The DATEV Active-X control remote command execution

2010.02.28
Credit: Nikolas Sotiriu
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

______________________________________________________________________ NSOADV-2010-003: DATEV ActiveX Control remote command execution ______________________________________________________________________ ______________________________________________________________________ Title: DATEV DVBSExeCall ActiveX Control remote command execution Severity: Critical Advisory ID: NSOADV-2010-003 CVE Number: CVE-2010-0689 Found Date: 11.01.2010 Date Reported: 28.01.2010 Release Date: 25.02.2010 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt Vendor: DATEV (http://www.datev.de/) Affected Products: DATEV Base System (Grundpaket Basis) Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1 Remote Exploitable: Yes Local Exploitable: No Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== DATEV eG is a German Company, which makes Software for tax advisors and lawyers. The affected Base System has to be installed on all systems that need DATEV Software. Description: ============ During the installation of the DATEV Base System (Grundpaket Basis) an ActiveX Control will be installed (DVBSExeCall.ocx), in which the function "ExecuteExe" is vulnerable to a command execution bug. Name: ActiveX-Control zum ffnen von LEXinform und der InfoDB Vendor: DATEV eG Type: ActiveX-Steuerelement Version: 1.0.0.1 GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC} File: DVBSExeCall.ocx Folder: C:DATEVPROGRAMMHLPDVBS Safe for Script: True Safe for Init: True IObjectSafety: False NOTE: The affected ActiveX Control will be installed by any DATEV Software, so each system with a DATEV installation is vulnerable. Proof of Concept : ================== Weaponized PoC demonstration video: +---------------------------------- http://sotiriu.de/demos/videos/nso-2010-003.html Solution: ========= DATEV Advisory +------------- http://www.datev.de/info-db/1080162 (German) Service-Release Paket V. 1.0 +--------------------------- http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550 Disclosure Timeline (YYYY/MM/DD): ================================= 2010.01.11: Vulnerability found 2010.01.25: Initial contact per Online forms 2010.01.26: Initial vendor response 2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor. [-] No Response 2010.01.28: Ask if vendor received my last email. 2010.01.28: Vendor is unable to use PGP. 2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.11) to Vendor 2010.01.29: Vendor acknowledges the reception of the advisory and start to develop a patch. 2010.02.02: Patch is finished. Vendor wishes to delay the release to the 2010.02.25. 2010.02.02: Changed release date to 2010.02.25. 2010.02.03: Patch is published 2010.02.25: Release of this Advisory


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top