Microsoft Rich Textbox ActiveX control SaveFile vulnerability

Added: 10/07/2008
CVE: CVE-2008-0237
BID: 27201
OSVDB: 40234

Background

Microsoft Rich Textbox is an ActiveX control which comes with Visual Basic and allows creation of formatted text in RTF files. It is located in the Richtx32.ocx file.

Problem

The SaveFile method in the Rich Textbox ActiveX control allows web pages to create or overwrite arbitrary files.

Resolution

Set the kill bits for Class IDs 3B7C8860-D78F-101B-B9B5-04021C009402 and B617B991-A767-4F05-99BA-AC6FCABB102E as described in Microsoft Knowledge Base Article 240797.
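
The following PowerShell script is an added example, not part of the original advisory. It sets and verifies the kill bit for the two Class IDs above. It assumes the mechanism documented in Knowledge Base Article 240797 (a "Compatibility Flags" DWORD with bit 0x400 under the Internet Explorer "ActiveX Compatibility" registry key) and an elevated prompt. The function names are illustrative.

```powershell
# Added example: set and verify the ActiveX kill bit for the two Class IDs in this advisory.
# Assumption: run from an elevated PowerShell prompt on the affected host.
$KillBit  = 0x400   # "Compatibility Flags" bit that stops Internet Explorer from loading the control
$ClassIds = @(
    '{3B7C8860-D78F-101B-B9B5-04021C009402}',
    '{B617B991-A767-4F05-99BA-AC6FCABB102E}'
)
# Native registry view, plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Return the current flags value, or 0 when the key or value does not exist.
    $item = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Set-KillBit([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the bit in so that any other compatibility flags already present are preserved.
    $flags = (Get-CompatFlags $Key) -bor $KillBit
    New-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
}

foreach ($root in $Roots) {
    # Skip a registry view that is absent (for example, no WOW6432Node on 32-bit Windows).
    $parent = Split-Path -Path $root -Parent
    if (-not (Test-Path -LiteralPath $parent)) { continue }
    foreach ($clsid in $ClassIds) {
        $key = Join-Path $root $clsid
        Set-KillBit $key
        # Read the value back and report whether the kill bit is now present.
        $ok = ((Get-CompatFlags $key) -band $KillBit) -eq $KillBit
        '{0}  kill bit set: {1}' -f $key, $ok
    }
}
```

Internet Explorer must be restarted before the change takes effect.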

References

http://www.milw0rm.com/exploits/4874

Limitations

The exploit works on Microsoft Visual Studio 6.0 and requires a user to load the exploit page into Internet Explorer. In order for the exploit to succeed, the Rich Textbox ActiveX control needs to be marked Safe for Scripting or the Internet Explorer security settings need to allow scripting of ActiveX controls not marked Safe for Scripting. Neither of these conditions is true by default.

The shell connection will only take place after the user reboots.

This exploit requires the ability to bind to port 69/UDP on the SAINTexploit host.

Platforms

Windows 2000
Windows XP
