______________________________________________________________________ NSOADV-2010-003: DATEV ActiveX Control remote command execution ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: DATEV DVBSExeCall ActiveX Control remote command execution Severity: Critical Advisory ID: NSOADV-2010-003 CVE Number: CVE-2010-0689 Found Date: 11.01.2010 Date Reported: 28.01.2010 Release Date: 25.02.2010 Author: Nikolas Sotiriu Mail: nso-research at sotiriu.de Website: http://sotiriu.de/ Twitter: http://twitter.com/nsoresearch Advisory-URL: http://sotiriu.de/adv/NSOADV-2010-003.txt Vendor: DATEV (http://www.datev.de/) Affected Products: DATEV Base System (Grundpaket Basis) Affected Component: DVBSExeCall Control ActiveX Control V.1.0.0.1 Remote Exploitable: Yes Local Exploitable: No Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: =========== DATEV eG is a German Company, which makes Software for tax advisors and lawyers. The affected Base System has to be installed on all systems that need DATEV Software. Description: ============ During the installation of the DATEV Base System (Grundpaket Basis) an ActiveX Control will be installed (DVBSExeCall.ocx), in which the function "ExecuteExe" is vulnerable to a command execution bug. Name: ActiveX-Control zum Öffnen von LEXinform und der InfoDB Vendor: DATEV eG Type: ActiveX-Steuerelement Version: 1.0.0.1 GUID: {C1CF8B56-3147-41A2-B9BF-79437EED7AFC} File: DVBSExeCall.ocx Folder: C:\DATEV\PROGRAMM\HLPDVBS\ Safe for Script: True Safe for Init: True IObjectSafety: False NOTE: The affected ActiveX Control will be installed by any DATEV Software, so each system with a DATEV installation is vulnerable. Proof of Concept : ================== Weaponized PoC demonstration video: +---------------------------------- http://sotiriu.de/demos/videos/nso-2010-003.html Solution: ========= DATEV Advisory +------------- http://www.datev.de/info-db/1080162 (German) Service-Release Paket V. 1.0 +--------------------------- http://www.datev.de/portal/ShowPage.do?pid=dpi&nid=96550 Disclosure Timeline (YYYY/MM/DD): ================================= 2010.01.11: Vulnerability found 2010.01.25: Initial contact per Online forms 2010.01.26: Initial vendor response 2010.01.26: Ask for a PGP Key and send the Disclosure Policy to vendor. [-] No Response 2010.01.28: Ask if vendor received my last email. 2010.01.28: Vendor is unable to use PGP. 2010.01.28: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.11) to Vendor 2010.01.29: Vendor acknowledges the reception of the advisory and start to develop a patch. 2010.02.02: Patch is finished. Vendor wishes to delay the release to the 2010.02.25. 2010.02.02: Changed release date to 2010.02.25. 2010.02.03: Patch is published 2010.02.25: Release of this Advisory