Multiple stack-based buffer overflows in the KeyHelp.KeyCtrl.1 ActiveX control in KeyHelp.ocx 1.2.312 in KeyWorks KeyHelp Module (aka the HTML Help component), as used in EMC Documentum ApplicationXtender Desktop 5.4; EMC Captiva Quickscan Pro 4.6 SP1; GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; GE Intelligent Platforms Proficy HMI/SCADA iFIX 5.0 and 5.1; GE Intelligent Platforms Proficy Pulse 1.0; GE Intelligent Platforms Proficy Batch Execution 5.6; GE Intelligent Platforms SI7 I/O Driver 7.20 through 7.42; and other products, allow remote attackers to execute arbitrary code via a long string in the second argument to the (1) JumpMappedID or (2) JumpURL method.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2009/2795 | vdb entry |
| http://www.vupen.com/english/advisories/2009/2793 | vdb entry |
| http://www.securityfocus.com/bid/36546 | vdb entry exploit |
| http://support.ge-ip.com/support/resources/sites/GE_FANUC_SUPPORT/content/live/KB/14000/KB14863/en_US/GEIP12-04%20Security%20Advisory%20-%20Proficy%20HTML%20Help.pdf | vendor advisory |
| http://secunia.com/advisories/36914 | third party advisory vendor advisory |
| http://secunia.com/advisories/36905 | third party advisory vendor advisory |
| http://www.us-cert.gov/control_systems/pdf/ICSA-12-131-02.pdf | us government resource |
| http://retrogod.altervista.org/9sg_emc_keyhelp.html | exploit |