Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
AOL 9.5 Phobos ActiveX Control Import Method Stack-Based Buffer Overflow Vulnerability
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the AOL 9.5 desktop application, specifically within the Phobos.dll ActiveX control. This vulnerability arises when the Import() method of the Phobos.Playlist COM object is supplied with an excessively long string, allowing remote attackers to execute arbitrary code in the context of the user. However, exploitation is only possible when the malicious HTML file is opened locally, as the ActiveX control is not marked safe for scripting or initialization.
Impact
Exploitation of this vulnerability allows for arbitrary code execution in the context of the user.
Reproduction
The vulnerability can be reproduced by creating an HTML file that includes an object element referencing the Phobos.Playlist ActiveX control. The Import() method can then be called with a string argument that exceeds the buffer's capacity, causing a stack-based buffer overflow. This can be automated with a Metasploit module that generates the exploit by spraying the heap and executing shellcode.
Remediation
Users can set the kill bit for the CLSID A105BD70-BF56-4D10-BC91-41C88321F47C to prevent the ActiveX control from being instantiated.
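One way to apply and verify that kill bit, as an added example that is not part of the original advisory. It assumes the standard Internet Explorer "ActiveX Compatibility" registry location and the 0x400 kill-bit flag value, neither of which the advisory spells out; the function names are hypothetical.

```powershell
# Added example (not from the advisory): set and verify the kill bit for the
# CLSID named in the Remediation section. Run from an elevated 64-bit PowerShell.
$Clsid     = '{A105BD70-BF56-4D10-BC91-41C88321F47C}'  # CLSID from the advisory
$ValueName = 'Compatibility Flags'
$KillBit   = 0x00000400   # kill-bit flag (assumption: value not stated on the page)

# Native registry view, plus the 32-bit view that 32-bit Internet Explorer
# reads on 64-bit Windows. The Wow6432Node root is skipped where it is absent.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path (Split-Path $_)) }

# Hypothetical helper: current flags for a key, or 0 if the value is missing.
function Get-CompatFlags([string]$Key) {
    $p = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$ValueName
}

# Hypothetical helper: create the CLSID key if needed and OR the kill bit in,
# so any other compatibility flags already present are preserved.
function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatFlags $key) -bor $KillBit
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord `
        -Value $flags -Force | Out-Null
}

# Hypothetical helper: true only if the key exists and the kill bit is set.
function Test-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    return (Test-Path $key) -and (((Get-CompatFlags $key) -band $KillBit) -ne 0)
}

# Apply to every applicable registry view, then report the verified state.
foreach ($root in $Roots) {
    Set-KillBit $root
    [pscustomobject]@{ Root = $root; KillBitSet = (Test-KillBit $root) }
}
```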
