[VIM] Morovia Barcode ActiveX 3.6.2 (MrvBarCd.dll) Insecure Method Exploit

George A. Theall theall at tenablesecurity.com
Tue Mar 17 14:36:22 UTC 2009

On Mar 17, 2009, at 9:14 AM, George A. Theall wrote:

> FYI, milw0rm 3899 and 8208 look like they are for the same  
> underlying issue, albeit involving different versions of the software.

On further investigation, they are different.  The earlier advisory  
from Shinnai involves overwriting arbitrary files, such as "c:\windows 
\system_.ini". The more recent one, from Cyber-Zone, involves creating  
arbitrary files, although I'm not sure if there's a way for an  
attacker to control the content of the file.

Btw, Morovia fixed the earlier issue in January 2009 by releasing  
version 2.6.0 (search for "Bug 552" in the release notes, at http://mdn.morovia.com/manuals/bax3/Barcode-ActiveX-Release-Notes.htm) 
. There are two affected methods -- 'Save', which Shinnai reported, as  
well as 'ExportImage'.

Using Cyber-Zone's PoC, both methods still allow you to create  
arbitrary files in the current version (3.6.2).

theall at tenablesecurity.com

More information about the VIM mailing list