NSOADV-2010-003: DATEV ActiveX Control remote command execution Feb 25 2010 08:18AM
NSO Research (nso-research sotiriu de)
______________________________________________________________________

NSOADV-2010-003: DATEV ActiveX Control remote command execution
______________________________________________________________________
______________________________________________________________________

111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________

Title: DATEV DVBSExeCall ActiveX Control remote
command execution
Severity: Critical
Advisory ID: NSOADV-2010-003
CVE Number: CVE-2010-0689
Found Date: 11.01.2010
Date Reported: 28.01.2010
Release Date: 25.02.2010
Author: Nikolas Sotiriu
Mail: nso-research at sotiriu.de
Website: http://sotiriu.de/
Twitter: http://twitter.com/nsoresearch
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt
Vendor: DATEV (http://www.datev.de/)
Affected Products: DATEV Base System (Grundpaket Basis)
Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy

Background:
===========

DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.

Description:
============

During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX Control will be installed (DVBSExeCall.ocx), in which the
function "ExecuteExe" is vulnerable to a command execution bug.

Name: ActiveX-Control zum Öffnen von LEXinform und der InfoDB
Vendor: DATEV eG
Type: ActiveX-Steuerelement
Version: 1.0.0.1
GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File: DVBSExeCall.ocx
Folder: C:\DATEV\PROGRAMM\HLPDVBSSafe for Script: True
Safe for Init: True
IObjectSafety: False

NOTE: The affected ActiveX Control will be installed by any DATEV
Software, so each system with a DATEV installation is vulnerable.

Proof of Concept :
==================

Weaponized PoC demonstration video:
+----------------------------------
http://sotiriu.de/demos/videos/nso-2010-003.html

Solution:
=========

DATEV Advisory
+-------------
http://www.datev.de/info-db/1080162 (German)

Service-Release Paket V. 1.0
+---------------------------
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550

Disclosure Timeline (YYYY/MM/DD):
=================================

2010.01.11: Vulnerability found
2010.01.25: Initial contact per Online forms
2010.01.26: Initial vendor response
2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor.
[-] No Response
2010.01.28: Ask if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2010.02.11) to Vendor
2010.01.29: Vendor acknowledges the reception of the advisory and start
to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to the
2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this Advisory

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus