______________________________________________________________________ NSOADV-2010-003: DATEV ActiveX Control remote command execution ______________________________________________________________________ __________________________________________________ Title: DATEV DVBSExeCall ActiveX Control remote command execution Severity: Critical Advisory ID: NSOADV-2010-003 CVE Number: CVE-2010-0689 Found Date: 11.01.2010 Date Reported: 28.01.2010 Release Date: 25.02.2010 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt Vendor: DATEV (http://www.datev.de/) Affected Products: DATEV Base System (Grundpaket Basis) Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1 Remote Exploitable: Yes Local Exploitable: No Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== DATEV eG is a German Company, which makes Software for tax advisors and lawyers. The affected Base System has to be installed on all systems that need DATEV Software. Description: ============ During the installation of the DATEV Base System (Grundpaket Basis) an ActiveX Control will be installed (DVBSExeCall.ocx), in which the function "ExecuteExe" is vulnerable to a command execution bug. Name: ActiveX-Control zum ffnen von LEXinform und der InfoDB Vendor: DATEV eG Type: ActiveX-Steuerelement Version: 1.0.0.1 GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC} File: DVBSExeCall.ocx Folder: C:\DATEV\PROGRAMM\HLPDVBSSafe for Script: True Safe for Init: True IObjectSafety: False NOTE: The affected ActiveX Control will be installed by any DATEV Software, so each system with a DATEV installation is vulnerable. Proof of Concept : ================== Weaponized PoC demonstration video: +---------------------------------- http://sotiriu.de/demos/videos/nso-2010-003.html Solution: ========= DATEV Advisory +------------- http://www.datev.de/info-db/1080162 (German) Service-Release Paket V. 1.0 +--------------------------- http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550 Disclosure Timeline (YYYY/MM/DD): ================================= 2010.01.11: Vulnerability found 2010.01.25: Initial contact per Online forms 2010.01.26: Initial vendor response 2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor. [-] No Response 2010.01.28: Ask if vendor received my last email. 2010.01.28: Vendor is unable to use PGP. 2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.11) to Vendor 2010.01.29: Vendor acknowledges the reception of the advisory and start to develop a patch. 2010.02.02: Patch is finished. Vendor wishes to delay the release to the 2010.02.25. 2010.02.02: Changed release date to 2010.02.25. 2010.02.03: Patch is published 2010.02.25: Release of this Advisory