Critical Vulnerability Information

Vulnerability Name: ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow

Vulnerability Description: A stack-based buffer overflow vulnerability exists in the "Import Users from File" feature of ActiveFax Server, caused by improper use of the function while parsing CSV-formatted files. This module creates an .exp file that must be imported using the default character set 'ECMA-94 / Latin 1 (ISO 8859)'.

Affected Versions: ActFax Server 4.32 on Windows XP SP3 and Windows 7 SP1

Exploitation Conditions: When ActiveFax runs as a service, it executes with SYSTEM privileges.

Discoverer & Contributors:
- Vulnerability Discovery and PoC: Craig Freyman
- Metasploit Module: Brandon Perry, juan vazquez

References:
- OSVDB: 85175
- EDB: 20915
- URL: http://www.pwnmag3.com/2012/08/actfax-local-privilege-escalation.html

Default Options:
- EXITFUNC: thread
- Platform: win
- Payload Space: 4600
- BadChars: "\x00"
- DisableNops: true

Targets:
- ActFax 4.32 / Windows XP SP3 EN / Windows 7 SP1
- Ret: 0x0401b22 (from ActFax.exe)
- Offset: 512

Privilege Escalation: true

Disclosure Date: 2012-08-28

Reliability, Stability, Side Effects: Unknown