Oracle AutoVue 20.0.1 AutoVueX ActiveX Control ExportEdaBom Remote Code 
Execution Vulnerability

tested against: Internet Explorer 8
                Microsoft Windows Server 2003 r2 sp2

download url of a test version:



the mentioned program installs an ActiveX control with the following

ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true

This control is marked "safe for scripting" and "safe for initialization",
so Internet Explorer will allow scripting of this control.
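
Added example (not part of the original advisory): a read-only PowerShell
check of how the control listed above is registered on a host and whether
the Internet Explorer kill bit is set for its CLSID. The function name and
report fields are hypothetical and PowerShell 3.0 or later is assumed; the
category GUIDs and the 0x400 "Compatibility Flags" value are the standard
Windows ones.

```powershell
# Added example: report registration, "safe" categories and IE kill bit
# for the AutoVueX control. Read-only; changes nothing on the host.
$Clsid            = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'  # from the advisory
$CatSafeScripting = '{7DD95801-9882-11CF-9FA8-00AA00A5DDB6}'  # CATID_SafeForScripting
$CatSafeInit      = '{7DD95802-9882-11CF-9FA8-00AA00A5DDB6}'  # CATID_SafeForInitializing
$KillBit          = 0x400                                     # COMPAT_EVIL_DONT_LOAD

function Get-ActiveXExposure {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)

    # Native view first, then the 32-bit view used by 32-bit IE on x64.
    foreach ($view in '', 'WOW6432Node\') {
        $classKey  = "HKLM:\SOFTWARE\${view}Classes\CLSID\$Clsid"
        $compatKey = "HKLM:\SOFTWARE\${view}Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        if (-not (Test-Path -LiteralPath $classKey)) { continue }

        $binary = (Get-ItemProperty -LiteralPath "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = 0
        $compat = Get-ItemProperty -LiteralPath $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($compat) { $flags = [int]$compat.'Compatibility Flags' }

        [pscustomobject]@{
            View             = if ($view) { '32-bit' } else { 'native' }
            Binary           = $binary
            SafeForScripting = Test-Path -LiteralPath "$classKey\Implemented Categories\$CatSafeScripting"
            SafeForInit      = Test-Path -LiteralPath "$classKey\Implemented Categories\$CatSafeInit"
            KillBitSet       = ($flags -band $KillBit) -ne 0
        }
    }
}

$report = @(Get-ActiveXExposure -Clsid $Clsid)
if (-not $report) { Write-Output "Control $Clsid is not registered." }
foreach ($r in $report) {
    $r
    # Scriptable from a web page and not blocked: the exposure the advisory describes.
    if ($r.SafeForScripting -and -not $r.KillBitSet) {
        Write-Warning "$($r.View): scriptable from IE and no kill bit set for $Clsid"
    }
}
```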


The mentioned class contains the vulnerable ExportEdaBom() method, from
the typelib:

Function ExportEdaBom (
    ByVal sFileName As String,
    ByVal sFormat As String,
    ByVal bCurPage As Boolean,
    ByVal sAttributes As String
) As Boolean

which allows creating or overwriting files with arbitrary extensions
in arbitrary locations, e.g. automatic startup folders.
By manipulating the fourth argument of this method, it is possible to create
a valid application with an .hta extension.

The resulting file will launch operating system commands at the next

proof of concept code:
Modify the SRC parameter to point to PADS_Evaluation_board.pcb (just a
valid .pcb file).