SecurityReason.com - Our Reason is Security

Topic :

DATEV ActiveX Control remote command execution

SecurityAlert : 7060
CVE : CVE-2010-0689
CWE : CWE-Other
SecurityRisk : High
Remote Exploit : Yes
Local Exploit : No
Victim interaction required : No
Exploit Available : Yes
Credit : NSO Research
Published : 02.03.2010

Affected Software : datev:base_system



Advisory Content :

______________________________________________________________________

NSOADV-2010-003: DATEV ActiveX Control remote command execution
______________________________________________________________________
__________________________________________________

Title: DATEV DVBSExeCall ActiveX Control remote command execution
Severity: Critical
Advisory ID: NSOADV-2010-003
CVE Number: CVE-2010-0689
Found Date: 11.01.2010
Date Reported: 28.01.2010
Release Date: 25.02.2010
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt
Vendor: DATEV (http://www.datev.de/)
Affected Products: DATEV Base System (Grundpaket Basis)
Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his Policy

Background:
===========

DATEV eG is a German company that makes software for tax advisors and
lawyers.

The affected Base System has to be installed on every system that
runs DATEV software.

Description:
============

During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX control (DVBSExeCall.ocx) is installed. Its "ExecuteExe"
method is vulnerable to a command execution bug: the control is marked
safe for scripting, so the method is reachable from script in a web page.

Name: ActiveX-Control zum Öffnen von LEXinform und der InfoDB
(ActiveX control for opening LEXinform and the InfoDB)
Vendor: DATEV eG
Type: ActiveX control
Version: 1.0.0.1
GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File: DVBSExeCall.ocx
Folder: C:\DATEV\PROGRAMM\HLPDVBS
Safe for Script: True
Safe for Init: True
IObjectSafety: False

NOTE: The affected ActiveX control is installed by every DATEV
software package, so each system with a DATEV installation is vulnerable.
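The advisory lists the control as "Safe for Script: True" with no IObjectSafety implementation, which means the safety claim is made through component-category registration under the control's CLSID. Whether a given host is exposed therefore comes down to three registry facts: is the CLSID registered, is it in the "safe for scripting" category, and has the Internet Explorer kill bit (Compatibility Flags 0x400) been set for it. The following triage script is an added example, not part of the advisory or DATEV's software; it parses a `reg export`-style dump (the sample dump, including the install path and the presence of the kill-bit key, is constructed for illustration) and reports the exposure state of the GUID from the advisory. The two category GUIDs are the standard CATID_SafeForScripting and CATID_SafeForInitializing values; `killbit_reg_fragment` emits the registry fragment an administrator would import to set the kill bit as an interim mitigation before the vendor patch is applied.

```python
import re
from typing import Dict, Optional

# CLSID taken from the advisory above
CLSID = "{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}"
# Standard component-category GUIDs used to declare ActiveX safety
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# Internet Explorer "kill bit" flag in Compatibility Flags
KILLBIT = 0x400
COMPAT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\ACTIVEX COMPATIBILITY"

# Constructed sample of a `reg export` dump for this CLSID (not from the page):
# the control is registered, declares both safety categories, and the kill bit is set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}]
@="ActiveX-Control zum Öffnen von LEXinform und der InfoDB"

[HKEY_CLASSES_ROOT\CLSID\{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}\InprocServer32]
@="C:\\DATEV\\PROGRAMM\\HLPDVBS\\DVBSExeCall.ocx"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C1CF8B56-3147-41A2-B9BF-79437EED7AFC}]
"Compatibility Flags"=dword:00000400
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a reg-export text dump into {KEY_PATH_UPPER: {value_name: value}}.

    Key paths are upper-cased because the registry is case-insensitive.
    REG_SZ strings are unescaped, REG_DWORD values become ints, other types stay raw.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            keys[line[1:-1].upper()] = current
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = "" if name == "@" else name.strip('"')  # "" is the default value
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # reg export escapes backslashes and quotes inside REG_SZ data
            current[name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        else:
            current[name] = data
    return keys


def assess_control(reg: Dict[str, Dict[str, object]], clsid: str) -> Dict[str, object]:
    """Report whether a scriptable control is reachable from the browser on this host."""
    clsid_u = clsid.upper()
    base = f"HKEY_CLASSES_ROOT\\CLSID\\{clsid_u}"
    cats = base + "\\IMPLEMENTED CATEGORIES\\"
    flags = reg.get(f"{COMPAT_KEY}\\{clsid_u}", {}).get("Compatibility Flags", 0)
    flags = flags if isinstance(flags, int) else 0
    result: Dict[str, object] = {
        "registered": base in reg,
        "server": reg.get(base + "\\INPROCSERVER32", {}).get(""),
        "safe_for_scripting": (cats + CATID_SAFE_FOR_SCRIPTING.upper()) in reg,
        "safe_for_init": (cats + CATID_SAFE_FOR_INIT.upper()) in reg,
        "killbit_set": bool(flags & KILLBIT),
    }
    # Exposed means: present, declared safe for scripting, and not kill-bitted
    result["exposed_to_browser"] = (
        result["registered"] and result["safe_for_scripting"] and not result["killbit_set"]
    )
    return result


def killbit_reg_fragment(clsid: str) -> str:
    """Return a .reg fragment that sets the IE kill bit for the given CLSID."""
    if not re.fullmatch(r"\{[0-9A-Fa-f-]{36}\}", clsid):
        raise ValueError("not a CLSID in {GUID} form")
    return (
        "Windows Registry Editor Version 5.00\n\n"
        f"[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{clsid}]\n"
        f'"Compatibility Flags"=dword:{KILLBIT:08x}\n'
    )


if __name__ == "__main__":
    report = assess_control(parse_reg(SAMPLE_REG), CLSID)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    if report["exposed_to_browser"]:
        print("\nMitigation fragment:\n" + killbit_reg_fragment(CLSID))
```

On a live Windows host the same checks would be made with `winreg` (or `reg export` followed by this parser); running it against exports collected from many hosts gives a quick inventory of which machines still expose the control while the vendor's Service-Release is rolled out.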

Proof of Concept :
==================

Weaponized PoC demonstration video:
+----------------------------------
http://sotiriu.de/demos/videos/nso-2010-003.html

Solution:
=========

DATEV Advisory
+-------------
http://www.datev.de/info-db/1080162 (German)

Service-Release Paket V. 1.0
+---------------------------
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550

Disclosure Timeline (YYYY.MM.DD):
=================================

2010.01.11: Vulnerability found
2010.01.25: Initial contact via online form
2010.01.26: Initial vendor response
2010.01.26: Asked for a PGP key and sent the Disclosure Policy to vendor.
[-] No response
2010.01.28: Asked whether the vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, advisory, disclosure policy and planned disclosure
date (2010.02.11) to vendor
2010.01.29: Vendor acknowledges receipt of the advisory and starts
to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to
2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this advisory



References :

http://www.securityfocus.com/bid/38415
http://www.securityfocus.com/archive/1/archive/1/509743/100/0/threaded
http://www.datev.de/info-db/1080162
http://sotiriu.de/demos/videos/nso-2010-003.html
http://sotiriu.de/adv/NSOADV-2010-003.txt
http://secunia.com/advisories/38716



