HP LoadRunner XUpload ActiveX control MakeHttpRequest file download

Added: 10/21/2009
CVE: CVE-2009-3693
BID: 36550

Background

HP LoadRunner is a software performance testing solution. HP LoadRunner includes the XUpload.ocx ActiveX control for performing file exchanges.

Problem

The MakeHttpRequest method of the XUpload.ocx ActiveX control downloads arbitrary files to the local system without any user confirmation. A web page controlled by an attacker can therefore write malicious commands to the system when the user loads it, which can lead to command execution.

Resolution

Set the kill bit for Class ID E87F6C8E-16C0-11D3-BEF7-009027438003 as described in Microsoft Knowledge Base Article 240797.
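The kill bit described above, applied and verified from an elevated PowerShell prompt. This is an added example, not code from the advisory or from HP; it assumes the registry location and flag value documented in Microsoft Knowledge Base Article 240797 (Compatibility Flags = 0x400) and that the function names are hypothetical.

```powershell
# Added example: set and verify the Internet Explorer ActiveX kill bit for the
# XUpload.ocx class ID named in this advisory (CVE-2009-3693).
# Registry path and flag value follow Microsoft KB 240797; run elevated.
$Clsid = '{E87F6C8E-16C0-11D3-BEF7-009027438003}'

# On 64-bit Windows, 32-bit Internet Explorer reads the Wow6432Node hive,
# so the kill bit is written under both locations when that hive exists.
$BasePaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BasePaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    # Hypothetical helper name; creates the per-CLSID key and sets the kill bit.
    param([string]$Clsid)
    foreach ($base in $BasePaths) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 0x400 is the kill bit: IE refuses to instantiate the control at all.
        New-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -PropertyType DWord -Value 0x400 -Force | Out-Null
    }
}

function Test-ActiveXKillBit {
    # Hypothetical helper name; reports whether the kill bit is present per hive.
    param([string]$Clsid)
    foreach ($base in $BasePaths) {
        $key   = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        # -band keeps the check correct even if other compatibility flags are set.
        [pscustomobject]@{ Key = $key; KillBitSet = [bool]($flags -band 0x400) }
    }
}

Set-ActiveXKillBit  -Clsid $Clsid
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```

Re-run Test-ActiveXKillBit after a reboot or Group Policy refresh to confirm nothing has reverted the setting.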

References

http://secunia.com/advisories/36898

Limitations

The exploit works on HP LoadRunner 9.5 and requires the user to load the exploit page in Internet Explorer 6 or 7.

After the user loads the exploit page, the exploit will succeed only after the user logs in again or reboots the system.

Platforms

Windows
