by Tan Chew Keong
Release Date: 2008-09-17
Multiple insecure methods were found within the ARViewer2 ActiveX control of Data Dynamics ActiveReport. When exploited, these vulnerabilities allow an anonymous attacker to overwrite aribtrary files on a user's system and potentially to execute arbitrary code on an affected system. Successful exploit requires that the user is tricked into visiting a malicious website.
Multiple insecure methods were found within the ARViewer2 ActiveX control (DDActiveReportsViewer2.ARViewer2, CLSID:8569D715-FF88-44BA-8D1D-AD3E59543DDE, ARVIEW2.OCX) of Data Dynamics ActiveReport. When exploited, these vulnerabilities allow an anonymous attacker to overwrite aribtrary files on a user's system and potentially to execute arbitrary code on an affected system. Successful exploit requires that the user is tricked into visiting a malicious website.
The purpose of this ActiveX control is allow a website to display a report file to the user within the browser, and to allow the user to print the report. This ActiveX control is marked "safe for scripting" and "safe for initializing from persistent data". This means that the control can be instantiated from any potentially malicious website.
By instantiating the control and then calling the Pages.Save() method, the PrintReport() method, or the Canvas.Save() method, a malicious website can overwrite arbitrary files on a user's system with the user's privilege.
The Canvas.Save() method can be further exploited to allow the attacker to write known text into the output file. By writing a specially-crafted file into the user's startup folder, it is possible for an attacker to run arbitrary code on the user's system when the user next logs on.
Below is the POC exploit that can be used to confirm this vulnerability. This exploit will create "savepage.txt" and "printreport.txt" on the user's Desktop, and create a specially-crafted file in the user's Startup Folder. Note that this specially-crafted file will run calc.exe when the user logs on. This exploit has been successfully tested on WinXP.
Please view the instructions under the POC / Test Code section below for instructions of how to use this POC.
POC / Test Code
Example exploit to demonstrate the vulnerabilities were provided to the vendor.
Patch / Workaround
Do not visit untrusted websites if you have this control installed on your system.
2008-08-10 - Vulnerability Discovered.
2008-08-17 - Initial Vendor Notification via Email and Online Form.
2008-08-18 - Initial Vendor Reply.
2008-08-18 - Vulnerability Details Sent to Vendor.
2008-08-20 - Received reply that the vulnerability will be fixed in a future version, but no estimated release date can be given.
2008-08-20 - Reminded vendor that since this is a vulnerability, it should be fixed with a higher priority.
2008-08-29 - Vendor reminder sent.
2008-09-02 - Received reply that release date is still undetermined.
2008-09-10 - Vendor reminder sent. (no reply)
2008-09-17 - Public Release.