HP LoadRunner is a software performance testing solution. HP LoadRunner includes the **lrFileIOService** ActiveX control.
HP LoadRunner before 11.52 is vulnerable to remote code execution. The **lrFileIOService** ActiveX control exposes the **WriteFileBinary** method which accepts a parameter named data without validating the value. A remote attacker who persuades a vulnerable user to visit a malicious web page could execute arbitrary code in the context of the user.
Upgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin HPSBGN02905 SSRT101083.
This exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).
The user must open the exploit in Internet Explorer 8 or 9 on the target.