DATEV ActiveX Control remote command execution

2010-03-02 / 2012-09-09
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other

______________________________________________________________________
NSOADV-2010-003: DATEV ActiveX Control remote command execution
______________________________________________________________________
__________________________________________________

  Title:               DATEV DVBSExeCall ActiveX Control remote command execution
  Severity:            Critical
  Advisory ID:         NSOADV-2010-003
  CVE Number:          CVE-2010-0689
  Found Date:          11.01.2010
  Date Reported:       28.01.2010
  Release Date:        25.02.2010
  Author:              Nikolas Sotiriu
  Mail:                nso-research at
  Website:
  Twitter:
  Advisory-URL:
  Vendor:              DATEV (
  Affected Products:   DATEV Base System (Grundpaket Basis)
  Affected Component:  DVBSExeCall Control ActiveX Control V.
  Remote Exploitable:  Yes
  Local Exploitable:   No
  Patch Status:        Vendor released a patch (See Solution)
  Discovered by:       Nikolas Sotiriu
  Disclosure Policy:
  Thanks to:           Thierry Zoller: For the permission to use his Policy


Background:
===========

DATEV eG is a German company that makes software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that need
DATEV software.


Description:
============

The installation of the DATEV Base System (Grundpaket Basis) installs an
ActiveX control (DVBSExeCall.ocx) whose "ExecuteExe" function is
vulnerable to a command execution bug.

  Name:             ActiveX-Control zum Öffnen von LEXinform und der InfoDB
  Vendor:           DATEV eG
  Type:             ActiveX-Steuerelement
  Version:
  GUID:             {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
  File:             DVBSExeCall.ocx
  Folder:           C:\DATEV\PROGRAMM\HLPDVBS
  Safe for Script:  True
  Safe for Init:    True
  IObjectSafety:    False

NOTE: The affected ActiveX control is installed by any DATEV software,
      so each system with a DATEV installation is vulnerable.


Proof of Concept:
=================

Weaponized PoC demonstration video:
+----------------------------------


Solution:
=========

DATEV Advisory
+-------------

(German)

Service-Release Paket V. 1.0
+---------------------------


Disclosure Timeline (YYYY/MM/DD):
=================================

2010.01.11: Vulnerability found
2010.01.25: Initial contact via online forms
2010.01.26: Initial vendor response
2010.01.26: Ask for a PGP key and send the disclosure policy to vendor.
            [-] No response
2010.01.28: Ask if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, advisory, disclosure policy and planned disclosure
            date (2010.02.11) to vendor
2010.01.29: Vendor acknowledges the reception of the advisory and starts
            to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to
            2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this advisory
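
Audit example (added here, not part of the original advisory or of DATEV's tooling): a PowerShell check that reports whether the control with the GUID listed above is registered on a host, which file backs it, and whether it is marked safe for scripting and initialization through registry categories. The category GUIDs and the Internet Explorer kill-bit key are standard Windows conventions that the advisory does not mention; the function name Get-ControlAudit is hypothetical.

```powershell
# Added audit example. The CLSID comes from the advisory; everything else
# is a standard Windows/IE registry convention, not advisory content.
$clsid         = '{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}'
$catSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$catSafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$killBit       = 0x400                                     # IE "do not load" flag

function Get-ControlAudit {   # hypothetical helper name
    param([string]$Clsid, [string]$SoftwareRoot)

    $classKey = "$SoftwareRoot\Classes\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $classKey)) { return $null }

    # Default value of InprocServer32 is the path of the registered .ocx
    $serverKey = Get-Item -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue
    $server    = if ($serverKey) { $serverKey.GetValue('') } else { $null }
    $version   = if ($server -and (Test-Path -LiteralPath $server)) {
        (Get-Item -LiteralPath $server).VersionInfo.FileVersion
    } else { $null }

    # "IObjectSafety: False" with "Safe for Script: True" means the safety
    # claim is made through these Implemented Categories subkeys.
    $cats = "$classKey\Implemented Categories"

    # Kill bit: Compatibility Flags value with 0x400 set for this CLSID
    $compat = "$SoftwareRoot\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags  = (Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'

    [pscustomobject]@{
        RegistryView  = $SoftwareRoot
        Server        = $server
        FileVersion   = $version
        SafeForScript = Test-Path -LiteralPath "$cats\$catSafeScript"
        SafeForInit   = Test-Path -LiteralPath "$cats\$catSafeInit"
        KillBitSet    = ([int]$flags -band $killBit) -ne 0
    }
}

# Check the native and the 32-bit (WOW6432Node) registry views.
'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node' |
    ForEach-Object { Get-ControlAudit -Clsid $clsid -SoftwareRoot $_ } |
    Format-List
```

No output means the control is not registered in either view. The advisory text here does not give the fixed file version, so compare the reported FileVersion against the vendor's service release notes.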

