Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2009-2022 Tenable Network Security, Inc.HP_VIRTUALROOMSCLIENT_701_CODE_EXEC.NASL
HistoryMar 09, 2009 - 12:00 a.m.

HP Virtual Rooms Client < 7.0.1 ActiveX Control Dangerous Methods

2009-03-0900:00:00
This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.
www.tenable.com
13
JSON

HP Virtual Rooms client is installed on the remote system. An ActiveX control included with the client and provided by a file with a name such as ‘HPVirtualRooms32.dll’ contains several dangerous methods. By tricking a user into viewing a specially crafted HTML document, it may be possible for an attacker to use these methods to execute arbitrary code on the remote system subject to the user’s privileges.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(35804);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-0208");
  script_bugtraq_id(33918);
  script_xref(name:"CERT", value:"461321");

  script_name(english:"HP Virtual Rooms Client < 7.0.1 ActiveX Control Dangerous Methods");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that fails to restrict
access to dangerous methods.");
  script_set_attribute(attribute:"description", value:
"HP Virtual Rooms client is installed on the remote system.  An ActiveX
control included with the client and provided by a file with a name such
as 'HPVirtualRooms32.dll' contains several dangerous methods.  By
tricking a user into viewing a specially crafted HTML document, it may
be possible for an attacker to use these methods to execute arbitrary
code on the remote system subject to the user's privileges.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Feb/226");
  script_set_attribute(attribute:"solution", value:
"Upgrade to HP Virtual Rooms client version 7.0.1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/03/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:virtual_rooms");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");

if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Locate the file used by the controls.
if (activex_init() != ACX_OK) exit(0);

info = "";
for (i=32; i>=0; i--)
{
  zeros = crap(data:"0", length:8-strlen(string(i)));
  clsid = string("{", zeros, i, "-9593-4264-8B29-930B3E4EDCCD}");

  file = activex_get_filename(clsid:clsid);
  if (file)
  { 
    ver = activex_get_fileversion(clsid:clsid);
    if (!ver) ver = "unknown";

    if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
    { 
      info += '\n' +
              '  CLSID   : ' + clsid + '\n' +
              '  File    : ' + file + '\n' +
              '  Version : ' + version + '\n';
        
      if (!thorough_tests) break;
    }
  }
}

activex_end();

if (info)
{ 
  if (report_verbosity > 0)
  { 
    if (report_paranoia > 1)
    { 
      report = string(
        "\n",
        "Nessus found the following affected control(s) installed :\n",
        # nb: info already starts with an empty line.
        info,
        "\n",
        "Note, though, that Nessus did not check whether the kill bit was\n",
        "set for the control's CLSID because of the Report Paranoia setting\n",
        "in effect when this scan was run.\n"
      );
    }
    else
    {
      report = string(
        "\n",
        "Nessus found the following affected control(s) installed :\n",
        # nb: info already starts with an empty line.
        info,
        "\n",
        "Moreover, the kill bit is not set so it is accessible via Internet\n",
        "Explorer.\n"
      );
    }
    security_hole(port:kb_smb_transport(), extra:report);
  }
  else security_hole(kb_smb_transport());
}
VendorProductVersionCPE
hpvirtual_roomscpe:/a:hp:virtual_rooms

Related

seebug 2
cve 1
prion 1
securityvulns 2
cert 1
nessus 1
seebug
seebug
HP Virtual Rooms ActiveX控件不安全方式调用漏洞
2009-03-02 00:00:00
HP Virtual Rooms客户端未明远程代码执行漏洞
2009-02-27 00:00:00
cve
cve
CVE-2009-0208
2009-02-26 23:30:00
prion
prion
Design/Logic Flaw
2009-02-26 23:30:00
securityvulns
securityvulns
HP Virtual Rooms ActiveX code execution
2009-02-26 00:00:00
[security bulletin] HPSBGN02410 SSRT080135 rev.1 - HP Virtual Rooms Client Running on Windows, Remote Execution of Arbitrary Code
2009-02-26 00:00:00
cert
cert
HP Virtual Rooms ActiveX control fails to restrict access to dangerous methods
2009-02-26 00:00:00
nessus
nessus
MS KB969898: Cumulative Security Update of ActiveX Kill Bits
2009-06-10 00:00:00
JSON
Related for HP_VIRTUALROOMSCLIENT_701_CODE_EXEC.NASL
seebug2cve1prion1securityvulns2cert1nessus1