vuln.sg Vulnerability Research Advisory

Data Dynamics ActiveReports ARViewer2 ActiveX Control Insecure Methods by Tan Chew Keong Release Date: 2008-09-17    [en] [jp] Summary Multiple insecure methods were found within the ARViewer2 ActiveX control of Data Dynamics ActiveReport. When exploited, these vulnerabilities allow an anonymous attacker to overwrite aribtrary files on a user's system and potentially to execute arbitrary code on an affected system. Successful exploit requires that the user is tricked into visiting a malicious website. Tested Versions Data Dynamics ActiveReport Professional Edition Build 2.5.0.1314 (ARView2.ocx version 2.5.0.1314) Details Multiple insecure methods were found within the ARViewer2 ActiveX control (DDActiveReportsViewer2.ARViewer2, CLSID:8569D715-FF88-44BA-8D1D-AD3E59543DDE, ARVIEW2.OCX) of Data Dynamics ActiveReport. When exploited, these vulnerabilities allow an anonymous attacker to overwrite aribtrary files on a user's system and potentially to execute arbitrary code on an affected system. Successful exploit requires that the user is tricked into visiting a malicious website. The purpose of this ActiveX control is allow a website to display a report file to the user within the browser, and to allow the user to print the report. This ActiveX control is marked "safe for scripting" and "safe for initializing from persistent data". This means that the control can be instantiated from any potentially malicious website. By instantiating the control and then calling the Pages.Save() method, the PrintReport() method, or the Canvas.Save() method, a malicious website can overwrite arbitrary files on a user's system with the user's privilege. The Canvas.Save() method can be further exploited to allow the attacker to write known text into the output file. By writing a specially-crafted file into the user's startup folder, it is possible for an attacker to run arbitrary code on the user's system when the user next logs on. Below is the POC exploit that can be used to confirm this vulnerability. This exploit will create "savepage.txt" and "printreport.txt" on the user's Desktop, and create a specially-crafted file in the user's Startup Folder. Note that this specially-crafted file will run calc.exe when the user logs on. This exploit has been successfully tested on WinXP. Please view the instructions under the POC / Test Code section below for instructions of how to use this POC. POC REMOVED   POC / Test Code Example exploit to demonstrate the vulnerabilities were provided to the vendor. Patch / Workaround Do not visit untrusted websites if you have this control installed on your system. Disclosure Timeline 2008-08-10 - Vulnerability Discovered. 2008-08-17 - Initial Vendor Notification via Email and Online Form. 2008-08-18 - Initial Vendor Reply. 2008-08-18 - Vulnerability Details Sent to Vendor. 2008-08-20 - Received reply that the vulnerability will be fixed in a future version, but no estimated release date can be given. 2008-08-20 - Reminded vendor that since this is a vulnerability, it should be fixed with a higher priority. 2008-08-29 - Vendor reminder sent. 2008-09-02 - Received reply that release date is still undetermined. 2008-09-10 - Vendor reminder sent. (no reply) 2008-09-17 - Public Release.

Contact

For further enquries, comments, suggestions or bug reports, simply email them to