NSOADV-2010-003: DATEV ActiveX Control remote command execution
111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
Title: DATEV DVBSExeCall ActiveX Control remote
command execution
Severity: Critical
Advisory ID: NSOADV-2010-003
CVE Number: CVE-2010-0689
Found Date: 11.01.2010
Date Reported: 28.01.2010
Release Date: 25.02.2010
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt
Vendor: DATEV (http://www.datev.de/)
Affected Products: DATEV Base System (Grundpaket Basis)
Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.
The affected Base System has to be installed on all systems that
need DATEV Software.
During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX Control will be installed (DVBSExeCall.ocx), in which the
function "ExecuteExe" is vulnerable to a command execution bug.
Name: ActiveX-Control zum Γffnen von LEXinform und der InfoDB
Vendor: DATEV eG
Type: ActiveX-Steuerelement
Version: 1.0.0.1
GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File: DVBSExeCall.ocx
Folder: C:\DATEV\PROGRAMM\HLPDVBS\
Safe for Script: True
Safe for Init: True
IObjectSafety: False
NOTE: The affected ActiveX Control will be installed by any DATEV
Software, so each system with a DATEV installation is vulnerable.
Weaponized PoC demonstration video:
Β±---------------------------------
http://sotiriu.de/demos/videos/nso-2010-003.html
DATEV Advisory
Β±------------
http://www.datev.de/info-db/1080162 (German)
Service-Release Paket V. 1.0
Β±--------------------------
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550
2010.01.11: Vulnerability found
2010.01.25: Initial contact per Online forms
2010.01.26: Initial vendor response
2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor.
[-] No Response
2010.01.28: Ask if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.02.11) to Vendor
2010.01.29: Vendor acknowledges the reception of the advisory and start
to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to the
2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this Advisory