DATEV ActiveX Control remote command execution

______________________________________________________________________

NSOADV-2010-003: DATEV ActiveX Control remote command execution
______________________________________________________________________
__________________________________________________

Title:                  DATEV DVBSExeCall ActiveX Control remote
                          command execution
  Severity:               Critical
  Advisory ID:            NSOADV-2010-003
  CVE Number:             CVE-2010-0689
  Found Date:             11.01.2010
  Date Reported:          28.01.2010
  Release Date:           25.02.2010
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
  Website:                http://sotiriu.de/
  Twitter:                http://twitter.com/nsoresearch
  Advisory-URL:           http://sotiriu.de/adv/NSOADV-2010-003.txt
  Vendor:                 DATEV (http://www.datev.de/)
  Affected Products:      DATEV Base System (Grundpaket Basis)
  Affected Component:     DVBSExeCall Control ActiveX Control V.1.0.0.1
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Disclosure Policy:      http://sotiriu.de/policy.html
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy

Background:
===========

DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.

Description:
============

During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX Control will be installed (DVBSExeCall.ocx), in which the
function "ExecuteExe" is vulnerable to a command execution bug.

Name:             ActiveX-Control zum ffnen von LEXinform und der InfoDB
Vendor:           DATEV eG
Type:             ActiveX-Steuerelement
Version:          1.0.0.1
GUID:             {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File:             DVBSExeCall.ocx
Folder:           C:\DATEV\PROGRAMM\HLPDVBSSafe for Script:  True
Safe for Init:    True
IObjectSafety:    False

NOTE: The affected ActiveX Control will be installed by any DATEV
      Software, so each system with a DATEV installation is vulnerable.

Proof of Concept :
==================

Weaponized PoC demonstration video:
+----------------------------------
http://sotiriu.de/demos/videos/nso-2010-003.html

Solution:
=========

DATEV Advisory
+-------------
http://www.datev.de/info-db/1080162 (German)

Service-Release Paket V. 1.0
+---------------------------
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550

Disclosure Timeline (YYYY/MM/DD):
=================================

2010.01.11: Vulnerability found
2010.01.25: Initial contact per Online forms
2010.01.26: Initial vendor response
2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor.
            [-] No Response
2010.01.28: Ask if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.02.11) to Vendor
2010.01.29: Vendor acknowledges the reception of the advisory and start
            to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to the
            2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this Advisory