Quest InTrust 10.4.x ReportTree and SimpleTree Classes ArDoc.dll ActiveX Control Remote File Creation / Overwrite Vulnerability




homepage: http://www.quest.com/intrust/

description: "InTrust securely collects, stores, reports and
alerts on event log data from Windows, Unix and Linux systems,
helping you comply with external regulations, internal policies
and security best practices."


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip

Background:

The mentioned product, when installed, registers two classes
with the following settings:

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {C6FAAD6A-68AE-452B-9F7A-9293408F51EF}
ProgID: ARDOC.ReportTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?

binary path: C:\Program Files\Common Files\Aelita Shared\ARDoc.dll
CLSID: {EB5920E8-F6FA-4080-ADDC-AA03FA23E2AB}
ProgID: ARDOC.SimpleTree.1
Implements IObjectSafety: yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): ?

Because both classes report themselves as safe for scripting
through the IObjectSafety interface, Internet Explorer will
allow web pages to script them.

Vulnerability:
Both classes expose insecure methods (read/write):


..
/* DISPID=34 */
/* VT_BOOL [11] */
function LoadFromFile(
/* VT_BSTR [8] */ $bstrFileName
)
{
/* method LoadFromFile */
}
/* DISPID=35 */
/* VT_BOOL [11] */
function SaveToFile(
/* VT_BSTR [8] */ $bstrFileName
)
{
/* method SaveToFile */
}
..

SaveToFile() allows arbitrary file creation and overwrite.

The resulting file has the following header:

D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 ...

This seems to be a Microsoft Office file.
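For triage on a host where the control was installed, the header above can be used to find files that were overwritten through SaveToFile(). The following is an added example, not part of the original advisory: it flags files that start with those eight bytes (the OLE2 compound file signature) but do not carry an extension where that format is expected. The extension list, function names and sample files are assumptions constructed for the example.

```python
import os
import tempfile

# First 8 bytes of the header quoted in the advisory (OLE2 compound file signature).
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Assumption: extensions where a compound-file header is normal and not worth flagging.
EXPECTED_EXTS = {".doc", ".xls", ".ppt", ".msi", ".msp", ".mst", ".msg", ".db"}


def has_cfb_header(path):
    """Return True if the file starts with the compound-file signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(CFB_MAGIC)) == CFB_MAGIC
    except OSError:
        return False  # unreadable, locked or missing file: nothing to report


def find_suspect_files(root):
    """Walk root; return sorted paths carrying the header under an unexpected extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            full = os.path.join(dirpath, name)
            if ext not in EXPECTED_EXTS and has_cfb_header(full):
                hits.append(full)
    return sorted(hits)


def build_demo_tree(root):
    """Constructed sample data: an overwritten file, an intact one, a real document."""
    samples = {
        "boot.ini": CFB_MAGIC + b"\x00" * 504,    # overwritten, as described in the advisory
        "win.ini": b"[fonts]\r\n",                # untouched text file
        "report.doc": CFB_MAGIC + b"\x00" * 504,  # legitimate compound file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for path in find_suspect_files(tmp):
            print("compound-file header under unexpected name:", path)
```

On a real system, point find_suspect_files() at the directories of interest and compare hits against known-good backups before restoring.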

Attached are two PoCs that overwrite the boot.ini file. Change for your needs.

Other attacks are possible, including remote code execution
if the attacker is able to control file content.
At the time of report, however, this could not be achieved. I
will post updates on this if demonstrated.

original url: http://retrogod.altervista.org/9sg_quest_ii.htm

pocs:
http://retrogod.altervista.org/9sg_quest_ii_1.htm

http://retrogod.altervista.org/9sg_quest_ii_2.htm


