nessusThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.BLACKBERRY_INTELLISYNC_ACTIVEX_CMD_EXEC.NASL
HistoryNov 04, 2009 - 12:00 a.m.

BlackBerry Desktop Manager Intellisync ActiveX Control Arbitrary Remote Code Execution

2009-11-04 00:00:00
This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
www.tenable.com
17

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.02

Percentile

89.1%

The version of the Lotus Notes Intellisync component (‘lnsresobject.dll’) included with the BlackBerry Desktop Software installation on the remote host reportedly contains an unspecified error that can be exploited to execute arbitrary code.

If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage this issue to execute arbitrary code on the affected system subject to the user’s privileges.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration stanza. When the scanner loads the plugin with 'description'
# set, only this block runs: it registers identifiers, advisory text, scoring
# and scheduling requirements, then exits without contacting the target.
if (description)
{
  # Plugin identity and revision.
  script_id(42370);
  script_version("1.14");

  # External references used to correlate this finding with other feeds.
  script_cve_id("CVE-2009-0306");
  script_bugtraq_id(36903);
  script_xref(name:"Secunia", value:"37244");

  script_name(english:"BlackBerry Desktop Manager Intellisync ActiveX Control Arbitrary Remote Code Execution");
  script_summary(english:"Checks for the control");
 
  # NOTE(review): the synopsis string below reads "that is allows"; the text is
  # shown to users as-is, so the typo is left for the plugin owner to correct.
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has an ActiveX control that is allows remote
execution of arbitrary code."
  );
  # The advisory text describes the flaw as "unspecified" and client-side: it
  # needs a user on the host to open attacker-supplied HTML, and the resulting
  # code runs with that user's privileges.
  script_set_attribute(
    attribute:"description", 
    value:
"The version of the Lotus Notes Intellisync component
('lnsresobject.dll') included with the BlackBerry Desktop Software
installation on the remote host reportedly contains an unspecified 
error that can be exploited to execute arbitrary code.

If an attacker can trick a user on the affected host into viewing a
specially crafted HTML document, he can leverage this issue to execute
arbitrary code on the affected system subject to the user's
privileges."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://salesforce.services.blackberry.com/kbredirect/viewContent.do?externalId=KB19701"
  );
  # Remediation is a product upgrade; the script body separately looks at the
  # control's kill bit when deciding whether to report.
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade to BlackBerry Desktop Software version 5.0.1 or later."
  );
 # CVSS v2 base vector: network-reachable, medium complexity (user interaction),
 # no authentication, complete C/I/A impact. Temporal vector: exploit unproven
 # (E:U), official fix available (RL:OF), report confirmed (RC:C).
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-119 is the broad memory-buffer-bounds class; the advisory text itself
 # gives no more specific root cause.
 script_cwe_id(119);
  # Disclosure and patch share the same date; the plugin followed a day later.
  script_set_attribute(
    attribute:"vuln_publication_date",
    value:"2009/11/03"
  );
  script_set_attribute(
    attribute:"patch_publication_date",
    value:"2009/11/03"
  );
  script_set_attribute(
    attribute:"plugin_publication_date",
    value:"2009/11/04"
  );
 script_cvs_date("Date: 2018/11/15 20:50:26");
  # "local" plugin type: the result comes from data read off the host rather
  # than from probing a listening service.
  # NOTE(review): presumably this needs scan credentials with registry and
  # file access; without them the plugin would not produce a finding - confirm.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();
 
  # Information-gathering category, filed under the Windows plugin family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Scheduling prerequisites: run after smb_hotfixes.nasl, only when the
  # registry-enumeration KB item exists and the SMB ports are in scope. The
  # script body re-checks the same KB item before doing any work.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


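# Detection logic: look up the Intellisync control by CLSID, compare the file
# version of its registered binary against the fixed build and, unless the scan
# runs in paranoid mode, only report when the control's kill bit is not set.
#
# Exit codes follow the convention used throughout this script: exit(1, ...)
# for audit errors (the check could not be completed), exit(0, ...) for a
# definite result.

# Preconditions: the registry-enumeration KB flag and a working ActiveX helper
# session.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(1, "The 'SMB/Registry/Enumerated' KB item is missing.");
if (activex_init() != ACX_OK) exit(1, "activex_init() failed.");


# CLSID of the control under test and the first file version treated as fixed.
clsid = '{158CD9E8-E195-4E82-9A78-0CF6B86B3629}';
fixed_version = "7.1.1.129";


# Locate the file used by the control.
# A NULL result is an audit error; any other empty result means the CLSID is
# not registered, i.e. the control is not installed.
file = activex_get_filename(clsid:clsid);
if (isnull(file))
{
  activex_end();
  exit(1, "activex_get_filename() returned NULL.");
}
if (!file)
{
  activex_end();
  exit(0, "The control is not installed as the class id '"+clsid+"' is not defined on the remote host.");
}


# Get its version. It is only used for reporting; the comparison itself is
# done by activex_check_fileversion() below.
version = activex_get_fileversion(clsid:clsid);
if (!version)
{
  activex_end();
  exit(1, "Failed to get file version of '"+file+"'.");
}


# And check it.
rc = activex_check_fileversion(clsid:clsid, fix:fixed_version);

# Read the kill bit while the session opened by activex_init() is still live.
# The original queried it after activex_end(); the helper's implementation is
# not visible here, so whether that lookup could still succeed is unconfirmed,
# and asking before teardown is the order that is safe either way.
# The lookup is skipped in paranoid mode, exactly as before.
killbit = NULL;
if (rc == TRUE && report_paranoia <= 1) killbit = activex_get_killbit(clsid:clsid);
activex_end();

if (rc == TRUE)
{
  report = NULL;
  if (report_paranoia > 1 || killbit == 0)
  {
    # Details common to both report variants.
    details = string(
      "\n",
      "  Class Identifier  : ", clsid, "\n",
      "  Filename          : ", file, "\n",
      "  Installed version : ", version, "\n",
      "  Fixed version     : ", fixed_version, "\n",
      "\n"
    );

    # Paranoid scans report on version alone and say so, which lets a triager
    # see that the control may still be blocked in the browser by its kill bit.
    if (report_paranoia > 1)
      report = string(
        details,
        "Note, though, that Nessus did not check whether the kill bit was\n",
        "set for the control's CLSID because of the Report Paranoia setting\n",
        "in effect when this scan was run.\n"
      );
    else
      report = string(
        details,
        "Moreover, its kill bit is not set so it is accessible via Internet\n",
        "Explorer.\n"
      );
  }

  if (report)
  {
    if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);
    else security_hole(kb_smb_transport());
    exit(0);
  }
  # Vulnerable build present but mitigated: the kill bit is set, so nothing is
  # reported. The outdated file is still on disk; only the upgrade removes it.
  else exit(0, "A vulnerable version of the control is installed but its kill bit is set.");
}
else if (isnull(rc)) exit(1, "activex_check_fileversion() returned NULL.");
else if (rc == FALSE) exit(0, "The control is not affected since its version is "+version+".");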

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.02

Percentile

89.1%
