Oracle AutoVue 20.0.1 AutoVueX ActiveX Control SaveViewStateToFile Remote 
File Creation / Overwrite Vulnerability

tested against: Internet Explorer 8
                Microsoft Windows Server 2003 r2 sp2

download url of a test version: 
http://www.oracle.com/technetwork/apps-tech/autovue/index.html

file:
AutoVueDemo2001.zip

Background:

the mentioned program installs an ActiveX control with the following
settings:

ProgID: AUTOVUEX.AutoVueXCtrl.1
CLSID: {B6FCC215-D303-11D1-BC6C-0000C078797F}
Binary path: C:PROGRA~1avavwinAutoVueX.ocx
Safe for initialization (registry): true
Safe for scripting (registry): true

This control is marked "safe for scripting" and "safe for initialization",
Internet Explorer will allows scripting of this control.

Vulnerability:

The mentioned class contains the vulnerable SaveViewStateToFile() method, from
the typelib:

...
	/* DISPID=116 */
	/* VT_BOOL [11] */
	function SaveViewStateToFile(
		/* VT_BSTR [8]  */ $sFileName 
		)
	{
	}
...

which allows to create / overwrite files with arbitrary extensions
inside arbitrary locations. 

It was experimented that the content of theese files can be
partially controlled by passing a remote file to the 
RestoreViewStateFromFile() method.

The resulting file will look like this:

   0 : 6b 00 00 00 07 00 41 56 31 37 5f 32 00 0a 00 56 [k.....AV17_2...V]
  10 : 69 65 77 53 74 61 74 65 00 ff ff ff ff 00 00 01 [iewState........]
  20 : 00 00 00 01 00 00 00 6f 8f 96 d8 ca 22 71 c1 86 [.......o...."q..]
  30 : f0 ca b7 56 a0 b0 e0 00 00 00 00 00 00 00 00 41 [...V...........A] <----- controlled section (AAAA)
  40 : 41 41 41 59 fb bb 60 86 f0 ca b7 56 a0 b0 60 00 [AAAY..`....V..`.]
  50 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
  60 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    [...............]

poc, which overwrites boot.ini:

http://retrogod.altervista.org/9sg_autovueiii.zip
Mirror: http://www.exploit-db.com/sploits/9sg_autovueiii.zip