Vulnerabilities > CVE-2012-1065 - Insecure Method vulnerability in 2X Applicationserver 10.1

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
2x
nessus
exploit available

Summary

Insecure method vulnerability in TuxScripting.dll in the TuxSystem ActiveX control in 2X ApplicationServer 10.1 Build 1224 allows remote attackers to create or overwrite arbitrary files via the ExportSettings method.

Vulnerable Configurations

Part Description Count
Application
2X
1

Exploit-Db

description2X ApplicationServer 10.1 TuxSystem Class ActiveX Control Remote File Overwrite Vulnerability. CVE-2012-1065. Remote exploit for windows platform
idEDB-ID:18625
last seen2016-02-02
modified2012-03-19
published2012-03-19
reporterrgod
sourcehttps://www.exploit-db.com/download/18625/
title2X ApplicationServer 10.1 TuxSystem Class ActiveX Control Remote File Overwrite Vulnerability

Nessus

NASL familyWindows
NASL id2X_APPLICATIONSERVER_ACTIVEX_FILE_OVERWRITE.NASL
descriptionThe install of the 2X ApplicationServer TuxSystem ActiveX control on the remote host reportedly could be abused to create or overwrite arbitrary files on the affected host using its
last seen2020-06-01
modified2020-06-02
plugin id58484
published2012-03-26
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/58484
title2X ApplicationServer TuxSystem ActiveX ExportSettings() Method Arbitrary File Overwrite
code

# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(58484);
  script_version("1.7");
  script_cvs_date("Date: 2018/06/27 18:42:26");

  script_cve_id("CVE-2012-1065");
  script_bugtraq_id(51856);
  script_xref(name:"EDB-ID", value:"18625");
  script_xref(name:"Secunia", value:"47657");

  script_name(english:"2X ApplicationServer TuxSystem ActiveX ExportSettings() Method Arbitrary File Overwrite");
  script_summary(english:"Checks if the kill bit is set");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has an ActiveX control that is affected by a
file overwrite vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The install of the 2X ApplicationServer TuxSystem ActiveX control on
the remote host reportedly could be abused to create or overwrite
arbitrary files on the affected host using its 'ExportSettings()'
method. 

By tricking a user into opening a specially crafted web page, a
remote, unauthenticated attacker can overwrite files on the affected
system subject to the user's privileges."
  );
  script_set_attribute(
    attribute:"solution",
    value:"Remove or disable the control as fixes are not available."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/26");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:2x:applicationserver");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
  script_require_ports(139, 445);

  exit(0);
}

include('smb_func.inc');
include('smb_activex_func.inc');
include('misc_func.inc');
include('global_settings.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (activex_init() != ACX_OK) exit(1, 'activex_init() failed.');

clsid = '{5BD64392-DA66-4852-9715-CFBA98D25296}';

# Make sure the control is installed
file = activex_get_filename(clsid:clsid);
if (isnull(file))
{
  activex_end();
  exit(1, "activex_get_filename() returned NULL.");
}
if (!file)
{
  activex_end();
  exit(0, "The control is not installed since the class id '"+clsid+"' is not defined on the remote host.");
}

# Get its version
version = activex_get_fileversion(clsid:clsid);
if (!version) version = 'unknown';

info = "";
if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
{
  info +=
    '\n  Class identifier  : ' + clsid +
    '\n  Filename          : ' + file +
    '\n  Installed version : ' + version + '\n';
}
activex_end();

# Report findings.
if (info)
{
  if (report_paranoia > 1)
  {
    report = info +
      '\n' +
      'Note, though, that Nessus did not check whether the kill bit was\n' +
      "set for the control's CLSID because of the Report Paranoia setting" + '\n' +
      'in effect when this scan was run.\n';
  }
  else
  {
    report = info +
      '\n' +
      'Moreover, its kill bit is not set so it is accessible via Internet\n' +
      'Explorer.\n';
  }

  if (report_verbosity > 0) security_warning(port:kb_smb_transport(), extra:report);
  else security_warning(kb_smb_transport());

  exit(0);
}
else exit(0, "The control is installed, but its kill bit is set.");

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/110970/2xapplicationserver-overwrite.txt
idPACKETSTORM:110970
last seen2016-12-05
published2012-03-19
reporterrgod
sourcehttps://packetstormsecurity.com/files/110970/2X-Application-Server-10.1-File-Overwrite.html
title2X Application Server 10.1 File Overwrite