9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.615 Medium
EPSS
Percentile
97.8%
The remote host contains the Creative Software AutoUpdate Engine ActiveX control, which is used to automatically update Creative Labs software.
The version of this control installed on the remote host reportedly contains an unspecified stack-based buffer overflow. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, this flaw could be leveraged to execute arbitrary code on the affected system subject to the user’s privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when the script is loaded with `description` set, it
# only records the plugin's metadata and then exits, so none of the detection
# code further down runs in this mode.
if (description)
{
  # Plugin identity and cross-references to the advisory records it tracks.
  script_id(32442);
  script_version("1.22");
  script_cve_id("CVE-2008-0955");
  script_bugtraq_id(29391);
  script_xref(name:"CERT", value:"501843");
  script_xref(name:"EDB-ID", value:"5681");
  script_xref(name:"Secunia", value:"30403");
  script_name(english:"Creative Software AutoUpdate Engine ActiveX (CTSUEng.ocx) Unspecified Overflow");
  # NOTE(review): the summary says the version is checked, but the detection
  # code in this file only prints the version in the report and never compares
  # it; the finding is driven by the control being registered.
  script_summary(english:"Checks version of Creative Software AutoUpdate Engine control");
  # The continuation lines of the multi-line literals below start at column 0
  # on purpose: leading whitespace would become part of the displayed text.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by a
buffer overflow vulnerability." );
  script_set_attribute(attribute:"description", value:
"The remote host contains the Creative Software AutoUpdate Engine
ActiveX control, which is used to automatically update Creative Labs
software.
The version of this control installed on the remote host reportedly
contains an unspecified stack-based buffer overflow. If an attacker
can trick a user on the affected host into viewing a specially crafted
HTML document, this method could be leveraged to execute arbitrary
code on the affected system subject to the user's privileges." );
  # NOTE(review): this reference is a general research-blog index rather than
  # a specific advisory; confirm whether a more precise link is available.
  script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/" );
  # NOTE(review): no remediation is stated here, while the temporal vector
  # below carries RL:OF (official fix available in CVSS v2 terms); confirm
  # which of the two is current. The detection code treats a set kill bit as
  # not reportable unless Report Paranoia is raised.
  script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  # CVSS v2 base vector: network-reachable, medium complexity, no
  # authentication, complete C/I/A impact. Temporal: E:H/RL:OF/RC:C.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  # Exploit-maturity flags: public exploits, framework coverage and in-the-wild
  # malware use are all recorded as present, which matters for prioritisation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  # CWE-119: improper restriction of operations within the bounds of a memory
  # buffer.
  script_cwe_id(119);
  script_set_attribute(attribute:"plugin_publication_date", value: "2008/05/28");
  script_cvs_date("Date: 2018/11/15 20:50:26");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  # Prerequisites: smb_hotfixes.nasl is declared as a dependency, and the
  # SMB/Registry/Enumerated KB key plus the SMB ports (139, 445) are required.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  # Stop here in description mode; the detection code must not run.
  exit(0);
}
include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");
# Detection: report the Creative Software AutoUpdate Engine control when it is
# registered on the host. The file version is only echoed in the report text;
# it is never compared against a fixed release, so every registered copy is
# treated as affected.

# Nothing to do unless the SMB/Registry/Enumerated KB entry is present.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Set up the ActiveX helper library; exit silently if that fails.
if (activex_init() != ACX_OK) exit(0);

# CLSID used to look the control up.
clsid = "{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}";

control_path = activex_get_filename(clsid:clsid);
if (control_path)
{
  version_label = activex_get_fileversion(clsid:clsid);
  if (!version_label) version_label = string("An unknown version");
  else version_label = string("Version ", version_label);

  # Opening lines shared by both report variants.
  finding_header = string(
    "\n",
    version_label, " of the vulnerable control is installed as :\n",
    "\n",
    " ", control_path, "\n",
    "\n"
  );

  finding = NULL;
  if (report_paranoia > 1)
  {
    # Paranoid scans skip the kill-bit lookup entirely, so a finding from this
    # branch can describe a control whose kill bit is already set. Check the
    # kill bit for the CLSID during triage before treating it as exposed.
    finding = string(
      finding_header,
      "Note, though, that Nessus did not check whether the kill bit was\n",
      "set for the control's CLSID because of the Report Paranoia setting\n",
      "in effect when this scan was run.\n"
    );
  }
  else if (activex_get_killbit(clsid:clsid) == 0)
  {
    # Only a result of exactly 0 produces a finding here; any other return
    # value from the lookup leaves `finding` unset.
    finding = string(
      finding_header,
      "Moreover, its kill bit is not set so it is accessible via Internet\n",
      "Explorer.\n"
    );
  }

  # With verbosity off the hole is raised on the SMB transport port without
  # the explanatory text.
  if (finding && report_verbosity)
    security_hole(port:kb_smb_transport(), extra:finding);
  else if (finding)
    security_hole(kb_smb_transport());
}

# Always release the ActiveX helper session, whether or not anything was found.
activex_end();