-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2006.0445 -- [Win]
      eBay Enhanced Picture Services ActiveX control buffer overflow
                                7 July 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              eBay Enhanced Picture Services ActiveX control
                        versions 1.0.3.36 and prior
Publisher:            US-CERT
Operating System:     Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-1176

Original Bulletin:    http://www.kb.cert.org/vuls/id/597721

- --------------------------BEGIN INCLUDED TEXT--------------------

US-CERT Vulnerability Note VU#597721
eBay Enhanced Picture Services ActiveX control buffer overflow

Overview

	The eBay Enhanced Picture Services (EPUImageControl Class) ActiveX
	control contains a buffer overflow vulnerability. This may allow a
	remote, unauthenticated attacker to execute arbitrary code on a
	vulnerable system.

I. Description

	ActiveX

	ActiveX is a technology that allows programmers to create reusable
	software components that can be incorporated into applications to
	extend their functionality. Internet Explorer is a common Windows
	application that makes use of ActiveX controls.

	eBay Enhanced Picture Services

	The eBay Enhanced Picture Services control is an ActiveX control that
	allows a seller to upload pictures to an auction. It is provided by
	the file EUPWALcontrol.dll and the COM object is named "EPUImageControl
	Class."

	The eBay Enhanced Picture Services control is available in the following
	eBay products:

	* eBay.com: Sell Your Item (SYI), Setup & Test eBay Enhanced Picture
	  Services, Picture Manager Enhanced Uploader
	* CARad.com: Add Vehicle
	* Older, unsupported versions of eBay SDK. The control does not ship in
	  supported versions of the SDK.

	Sellers who have installed the eBay ActiveX control on Windows (98,
	ME, NT, 2000, XP, 2003, etc.) are vulnerable.

	eBay has provided the following steps to determine if the Enhanced
	Picture Services ActiveX control is installed:

	  1. Launch Internet Explorer
	  2. Select Tools -> Internet Options
	  3. Click "Settings..." button in the "Temporary Internet files" group
	  4. Click on "View Objects..."
	  5. This will launch Windows Explorer. In the Program File column you
	     should see "EPUImageControl Class". If you don't see this file, then the
	     ActiveX control is not installed. Otherwise, right-click on the name and
	     select the Version tab to see the ActiveX version.

	The Problem

	Versions 1.0.3.36 and earlier of the eBay Enhanced Picture Services
	ActiveX control contain a buffer overflow vulnerability.

II. Impact

	By convincing a user to view a specially crafted HTML document (e.g.,
	a web page or an HTML email message or attachment), an attacker may
	be able to execute arbitrary code with the privileges of the user.
	The attacker could also cause Internet Explorer (or the program using
	the WebBrowser control) to crash.

III. Solution

	Upgrade or patch

	This vulnerability is addressed in version 1.0.3.48 and later of the
	eBay Enhanced Picture Services ActiveX control. According to eBay:

	    Sellers will automatically be prompted to update if they go
	    through any eBay flow that utilizes the ActiveX control,
	    including, but not limited to:
	      o In My eBay users will be prompted to update on the "Setup & Test
	        eBay Enhanced Picture Services" page when selecting eBay Enhanced
	        Picture Services under "My Account > Preferences > Sell Your Item
	        Picture Preference"
	      o In My eBay Picture Manager and in all versions of SYI
	        (Sell Your Item), Picture Manager subscribers will receive
	        the update when clicking Add Pictures and selecting Enhanced
	        Uploader if the Enhanced Uploader is not already the user default.
	      o On CARad.com, users will receive the update when clicking
	        the Picture Manager within the "Add Vehicle" flow.
	      o The eBay Developer site will advise eBay SDK developers
	        on how to update old, unsupported versions of the SDK that
	        contain the ActiveX Control.

	Remove the eBay Enhanced Picture Services ActiveX control

	The eBay Enhanced Picture Services ActiveX control can be removed by
	taking the following steps:

	   1. Launch Internet Explorer
	   2. Select Tools -> Internet Options
	   3. Click the "Settings..." button in the "Temporary Internet files" group
	   4. Click on "View Objects..."
	   5. This will launch Windows Explorer. In the Program File column
	      you should see "EPUImageControl Class".
	   6. Right click and "Remove" the ActiveX control.
	   7. Return to the Internet Options, close the "Settings" window.
	   8. Under "Internet Options", "Temporary Internet files", click
	      "Delete Files" to delete any locally cached copies of the ActiveX control.

	Disable ActiveX

	Disabling ActiveX controls in the Internet Zone (or any zone used by
	an attacker) appears to prevent exploitation of this vulnerability.
	Instructions for disabling ActiveX in the Internet Zone can be found in 
	the "Securing Your Web Browser" document and the Malicious Web Scripts FAQ.

	Disable the eBay Enhanced Picture Services ActiveX control

	The eBay Enhanced Picture Services ActiveX control can be disabled
	by setting the kill bit for the following CLSID:

	  {4C39376E-FA9D-4349-BACC-D305C1750EF3}

	More information about how to set the kill bit is available in Microsoft
	Support Document 240797.  http://support.microsoft.com/kb/240797
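
	The kill-bit step above, combined with the version check from the
	Description, as an added PowerShell example that is not part of the
	US-CERT note or eBay's instructions. It assumes a machine-wide (HKLM)
	registration and a native, elevated PowerShell session; the value name and
	0x400 flag are those documented in Microsoft Support Document 240797.

```powershell
#Requires -RunAsAdministrator
# Added example, not from US-CERT or eBay. Assumes the control is registered
# machine-wide (HKLM) and that this runs in a native (not 32-bit) PowerShell.

$Clsid   = '{4C39376E-FA9D-4349-BACC-D305C1750EF3}'  # CLSID given in the advisory
$Fixed   = [version]'1.0.3.48'                       # first fixed version per the advisory
$KillBit = 0x400                                     # kill bit in "Compatibility Flags" (KB240797)

# Check both registry views: 64-bit Windows keeps 32-bit IE settings under WOW6432Node.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node' |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $roots) {
    # 1. Locate the registered DLL, if any, and read its file version.
    $version = $null
    $inproc  = "$root\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = ([string](Get-Item -LiteralPath $inproc).GetValue('')).Trim('"')
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $vi = (Get-Item -LiteralPath $dll).VersionInfo
            $version = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)
        }
    }

    # 2. Set the kill bit, OR-ing it into any flags already present so other
    #    compatibility settings for this CLSID are preserved.
    $key = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = [int](Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -Value ($flags -bor $KillBit) -Type DWord

    # 3. Read the value back and report. Versions between 1.0.3.36 and 1.0.3.48
    #    are not classified by the advisory; treating them as unfixed is an assumption.
    $after = [int](Get-Item -LiteralPath $key).GetValue('Compatibility Flags', 0)
    [pscustomobject]@{
        View        = $root
        Installed   = [bool]$version
        FileVersion = $version
        BelowFixed  = [bool]($version -and $version -lt $Fixed)
        KillBitSet  = (($after -band $KillBit) -eq $KillBit)
    }
}
```

	Setting the kill bit is safe whether or not the control is present, so
	the script applies it in every view and reports the installed version
	only where a registration is found.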

Systems Affected

	Vendor    Status      Date Updated
	eBay      Vulnerable  6-Jul-2006

References

	http://pages.ebay.com/picture_manager/
	http://www.microsoft.com/com/default.mspx
	http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer

Credit

	This vulnerability was reported by Will Dormann.

	This document was written by Will Dormann.

Other Information

	Date Public             06/21/2006
	Date First Published    07/06/2006 02:07:27 PM
	Date Last Updated       07/06/2006
	CERT Advisory
	CVE Name                CVE-2006-1176
	Metric                  2.53
	Document Revision       22

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----