SAINT Corporation, SAINT:7863264A1CB954FB96BDBE851CE17C52
Oct 07, 2008 - 12:00 a.m.

Microsoft Rich Textbox ActiveX control SaveFile vulnerability

2008-10-07 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 6.8 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.956 High
Percentile: 99.4%

Added: 10/07/2008
CVE: CVE-2008-0237
BID: 27201
OSVDB: 40234

Background

Microsoft Rich Textbox is an ActiveX control which comes with Visual Basic and allows creation of formatted text in RTF files. It is located in the **Richtx32.ocx** file.

Problem

The **SaveFile** method in the Rich Textbox ActiveX control allows web pages to create or overwrite arbitrary files.

Resolution

Set the kill bits for Class IDs 3B7C8860-D78F-101B-B9B5-04021C009402 and B617B991-A767-4F05-99BA-AC6FCABB102E as described in Microsoft Knowledge Base Article 240797.

References

<http://www.milw0rm.com/exploits/4874>

Limitations

The exploit works on Microsoft Visual Studio 6.0 and requires a user to load the exploit page into Internet Explorer. For the exploit to succeed, the Rich Textbox ActiveX control must be marked Safe for Scripting, or the Internet Explorer security settings must allow scripting of ActiveX controls not marked Safe for Scripting. Neither of these conditions is true by default.

The shell connection will only take place after the user reboots.

This exploit requires the ability to bind to port 69/UDP on the SAINTexploit host.

Platforms

Windows 2000
Windows XP
