Lucene search
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.ACER_LUNCHAPP_ACTIVEX_CODE_EXEC.NASLHistoryJan 12, 2007 - 12:00 a.m.
Acer LunchApp.APlunch ActiveX Arbitrary Command Execution
2007-01-1200:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
18
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.225
Percentile
96.5%
The remote host contains an ActiveX control from Acer called LunchApp.APlunch that is reportedly shipped with notebook computers from that manufacturer and is marked as ‘safe for scripting’ and ‘safe for initializing from persistent data’. By tricking a user on the affected host into visiting a specially crafted web page, an attacker can pass arbitrary commands to the ‘Run’ method that will be executed on the remote host subject to the user’s privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(24012);
script_version("1.16");
script_cvs_date("Date: 2018/11/15 20:50:26");
script_cve_id("CVE-2006-6121");
script_bugtraq_id(21207);
script_name(english:"Acer LunchApp.APlunch ActiveX Arbitrary Command Execution");
script_summary(english:"Checks for Acer LunchApp.APlunch ActiveX control");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that allows arbitrary
code execution.");
script_set_attribute(attribute:"description", value:
"The remote host contains an ActiveX control from Acer called
LunchApp.APlunch that is reportedly shipped with notebook computers
from that manufacturer and is marked as 'safe for scripting' and 'safe
for initializing from persistent data'. By tricking a user on the
affected host into visiting a specially crafted web page, an attacker
can pass arbitrary commands to the 'Run' method that will be executed
on the remote host subject to the user's privileges.");
script_set_attribute(attribute:"see_also", value:"http://vuln.sg/acerlunchapp-en.html");
script_set_attribute(
attribute:"see_also",
value:"http://www.acer.com/worldwide/support/#APP"
);
script_set_attribute(attribute:"solution", value:"Run the security patch referenced in the vendor advisory above.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/19");
script_set_attribute(attribute:"patch_publication_date", value:"2007/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name = kb_smb_name();
port = kb_smb_transport();
#if (!get_port_state(port)) exit(0);
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
#soc = open_sock_tcp(port);
#if (!soc) exit(0);
#session_init(socket:soc, hostname:name);
if (!smb_session_init()) exit(0);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
exit(0);
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(0);
}
# Determine if the control is installed.
clid = "D9998BD0-7957-11D2-8FED-00606730D3AA";
key = "SOFTWARE\Classes\CLSID\{" + clid + "}\InprocServer32";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
file = NULL;
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:NULL);
if (!isnull(value)) file = value[1];
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
# If it is...
if (file)
{
# Determine the version from the DLL itself.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
ocx = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(0);
}
# Make sure the control exists.
fh = CreateFile(
file:ocx,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
if (!isnull(fh))
{
CloseFile(handle:fh);
report = string(
"\n",
"Acer's LunchApp.APlunch ActiveX control is installed as :\n",
"\n",
" ", file, "\n"
);
security_hole(port:port, extra:report);
}
}
# Clean up.
NetUseDel();
Related
cert
cert
Acer LunchApp ActiveX Control fails to properly restrict access to methods
2007-01-12 00:00:00
nvd
nvd
CVE-2006-6121
2006-11-26 23:07:00
CVE-2009-2627
2009-08-19 17:30:01
cvelist
cvelist
CVE-2006-6121
2006-11-26 23:00:00
CVE-2009-2627
2009-08-19 17:00:00
exploitdb
exploitdb
Acer LunchApp.APlunch - ActiveX Control Command Execution
2006-11-30 00:00:00
cve
cve
CVE-2006-6121
2006-11-26 23:07:00
CVE-2009-2627
2009-08-19 17:30:01
nessus
nessus
Acer AcerCtrls.APlunch ActiveX Arbitrary Command Execution
2009-08-21 00:00:00
prion
prion
Security feature bypass
2009-08-19 17:30:00
CVSS2
9.3
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
0.225
Percentile
96.5%
Related for ACER_LUNCHAPP_ACTIVEX_CODE_EXEC.NASL