CVE-2013-6128
published 2013-10-25CVE-2013-6128: The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile…
PriorityP339medium5.8CVSS 2.0
AVNACMAuNCNIPAP
EXPLOIT
EPSS
2.56%
83.1th percentile
The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingview | <= 6.52 | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
WellinTech KingView ActiveX Vulnerabilities
cisa_ics·2013-09-13
WellinTech KingView ActiveX Vulnerabilities
## Archived Content In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
##
WellinTech KingView ActiveX Vulnerabilities
Last RevisedDecember 17, 2013
Alert CodeICSA-13-295-01
## OVERVIEW
This advisory is a follow-up to the alert titled ICS-ALERT-13-256-01 WellinTech KingView ActiveX VulnerabilitiesICS-ALERT-13-256-01 WellinTech KingView ActiveX Vulnerabilities, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-13-256-01, Web site last accessed October 22, 2013. that was published September 13, 2013, on the NCCIC/ICS-CERT Web site.
Independent researcher “Blake” identified ActiveX vulnerabilities and released proof-of-concept (exploit) code for WellinTech Ki
GHSA
GHSA-52x6-3hmc-r83m: The KCHARTXYLib
ghsa_unreviewed·2022-05-17
CVE-2013-6128 [MEDIUM] GHSA-52x6-3hmc-r83m: The KCHARTXYLib
The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack.
No detection rules found.
Exploit-DB
Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
exploitdb·2015-12-09
CVE-2015-6128 Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
Microsoft Office / COM Object - 'els.dll' DLL Planting (MS15-134)
---
Source: https://code.google.com/p/google-security-research/issues/detail?id=514
It is possible for an attacker to execute a DLL planting attack in Microsoft Office with a specially crafted OLE object. Testing was performed on a Windows 7 x64 virtual machine with Office 2013 installed and the latest updates applied. The attached POC document "planted.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {394c052e-b830-11d0-9a86-00c04fd8dbf7} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of els.dll. Other options include: {975797fc-4e2a-11d0-b702-00c04fd8dbf7} and {f778c6b4-c08b-11d2-976c-00
Exploit-DB
KingView 6.53 - 'KChartXY' ActiveX File Creation / Overwrite
exploitdb·2013-09-04
CVE-2013-6128 KingView 6.53 - 'KChartXY' ActiveX File Creation / Overwrite
KingView 6.53 - 'KChartXY' ActiveX File Creation / Overwrite
---
arg1="..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\WINDOWS\win.ini"
target.SaveToFile arg1
2013-10-25
Published