AOH :: HP Unsorted N :: BU-1877.HTM

DATEV ActiveX Control remote command execution



NSOADV-2010-003: DATEV ActiveX Control remote command execution
NSOADV-2010-003: DATEV ActiveX Control remote command execution



______________________________________________________________________

NSOADV-2010-003: DATEV ActiveX Control remote command execution
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  DATEV DVBSExeCall ActiveX Control remote
                          command execution
  Severity:               Critical
  Advisory ID:            NSOADV-2010-003
  CVE Number:             CVE-2010-0689
  Found Date:             11.01.2010
  Date Reported:          28.01.2010
  Release Date:           25.02.2010
  Author:                 Nikolas Sotiriu
  Mail:                   nso-research at sotiriu.de
Website: http://sotiriu.de/ 
Twitter: http://twitter.com/nsoresearch 
Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt 
Vendor: DATEV (http://www.datev.de/) 
  Affected Products:      DATEV Base System (Grundpaket Basis)
  Affected Component:     DVBSExeCall Control ActiveX Control V.1.0.0.1
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html 
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy



Background:
==========
DATEV eG is a German Company, which makes Software for tax advisors and
lawyers.

The affected Base System has to be installed on all systems that
need DATEV Software.



Description:
===========
During the installation of the DATEV Base System (Grundpaket Basis) an
ActiveX Control will be installed (DVBSExeCall.ocx), in which the
function "ExecuteExe" is vulnerable to a command execution bug.


Name:             ActiveX-Control zum =D6ffnen von LEXinform und der InfoDB
Vendor:           DATEV eG
Type:             ActiveX-Steuerelement
Version:          1.0.0.1
GUID:             {C1CF8B56-3147-41A2-B9BF-79437EED7AFC}
File:             DVBSExeCall.ocx
Folder:           C:\DATEV\PROGRAMM\HLPDVBS\
Safe for Script:  True
Safe for Init:    True
IObjectSafety:    False


NOTE: The affected ActiveX Control will be installed by any DATEV
      Software, so each system with a DATEV installation is vulnerable.



Proof of Concept :
=================
Weaponized PoC demonstration video:
+----------------------------------
http://sotiriu.de/demos/videos/nso-2010-003.html 



Solution:
========
DATEV Advisory
+-------------
http://www.datev.de/info-db/1080162 (German) 

Service-Release Paket V. 1.0
+---------------------------
http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550 



Disclosure Timeline (YYYY/MM/DD):
================================
2010.01.11: Vulnerability found
2010.01.25: Initial contact per Online forms
2010.01.26: Initial vendor response
2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor.
            [-] No Response
2010.01.28: Ask if vendor received my last email.
2010.01.28: Vendor is unable to use PGP.
2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.02.11) to Vendor
2010.01.29: Vendor acknowledges the reception of the advisory and start
            to develop a patch.
2010.02.02: Patch is finished. Vendor wishes to delay the release to the
            2010.02.25.
2010.02.02: Changed release date to 2010.02.25.
2010.02.03: Patch is published
2010.02.25: Release of this Advisory










The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.