Microsoft Rich Textbox ActiveX control SaveFile vulnerability

2008-10-07T00:00:00
ID SAINT:7863264A1CB954FB96BDBE851CE17C52
Type saint
Reporter SAINT Corporation
Modified 2008-10-07T00:00:00

Description

Added: 10/07/2008
CVE: CVE-2008-0237
BID: 27201
OSVDB: 40234

Background

Microsoft Rich Textbox is an ActiveX control which comes with Visual Basic and allows creation of formatted text in RTF files. It is located in the **Richtx32.ocx** file.

Problem

The **SaveFile** method in the Rich Textbox ActiveX control allows web pages to create or overwrite arbitrary files.

Resolution

Set the kill bits for Class IDs 3B7C8860-D78F-101B-B9B5-04021C009402 and B617B991-A767-4F05-99BA-AC6FCABB102E as described in Microsoft Knowledge Base Article 240797.
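The following PowerShell script is an added example, not part of the SAINT advisory. It reports whether the kill bit is set for the two Class IDs above and, when run elevated with `-Set`, sets it. The registry location and the 0x400 flag are the ones documented in Knowledge Base Article 240797; the `-Set` switch and the output format are this example's own.

```powershell
# Audit (and optionally set) the Internet Explorer kill bit for the
# Rich Textbox control CLSIDs listed in the Resolution section.
# Usage: .\killbit.ps1        -> report only
#        .\killbit.ps1 -Set   -> set missing kill bits (requires elevation)
param([switch]$Set)

$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
$Name    = 'Compatibility Flags'
$Clsids  = '{3B7C8860-D78F-101B-B9B5-04021C009402}',
           '{B617B991-A767-4F05-99BA-AC6FCABB102E}'
# On 64-bit Windows, 32-bit and 64-bit IE read separate copies of this key.
$Roots   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'

foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }   # Wow6432Node is absent on 32-bit Windows
    foreach ($clsid in $Clsids) {
        $key   = Join-Path $root $clsid
        $flags = 0
        if (Test-Path $key) {
            $prop = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.$Name }
        }
        $killed = ($flags -band $KillBit) -ne 0

        if (-not $killed -and $Set) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the bit in so that any other compatibility flags already present are kept.
            $flags = $flags -bor $KillBit
            New-ItemProperty -Path $key -Name $Name -PropertyType DWord `
                -Value $flags -Force | Out-Null
            $killed = $true
        }

        # One line per CLSID per registry view, suitable for logging or grepping.
        '{0}  killbit={1}  flags=0x{2:X8}  {3}' -f $clsid, $killed, $flags, $root
    }
}
```

Any line reporting `killbit=False` identifies a registry view in which Internet Explorer can still instantiate the control.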

References

<http://www.milw0rm.com/exploits/4874>

Limitations

The exploit works on Microsoft Visual Studio 6.0 and requires a user to load the exploit page into Internet Explorer. For the exploit to succeed, the Rich Textbox ActiveX control must be marked Safe for Scripting, or the Internet Explorer security settings must allow scripting of ActiveX controls not marked Safe for Scripting. Neither of these conditions is true by default.

The shell connection will only take place after the user reboots.

This exploit requires the ability to bind to port 69/UDP on the SAINTexploit host.

Platforms

Windows 2000
Windows XP