[VIM] Morovia Barcode ActiveX 3.6.2 (MrvBarCd.dll) Insecure Method Exploit
George A. Theall
theall at tenablesecurity.com
Tue Mar 17 14:36:22 UTC 2009
On Mar 17, 2009, at 9:14 AM, George A. Theall wrote:
> FYI, milw0rm 3899 and 8208 look like they are for the same
> underlying issue, albeit involving different versions of the software.
On further investigation, they are different. The earlier advisory
from Shinnai involves overwriting arbitrary files, such as
"c:\windows\system_.ini". The more recent one, from Cyber-Zone, involves
creating arbitrary files, although I'm not sure if there's a way for an
attacker to control the content of the file.
Btw, Morovia fixed the earlier issue in January 2009 by releasing
version 2.6.0 (search for "Bug 552" in the release notes, at
http://mdn.morovia.com/manuals/bax3/Barcode-ActiveX-Release-Notes.htm).
There are two affected methods -- 'Save', which Shinnai reported, as
well as 'ExportImage'.
Using Cyber-Zone's PoC, both methods still allow you to create
arbitrary files in the current version (3.6.2).
George
--
theall at tenablesecurity.com