HP LoadRunner micWebAjax.dll ActiveX NotifyEvent Method Vulnerability

Added: 09/30/2013
CVE: CVE-2013-2368
BID: 61436
OSVDB: 95639

Background

HP LoadRunner is a software performance testing solution. HP LoadRunner includes the micWebAjax ActiveX control.

Problem

HP LoadRunner before 11.52 is vulnerable to remote code execution because the NotifyEvent method in the micWebAjax.dll ActiveX control fails to sanitize user-supplied input. A remote attacker who persuades a user to open a crafted page can cause stack corruption, which could lead to arbitrary code execution in the context of the web browser.

Resolution

Upgrade to HP LoadRunner 11.52 or newer.

References

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03862772

Limitations

Exploit works on HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn).

The user must open the exploit in Internet Explorer 8 or 9.

Platforms

Windows
