Oracle AutoVue 20.0.1 AutoVueX ActiveX Control ExportEdaBom Remote Code
Execution Vulnerability
tested against: Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2
download url of a test version:
http://www.oracle.com/technetwork/apps-tech/autovue/index.html
file:
AutoVueDemo2001.zip
Background:
the mentioned program installs an ActiveX control with the following
settings:
ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true
Because this control is marked "safe for scripting" and "safe for initialization",
Internet Explorer allows web pages to instantiate and script it.
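The following PowerShell script is an added example for checking how the control is registered on a test box, and it is not part of the original advisory or of the AutoVue product. It reads the registry entries that back the "safe for scripting" / "safe for initialization" flags listed above (the two COM component-category GUIDs under Implemented Categories) and the Internet Explorer kill bit (Compatibility Flags 0x400 under "ActiveX Compatibility"), and with -SetKillBit it sets the kill bit so IE refuses to load the control. The CLSID is the one from the advisory; the registry paths are the standard ones and assume a 32-bit install (see the note below), and the script assumes it is run elevated.

```powershell
# Added example (not from the original advisory): inspect the AutoVueX control's
# registration and optionally set the IE kill bit for it.
# Assumptions: run as Administrator; CLSID taken from the advisory; 32-bit hive.
param([switch]$SetKillBit)

$clsid = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'
# COM component categories that IE consults when the control implements no IObjectSafety
$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

$clsidKey  = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KILL_BIT  = 0x400   # COMPAT_FLAG for "kill bit": IE will not instantiate the control

if (-not (Test-Path $clsidKey)) {
    Write-Host "Control $clsid is not registered on this machine."
    return
}

# Binary path: (default) value of InprocServer32
$server = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
Write-Host "Binary path                       : $server"

# The safety flags are expressed as subkeys of Implemented Categories
$scriptSafe = Test-Path "$clsidKey\Implemented Categories\$catSafeForScripting"
$initSafe   = Test-Path "$clsidKey\Implemented Categories\$catSafeForInitializing"
Write-Host "Safe for scripting (registry)     : $scriptSafe"
Write-Host "Safe for initialization (registry): $initSafe"

# Kill bit state
$flags = 0
if (Test-Path $compatKey) {
    $flags = (Get-ItemProperty $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
}
$killed = ($flags -band $KILL_BIT) -ne 0
Write-Host "Kill bit set                      : $killed"

if ($SetKillBit -and -not $killed) {
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
        -Value ($flags -bor $KILL_BIT) -Type DWord
    Write-Host "Kill bit set for $clsid; Internet Explorer will no longer load this control."
}
```

Two caveats when reading the output: a control can also report itself safe at runtime through IObjectSafety, so an absent category subkey does not by itself prove that IE will refuse to script it; and on 64-bit Windows a 32-bit .ocx is registered under HKLM\SOFTWARE\Wow6432Node\..., so both the Classes\CLSID path and the ActiveX Compatibility path need the Wow6432Node prefix for the 32-bit browser.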
Vulnerability:
The mentioned class contains the vulnerable ExportEdaBom() method, from
the typelib:
...
Function ExportEdaBom (
ByVal sFileName As String ,
ByVal sFormat As String ,
ByVal bCurPage As Boolean ,
ByVal sAttributes As String
) As Boolean
...
which can be used to create or overwrite files with an arbitrary extension
in an arbitrary location, e.g. one of the automatic Startup folders.
By manipulating the fourth argument of this method it is possible to produce
a file that is a valid HTML Application (.hta).
The resulting file will launch operating system commands at the next
startup.
proof of concept code:
http://retrogod.altervista.org/9sg_autovue.zip
Modify the SRC parameter to point to PADS_Evaluation_board.pcb (just a
valid .pcb file).
//rgod