A vulnerability and a security issue have been discovered in SopCast SopPlayer, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a user's system.

1) A boundary error in the WebPlayer ActiveX Control (sopocx.ocx) when handling the "ChannelName" property can be exploited to cause a stack-based buffer overflow via a specially crafted "sop://" URL string.

Successful exploitation of this vulnerability allows execution of arbitrary code.

2) The application sets insecure file system permissions on the Diagnose.exe executable within the installation directory, which can be exploited to overwrite the file.

Successful exploitation of this vulnerability allows execution of arbitrary code with privileges of a user who performs the "Diagnose client and service" action.

The vulnerability and the security issue are confirmed in version 3.2.9 and 3.4.7. Other versions may also be affected.

Solution
Set the kill-bit for the affected ActiveX control. Restrict access to trusted users only.

Provided and/or discovered by
1) Sud0
2) Gjoko Krstic, Zero Science Lab

Changelog
Further details available in Customer Area

Original Advisory
Sud0:
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-059-sopcast-unicode-bof-remote-exploit/

Zero Science Lab (ZSL-2011-5062):
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5062.php

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area