CVE-2008-5002
Published 2008-11-10
CVE-2008-5002: Insecure method vulnerability in the ChilkatCrypt2.ChilkatCrypt2.1 ActiveX control (ChilkatCrypt2.dll 4.3.2.1) in Chilkat Crypt ActiveX Component allows remote…
Priority: P355 · Severity: critical · CVSS 2.0 score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 40.66% (98.5th percentile)
Insecure method vulnerability in the ChilkatCrypt2.ChilkatCrypt2.1 ActiveX control (ChilkatCrypt2.dll 4.3.2.1) in Chilkat Crypt ActiveX Component allows remote attackers to create and overwrite arbitrary files via the WriteFile method. NOTE: this could be leveraged for code execution by creating executable files in Startup folders or by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chilkat_software | chilkat_crypt_activex_control | — | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable ActiveX control by ProgID 'ChilkatCrypt2.ChilkatCrypt2.1' or CLSID {3352B5B9-82E8-4FFD-9EB1-1A3E60056904} in browser script
- Monitor for WriteFile method calls from ChilkatCrypt2 ActiveX writing files to Startup folders or to C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\
- Alert on hcp:// protocol URI usage following ActiveX WriteFile activity, as the exploit chain uses hcp:// to trigger execution of the dropped payload
- Detect creation of .htm files in C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\ by browser processes, which is the staging path used by the exploit
- Flag use of compatUI.dll's RunApplication method from HCP context, as this is the execution primitive used to launch the dropped payload
Notes from sources:
- The exploit requires the victim to be browsing as Administrator; it will not work on versions of Windows newer than XP
- The vulnerability was unpatched at the time the Metasploit module was written; the latest version at that time was ChilkatCrypt2.DLL 4.4.4.0, so version checks should cover all versions up to and including 4.4.4.0
- The HCP filename used in the Metasploit module is hardcoded to 'msinfo', as other names do not work for the hcp:// execution chain
No detection rules found.
Exploit-DB: Chilkat Crypt - ActiveX WriteFile Unsafe Method (Metasploit) · 2010-09-20 · CVE-2008-5002
---
```ruby
##
# $Id: chilkat_crypt_writefile.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module's Rank, mixin includes and initialize() header are cut from this excerpt;
  #  the "< Msf::Exploit::Remote" superclass was dropped by HTML extraction and is restored here)
  'Name'        => 'Chilkat Crypt ActiveX WriteFile Unsafe Method',
  'Description' => %q{
    This module allows attackers to execute code via the 'WriteFile' unsafe method of
    Chilkat Software Inc's Crypt ActiveX control.

    This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to
    execute our payload immediately. However, this method requires that the victim user
```
Exploit-DB: Chilkat Crypt - ActiveX Arbitrary File Creation/Execution · 2008-11-03 · listed under CVE-2011-5289
---
Chilkat Crypt Activex Component Arbitrary File Creation/Execution
url: http://www.chilkatsoft.com
File: ChilkatCrypt2.dll
CLSID: {3352B5B9-82E8-4FFD-9EB1-1A3E60056904}
ProgID: ChilkatCrypt2.ChilkatCrypt2.1
Descr.: Chilkat Crypt2
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on Windows XP Professional SP3 all patched, with Internet Exp
Metasploit: Chilkat Crypt ActiveX WriteFile Unsafe Method
This module allows attackers to execute code via the 'WriteFile' unsafe method of Chilkat Software Inc's Crypt ActiveX control. This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to execute our payload immediately. However, this method requires that the victim user be browsing with Administrator. Additionally, this method will not work on newer versions of Windows. NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.
References:
- http://secunia.com/advisories/32513
- http://securityreason.com/securityalert/4571
- http://www.securityfocus.com/bid/32073
- http://www.vupen.com/english/advisories/2008/2998
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46315
- https://www.exploit-db.com/exploits/6963