nessusThis script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.AKAMAI_DLM_ACTIVEX_2_2_3_7.NASL
HistoryJun 05, 2008 - 12:00 a.m.

Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download

2008-06-0500:00:00
This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
9

The Windows remote host contains the Download Manager ActiveX control from Akamai, which helps users download content.

The version of this ActiveX control on the remote host is reportedly affected by a parameter injection vulnerability that could be exploited to download arbitrary files and place them in arbitrary locations on the affected host, such as the ‘Startup’ folder used by Windows. If an attacker can trick a user on the affected host into visiting a specially crafted web page, the flaw could be used to execute arbitrary code on the affected system, subject to the user’s privileges.

#%NASL_MIN_LEVEL 70300
#
#  (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration block: when 'description' is set the plugin only declares its
# metadata (IDs, references, text, risk data, prerequisites) and then leaves
# via exit(0) below; none of the detection logic further down the file runs.
if (description)
{
  script_id(33102);
  script_version("1.18");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # Cross-references to the vulnerability record and to third-party advisories.
  script_cve_id("CVE-2008-1770");
  script_xref(name:"EDB-ID", value:"5741");
  script_xref(name:"SECUNIA", value:"30537");

  # NOTE(review): the title says "< 2.2.3.6", but the solution text below and
  # the version comparison later in this file (fix:"2.2.3.7") both use 2.2.3.7.
  # Confirm the fixed version against the vendor advisory before relying on
  # the title when triaging.
  script_name(english:"Akamai Download Manager ActiveX Control < 2.2.3.6 Arbitrary File Download");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that allows arbitrary
file downloads.");
  script_set_attribute(attribute:"description", value:
"The Windows remote host contains the Download Manager ActiveX control
from Akamai, which helps users download content.

The version of this ActiveX control on the remote host reportedly is
affected by a parameter injection vulnerability that could be
exploited to download arbitrary files and place them in arbitrary
locations on the affected host, such as the 'Startup' folder used by
Windows.  If an attacker can trick a user on the affected host into
visiting a specially crafted web page, this method could be used to
execute arbitrary code on the affected system subject to the user's
privileges.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Jun/59");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/493077/30/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.2.3.7 or later of the control.");
  # CVSS v2 vector: network attack vector, medium access complexity, no
  # authentication, complete impact on confidentiality, integrity and
  # availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-94: improper control of generation of code (code injection).
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/05");

  # "local" plugin type: presumably the finding comes from registry and file
  # data read from the host itself rather than from probing a listening
  # service; see the SMB prerequisites below.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # The detection loop later in this file stops at the first affected CLSID
  # unless thorough_tests is enabled.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the SMB/Registry/Enumerated KB key must be set and SMB
  # (ports 139/445) must be reachable. Presumably smb_hotfixes.nasl is what
  # populates that key - verify against that plugin.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


# Precondition: without the SMB/Registry/Enumerated KB entry there is nothing
# to inspect, so leave quietly.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Initialise the ActiveX helper library; abort with an error if that fails.
if (activex_init() != ACX_OK)
  exit(1, "ActiveX initialization failed.");

# CLSIDs that are looked up for the control.
candidate_clsids = make_list(
  "{4871A87A-BFDD-4106-8153-FFDE2BAC2967}",
  "{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}",
  "{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}"
);

# 'info' accumulates one entry per affected registration; it stays NULL when
# nothing is found, which the reporting code uses as "no finding".
info = NULL;
foreach id (candidate_clsids)
{
  # No file registered for this CLSID: nothing to evaluate.
  ocx_path = activex_get_filename(clsid:id);
  if (!ocx_path) continue;

  # A version string is needed both for the comparison and for the report.
  ocx_ver = activex_get_fileversion(clsid:id);
  if (!ocx_ver) continue;

  # Fixed version of DownloadManagerV2.ocx == 2.2.3.7
  if (activex_check_fileversion(clsid:id, fix:"2.2.3.7") != TRUE) continue;

  # The kill bit is consulted only when report_paranoia is 1 or lower; in that
  # case a control whose kill bit lookup returns anything other than 0 is not
  # reported. With report_paranoia > 1 the lookup is skipped entirely, so
  # findings may include controls that already have the kill bit set.
  reportable = (report_paranoia > 1 || activex_get_killbit(clsid:id) == 0);
  if (!reportable) continue;

  info += '  - ' + id + '\n' +
          '    ' + ocx_path + ', ' + ocx_ver + '\n';

  # One hit is enough to flag the host unless thorough tests were requested.
  if (!thorough_tests) break;
}

activex_end();

# Report the finding. 'info' is only non-NULL when at least one affected
# registration of the control was recorded by the detection loop.
if (info)
{
  if (report_verbosity > 0)
  {
    # The closing paragraph tells the reader whether the kill bit was actually
    # evaluated, which matters when triaging: in paranoid mode the listed
    # controls may already be blocked in Internet Explorer.
    if (report_paranoia > 1)
      kill_bit_note = string(
        "Note that Nessus did not check whether the kill bit was set for\n",
        "the control(s) because of the Report Paranoia setting in effect\n",
        "when this scan was run.\n"
      );
    else
      kill_bit_note = string(
        "Moreover, the kill bit was  not set for the control(s) so they\n",
        "are accessible via Internet Explorer.\n"
      );

    # Common header, the per-control list, then the mode-specific note.
    report = string(
      "\n",
      "Nessus found the following affected control(s) installed :\n",
      "\n",
      info,
      "\n",
      kill_bit_note
    );
    security_hole(port:kb_smb_transport(), extra:report);
  }
  else
  {
    # Verbosity disabled: raise the finding without the detailed listing.
    security_hole(kb_smb_transport());
  }
}