ZDI-CAN-1434: Novell ZENWorks AdminStudio ISGrid.dll ActiveX Remote Code Execution Vulnerability

  • 7010665
  • 22-Aug-2012
  • 22-Aug-2012

Environment

AdminStudioSE10.0.iso
AdminStudioSE10SP1.iso

Situation

A vulnerability affecting the following products has been found: Novell ZENworks Admin Studio

Resolution

Cause

Vulnerability:
This software installs an ActiveX control with the following settings:

Binary path: C:\Program Files\AdminStudio\10.0\Tuner\System\ISGrid.dll
ProgID: ISHercules.Grid.1
CLSID: {1FDAAB76-810C-11D5-AB7C-00C04F09719A}
Implements IObjectSafety: True
Safe For Initialization (IObjectSafety): True
Safe For Scripting (IObjectSafety): True

According to the IObjectSafety interface, it is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control.
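The registration described above can be checked on a host, and the control blocked from loading in Internet Explorer with Microsoft's standard ActiveX kill bit (Compatibility Flags 0x400). This is an added example, not part of the original advisory and not Novell's stated resolution; the -SetKillBit switch name is an assumption of this example, and setting the flag requires an elevated session.

```powershell
# Added example: audit (and optionally set) the IE kill bit for the ISGrid.dll control.
param([switch]$SetKillBit)   # hypothetical switch name; needs an elevated session

$clsid   = '{1FDAAB76-810C-11D5-AB7C-00C04F09719A}'   # CLSID from this advisory
$killBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD
$valName = 'Compatibility Flags'

# Native and 32-bit (WOW64) registry views; the 32-bit view applies to 32-bit IE on x64.
$roots = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'

$results = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }          # no WOW6432Node on 32-bit Windows
    $server = "$root\Classes\CLSID\$clsid\InprocServer32"
    $compat = "$root\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

    # Default value of InprocServer32 is the DLL path, if the control is registered here.
    $dll = if (Test-Path $server) { (Get-Item $server).GetValue('') } else { $null }

    if ($SetKillBit) {
        if (-not (Test-Path $compat)) { New-Item -Path $compat -Force | Out-Null }
        $old = (Get-ItemProperty -Path $compat -Name $valName -ErrorAction SilentlyContinue).$valName
        # OR the bit in so any compatibility flags already present are preserved.
        Set-ItemProperty -Path $compat -Name $valName -Type DWord -Value ([int]$old -bor $killBit)
    }

    $flags = (Get-ItemProperty -Path $compat -Name $valName -ErrorAction SilentlyContinue).$valName
    [pscustomobject]@{
        View       = $root
        Registered = [bool]$dll
        Dll        = $dll
        Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(not set)' }
        KillBitSet = [bool]([int]$flags -band $killBit)
    }
}
$results | Format-Table -AutoSize
```

A host where Registered is True and KillBitSet is False in either view still lets Internet Explorer instantiate the control from script.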

Status

Security Alert

Additional Information

The mentioned class has a hidden method named DoFindReplace()

From the typelib:
...
/* DISPID=1585 */
function DoFindReplace(
/* VT_BSTR [8] */ $bstrSearchText,
/* VT_BSTR [8] */ $bstrReplaceText,
/* VT_UI4 [19] */ $dwOptions,
/* VT_PTR [26] --> VT_BOOL [11] */ &$vbFound
) {
}
...

The second argument is vulnerable to an exploitable memory corruption