Oracle AutoVue 20.0.1 AutoVueX ActiveX Control SaveViewStateToFile Remote
File Creation / Overwrite Vulnerability
tested against: Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2
download url of a test version:
http://www.oracle.com/technetwork/apps-tech/autovue/index.html
file:
AutoVueDemo2001.zip
Background:
the mentioned program installs an ActiveX control with the following
settings:
ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true
This control is marked "safe for scripting" and "safe for initialization",
Internet Explorer will allows scripting of this control.
Vulnerability:
The mentioned class contains the vulnerable SaveViewStateToFile() method, from
the typelib:
...
/* DISPID=116 */
/* VT_BOOL [11] */
function SaveViewStateToFile(
/* VT_BSTR [8] */ $sFileName
)
{
}
...
which allows to create / overwrite files with arbitrary extensions
inside arbitrary locations.
It was experimented that the content of theese files can be
partially controlled by passing a remote file to the
RestoreViewStateFromFile() method.
The resulting file will look like this:
0 : 6b 00 00 00 07 00 41 56 31 37 5f 32 00 0a 00 56 [k.....AV17_2...V]
10 : 69 65 77 53 74 61 74 65 00 ff ff ff ff 00 00 01 [iewState........]
20 : 00 00 00 01 00 00 00 6f 8f 96 d8 ca 22 71 c1 86 [.......o...."q..]
30 : f0 ca b7 56 a0 b0 e0 00 00 00 00 00 00 00 00 41 [...V...........A] <----- controlled section (AAAA)
40 : 41 41 41 59 fb bb 60 86 f0 ca b7 56 a0 b0 60 00 [AAAY..`....V..`.]
50 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
60 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [...............]
poc, which overwrites boot.ini:
http://retrogod.altervista.org/9sg_autovueiii.zip
Mirror: http://www.exploit-db.com/sploits/9sg_autovueiii.zip