Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
2003-06-23T00:00:00
ID EDB-ID:22816 Type exploitdb Reporter Cesar Cerrudo Modified 2003-06-23T00:00:00
Description
Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability. CVE-2003-0470. Dos exploit for windows platform
source: http://www.securityfocus.com/bid/8008/info
It has been reported that the RuFSI Utility Class is vulnerable to a boundary condition error when invoked with long strings. This could potentially lead to the execution of code with the privileges of the user executing the web browser.
<object classid="clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE" id="test">
</object>
<script>
test.CompareVersionStrings("long string here","or long string here")
</script>
{"id": "EDB-ID:22816", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability", "description": "Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability. CVE-2003-0470. Dos exploit for windows platform", "published": "2003-06-23T00:00:00", "modified": "2003-06-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/22816/", "reporter": "Cesar Cerrudo", "references": [], "cvelist": ["CVE-2003-0470"], "lastseen": "2016-02-02T19:36:36", "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2016-02-02T19:36:36", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0470"]}, {"type": "osvdb", "idList": ["OSVDB:2208"]}, {"type": "cert", "idList": ["VU:527228"]}], "modified": "2016-02-02T19:36:36", "rev": 2}, "vulnersScore": 7.5}, "sourceHref": "https://www.exploit-db.com/download/22816/", "sourceData": "source: http://www.securityfocus.com/bid/8008/info\r\n\r\nIt has been reported that the RuFSI Utility Class is vulnerable to a boundary condition error when invoked with long strings. This could potentially lead to the execution of code with the privileges of the user executing the web browser. \r\n\r\n<object classid=\"clsid:69DEAF94-AF66-11D3-BEC0-00105AA9B6AE\" id=\"test\">\r\n</object>\r\n\r\n<script>\r\ntest.CompareVersionStrings(\"long string here\",\"or long string here\")\r\n</script>\r\n\r\n", "osvdbidlist": ["2208"]}
{"cve": [{"lastseen": "2020-10-03T11:33:02", "description": "Buffer overflow in the \"RuFSI Utility Class\" ActiveX control (aka \"RuFSI Registry Information Class\"), as used for the Symantec Security Check service, allows remote attackers to execute arbitrary code via a long argument to CompareVersionStrings.", "edition": 3, "cvss3": {}, "published": "2003-08-07T04:00:00", "title": "CVE-2003-0470", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0470"], "modified": "2017-07-11T01:29:00", "cpe": ["cpe:/a:symantec:security_check:*"], "id": "CVE-2003-0470", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0470", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:symantec:security_check:*:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0470"], "edition": 1, "description": "## Vulnerability Description\nSymantec Security Check contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable system. The issue is due to the Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class ActiveX controls which contain a buffer overflow. With a specially crafted web page, an attacker can overflow the buffer which will allow remote code execution on a system with these ActiveX controls installed.\n## Solution Description\nVisit the Symantec Security Check web site and re-run the Security Check. This will update the old and potentially vulnerable ActiveX control.\n## Short Description\nSymantec Security Check contains a flaw that allows a remote attacker to execute arbitrary code on a vulnerable system. The issue is due to the Symantec RuFSI Utility Class or Symantec RuFSI Registry Information Class ActiveX controls which contain a buffer overflow. With a specially crafted web page, an attacker can overflow the buffer which will allow remote code execution on a system with these ActiveX controls installed.\n## References:\n[Vendor Specific Advisory URL](http://securityresponse.symantec.com/avcenter/security/Content/2003.06.25.html)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-06/0194.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-06/0185.html\nISS X-Force ID: 12423\n[CVE-2003-0470](https://vulners.com/cve/CVE-2003-0470)\nCERT VU: 527228\nBugtraq ID: 8008\n", "modified": "2003-06-23T13:40:44", "published": "2003-06-23T13:40:44", "href": "https://vulners.com/osvdb/OSVDB:2208", "id": "OSVDB:2208", "type": "osvdb", "title": "Symantec Security Check RuFSI ActiveX Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:44:12", "bulletinFamily": "info", "cvelist": ["CVE-2003-0470"], "description": "### Overview \n\nThere is a buffer overflow in a component of Symantec's web-based Security Check.\n\n### Description \n\nSymantec [describes](<http://www.sarc.com/avcenter/security/Content/2003.06.25.html>) Security Check as \"a free web-based tool that enables users to test their computer's exposure to a wide range of on-line threats. As part of running the check, users may install an ActiveX Control, which remains on the user's system even after the check has completed.\" A buffer overflow has been discovered in the ActiveX control that is distributed from Symantec's web-based Security Check web site. For further technical details, please see the following documents:\n\n * [Cesar Cerrudo's advisory](<http://lists.netsys.com/pipermail/full-disclosure/2003-June/010692.html>)\n * [Symantec's advisory](<http://www.sarc.com/avcenter/security/Content/2003.06.25.html>) \n--- \n \n### Impact \n\nAny user that visited Symantec's Security Check web site before June 25, 2003, when Symantec replaced the vulnerable ActiveX control, is likely to have the vulnerable control on their system. The only way to get rid of the control is to either visit Symantec's Security Check web site and run another Security Scan, or manually remove the vulnerable control. Users not following, or unaware of, either of these courses of action may be subject to an attacker installing and/or invoking a vulnerable version of the control on their system.This type of behavior could be averted by making use of Microsoft's [SiteLock Template](<http://msdn.microsoft.com/downloads/samples/internet/default.asp?url=/downloads/samples/internet/components/SiteLock/default.asp>). This template \"enables an ActiveX developer to restrict access so that the control is only deemed safe in a predetermined list of domains. This limits the ability of Web page authors to reuse the control for malicious purposes.\" Unfortunately, this Symantec ActiveX control does not make use of the SiteLock Template. \n \n--- \n \n### Solution \n\nSymantec has replaced the vulnerable ActiveX control on their web site, and they [recommend](<http://www.sarc.com/avcenter/security/Content/2003.06.25.html>) the following: \n`Recent visitors to Symantec Security Check should revisit the site and run a new Security Scan. By running a new scan, the previous ActiveX Control will be replaced by an updated ActiveX Control that fixes the buffer overflow condition. Advanced users can attempt to delete the ActiveX Control by rebooting and then going into the system folder: %SystemRoot%\\Downloaded Program Files\\ and delete \"rufsi.dll\". This must be done by using the command prompt and the user must not be on the Symantec Security Check site at the time. A removal tool has been developed and can be found `[`here`](<http://www.sarc.com/avcenter/security/Content/2003.06.25a.html>)`.` \n \n--- \n \n### Vendor Information\n\n527228\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Symantec Corporation __ Affected\n\nUpdated: July 15, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.sarc.com/avcenter/security/Content/2003.06.25.html>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23527228 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://msdn.microsoft.com/downloads/samples/internet/default.asp?url=/downloads/samples/internet/components/SiteLock/default.asp>\n * <http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=10810471>\n * <http://www.sarc.com/avcenter/security/Content/2003.06.25a.html>\n * <http://www.sarc.com/avcenter/security/Content/2003.06.25.html>\n * <http://securitytracker.com/alerts/2003/Jun/1007029.html>\n * <http://www.cert.org/reports/activeX_report.pdf>\n * <http://www.secunia.com/advisories/9091/>\n * <http://www.securityfocus.com/bid/8008>\n * <http://xforce.iss.net/xforce/xfdb/12423>\n\n### Acknowledgements\n\nThis vulnerability was discovered by Cesar Cerrudo.\n\nThis document was written by Ian A Finlay.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2003-0470](<http://web.nvd.nist.gov/vuln/detail/CVE-2003-0470>) \n---|--- \n**Severity Metric:** | 3.60 \n**Date Public:** | 2003-06-23 \n**Date First Published:** | 2003-07-21 \n**Date Last Updated: ** | 2003-09-30 22:01 UTC \n**Document Revision: ** | 39 \n", "modified": "2003-09-30T22:01:00", "published": "2003-07-21T00:00:00", "id": "VU:527228", "href": "https://www.kb.cert.org/vuls/id/527228", "type": "cert", "title": "Symantec ActiveX control vulnerable to buffer overflow", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}