search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Cenroll ActiveX Control allows creation of arbitrary files.

Vulnerability Note VU#3062

Original Release Date: 2000-12-14 | Last Revised: 2001-08-10

Overview

The ActiveX control Cenroll permits unauthorized users to create files on the local system.

Description

The ActiveX control "Cenroll" (clsid: 43F8F289-7A20-11D0-8F06-00C04FC295E1), which is ordinarily marked safe-for-scripting allows callers to create files and write to the registry with the permissions of the process running the control. The Cenroll control is contained in the xenroll.dll library.

Using the call Enroll.createFilePKCS10 an attacker can create a file with an arbitrary name containing the base-64-encoded contents of a PCKS#10 request which can then be submitted to a Certificate Authority for processing. Nothing restricts the name or size of the file that can be created.

Impact

An attacker can create files with arbitrary names. The contents of the file can be influenced by the intruder, but it is unclear if the influence can be leveraged in any useful way.

Solution

The latest versions of Windows address this problem by limiting the number of times the control can be called before issuing a "denial-of-service" error message. (See Q242366). This prevents attackers from using the control simply to create large numbers of files. To the best of our knowledge, there does not exist a general purpose fix to the problem.

Vendor Information

3062
Expand all

Microsoft

Updated:  December 14, 2000

Status

  Vulnerable

Vendor Statement

Information about this problem can be found in http://support.microsoft.com/support/kb/articles/Q242/3/66.ASP

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Richard Smith of Phar Lap Software who reported this problem to us.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: None
Severity Metric: 3.15
Date Public: 1999-07-29
Date First Published: 2000-12-14
Date Last Updated: 2001-08-10 15:27 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.