoft\
        Internet Explorer\
        ActiveX Compatibility\
        {189504B8-50D1-4AA8-B4D6-95C8F58A6414}

With the value 'Compatibility Flags' set to 0x400.

-- Vendor Response:
America Online has issued an update to correct this vulnerability as of
3/29/2007. The update is automatically applied the next time users log
into the AOL service.

-- Disclosure Timeline:
2006.07.18 - Vulnerability reported to vendor
2006.11.06 - Digital Vaccine released to TippingPoint customers
2007.03.30 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, Tipping Point Security
Research Team.