nessusThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.MW6_ACTIVEX_VU219470.NASL
HistoryJan 28, 2014 - 12:00 a.m.

MW6 Technologies ActiveX Multiple Buffer Overflows

2014-01-2800:00:00
This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
www.tenable.com
17

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.867 High

EPSS

Percentile

98.6%

The remote Windows host has one or more ActiveX controls from MW6 Technologies installed that are affected by multiple buffer overflow vulnerabilities. Specifically, these involve the ‘Data’ parameter as used in the Aztec, DataMatrix, and MaxiCode controls, and successful exploitation could lead to arbitrary code execution.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Metadata branch: taken only when `description` is true. It registers the
# plugin's identifiers, references, report text, scoring and prerequisites,
# then exits before any of the host checks further down are reached.
if (description)
{
  script_id(72179);
  script_version("1.4");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  # Cross-references: CVE, Bugtraq ID, CERT vulnerability note and the three
  # Exploit-DB entries associated with this finding.
  script_cve_id("CVE-2013-6040");
  script_bugtraq_id(65038);
  script_xref(name:"CERT", value:"219470");
  script_xref(name:"EDB-ID", value:"31176");
  script_xref(name:"EDB-ID", value:"31177");
  script_xref(name:"EDB-ID", value:"31178");

  script_name(english:"MW6 Technologies ActiveX Multiple Buffer Overflows");
  script_summary(english:"Checks if the kill bit is set on affected controls.");

  # Report text shown to the operator: synopsis, description, references
  # and the recommended remediation.
  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has one or more ActiveX controls installed that
are affected by multiple buffer overflow vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host has one or more ActiveX controls from MW6
Technologies ActiveX controls that are affected by multiple buffer
overflow vulnerabilities.  Specifically, these involve the 'Data'
parameter as used in the Aztec, DataMatrix, and MaxiCode controls, and
successful exploitation could lead to arbitrary code execution."
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Jan/137");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer");
  # The only remediation offered is a workaround (setting the kill bit), which
  # is exactly the condition the check below looks for.
  script_set_attribute(
    attribute:"solution",
    value:
"There are currently no known fixes; as a workaround, set the kill bit
on the affected ActiveX controls."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  # NOTE(review): in CVSS v2, RL:OF means "official fix", yet the solution text
  # above states that no fix is known and only a workaround exists. Confirm
  # which is current; remediation-level scoring affects prioritisation.
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/28");

  # One CPE entry per affected control family named in the description.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:aztec_activex_control");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:datamatrix_activex_control");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:maxicode_activex_control");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # Prerequisites: a dependency on smb_hotfixes.nasl, the two KB keys the check
  # reads before doing any work, and the SMB ports 139/445.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
  script_require_ports(139, 445);

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('smb_func.inc');
include('smb_activex_func.inc');

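# Main check: for each affected MW6 Technologies CLSID, determine whether the
# control is installed and whether its kill bit is set, then report every
# installed control that Internet Explorer could still instantiate.

# Stop early if either KB item the check depends on is missing.
get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (activex_init() != ACX_OK) exit(1, 'activex_init() failed.');

# CLSIDs checked for the affected controls. The description names the Aztec,
# DataMatrix and MaxiCode controls; which CLSID belongs to which control is
# not stated in this script.
clsids = make_list(
  "{2355C601-37D1-42B4-BEB1-03C773298DC8}",
  "{DE7DA0B5-7D7B-4CEA-8739-65CF600D511E}",
  "{F359732D-D020-40ED-83FF-F381EFE36B54}"
);

report = "";

# Number of listed controls for which a file was found. Kept separately from
# `report` so the audit message can tell "nothing installed" apart from
# "installed but mitigated by the kill bit".
installed = 0;

foreach clsid (clsids)
{
  # No filename for the CLSID presumably means the control is not installed
  # (confirm against smb_activex_func.inc); nothing to report for it.
  file = activex_get_filename(clsid:clsid);
  if (!file) continue;
  installed += 1;

  # Report the control when its kill bit is not set. With Report Paranoia
  # above 1 the kill-bit lookup is skipped and every installed control is
  # reported.
  if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
  {
    # Get its version.
    version = activex_get_fileversion(clsid:clsid);
    if (!version) version = "Unknown";

    report +=
      '\n  Class identifier  : ' + clsid +
      '\n  Filename          : ' + file +
      '\n  Installed version : ' + version + '\n';
  }
}
activex_end();

if (report)
{
  # Tell the reader whether the kill-bit state was actually verified.
  if (report_paranoia > 1)
  {
    report +=
    '\n' +
    'Note, though, that Nessus did not check whether the kill bit was\n' +
    'set for each control\'s CLSID because of the Report Paranoia setting' + '\n' +
    'in effect when this scan was run.\n';
  }
  else
  {
    report +=
    '\n' +
    'Moreover, their kill bits are not set so they are accessible via Internet\n' +
    'Explorer.\n';
  }

  # Per-control details are attached only when report verbosity is above 0.
  port = kb_smb_transport();
  if (report_verbosity > 0) security_hole(port:port, extra:report);
  else security_hole(port:port);
  exit(0);
}
# An empty report has two different causes; the original message claimed the
# kill-bit case even when no control was present on the host.
else if (installed == 0) exit(0, "None of the affected MW6 Technologies ActiveX controls were found on the remote host.");
else exit(0, "One or more affected controls were found but the kill bit was set on all of them.");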
| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| mw6tech | aztec_activex_control | | cpe:/a:mw6tech:aztec_activex_control |
| mw6tech | datamatrix_activex_control | | cpe:/a:mw6tech:datamatrix_activex_control |
| mw6tech | maxicode_activex_control | | cpe:/a:mw6tech:maxicode_activex_control |

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.867 High

EPSS

Percentile

98.6%