MS07-051: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)
2007-09-11T00:00:00
ID: SMB_NT_MS07-051.NASL | Type: nessus | Reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. | Modified: 2021-01-02T00:00:00
Description
The remote version of Windows contains a flaw in the Microsoft Agent
service that may allow an attacker to execute code on the remote host.
To exploit this flaw, an attacker would need to set up a rogue website
and lure a victim on the remote host into visiting it.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration phase: when `description` is set, this block only declares the
# plugin's metadata and scheduling requirements and then leaves through the
# exit(0) at its end; no host is inspected here.
if (description)
{
# Plugin identity and revision.
script_id(26017);
script_version("1.31");
script_cvs_date("Date: 2018/11/15 20:50:30");
# Cross-references that let a finding be correlated with other sources:
# CVE, Bugtraq ID, Microsoft bulletin and KB article, CERT note, Exploit-DB entry.
script_cve_id("CVE-2007-3040");
script_bugtraq_id(25566);
script_xref(name:"MSFT", value:"MS07-051");
script_xref(name:"MSKB", value:"938827");
script_xref(name:"CERT", value:"716872");
script_xref(name:"EDB-ID", value:"30567");
# Title and one-line summary; the summary states what is actually tested
# (presence of update 938827), not exploitability of the flaw itself.
script_name(english:"MS07-051: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)");
script_summary(english:"Determines the presence of update 938827");
# Report text: synopsis, description, reference link and remediation.
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the web or
email client.");
script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the Microsoft Agent
service that may allow an attacker to execute code on the remote host.
To exploit this flaw, an attacker would need to set up a rogue website
and lure a victim on the remote host into visiting it.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-051");
script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
# CVSS v2 base vector: network access (AV:N), medium access complexity (AC:M),
# no authentication (Au:N), complete confidentiality/integrity/availability
# impact. AC:M is consistent with the description above, which requires a
# victim to visit a rogue website.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal vector: functional exploit code exists (E:F), an official
# fix is available (RL:OF), and the report is confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# Triage hints: exploit code is marked as available, including in the "core"
# and "canvas" exploit frameworks named by these attributes (presumably
# Core Impact and CANVAS; confirm against the scanner documentation).
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
# Weakness class: CWE-119 (improper restriction of operations within the
# bounds of a memory buffer).
script_cwe_id(119);
# Disclosure, patch and plugin dates are all the same day (2007/09/11).
script_set_attribute(attribute:"vuln_publication_date", value:"2007/09/11");
script_set_attribute(attribute:"patch_publication_date", value:"2007/09/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/11");
# NOTE(review): "local" presumably means the check reads state from the host
# itself rather than probing the flaw over the network, which matches the
# file-version check in the script body; confirm.
script_set_attribute(attribute:"plugin_type", value:"local");
# The CPE is the generic Windows entry, not a Windows 2000-specific one; the
# script body is what narrows the check to the affected release.
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
# NOTE(review): ACT_GATHER_INFO presumably places the plugin in the
# information-gathering (non-intrusive) category; confirm.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_family(english:"Windows : Microsoft Bulletins");
# Scheduling prerequisites: the two dependency scripts, the knowledge-base key
# "SMB/MS_Bulletin_Checks/Possible", and the SMB ports 139/445 or the
# patch-management key (presumably any one of the three suffices; confirm).
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
# Registration ends here; the detection logic below is not reached in this phase.
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
# Detection phase: decide whether update 938827 (MS07-051) is missing by
# comparing the version of Agentdpv.dll on the host with the fixed version.
#
# Prerequisite: the knowledge-base key showing bulletin checks are possible
# (the helper presumably ends the script when the key is absent, as its name
# suggests).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
# Bulletin and KB article identifiers handed to the hotfix helpers and used in
# the "SMB/Missing/" key written below.
bulletin = 'MS07-051';
kb = "938827";
kbs = make_list(kb);
# If patch-management data is flagged in the knowledge base, hand the bulletin
# and KB list to hotfix_check_3rd_party with severity SECURITY_HOLE.
# NOTE(review): whether that helper returns here or ends the script is not
# visible in this file; confirm.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
# The file check needs the registry enumeration and the Windows version to
# have been collected already (presumably by the dependency scripts).
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
# Scope: only Windows 2000 with a service pack in the '4,5' range is checked;
# anything else is audited out as AUDIT_OS_SP_NOT_VULN.
if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
# Locate the system root and the share that exposes it.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
# NOTE(review): an inaccessible share ends the script with AUDIT_SHARE_FAIL,
# which means the host could not be checked, not that it is patched; treat
# that outcome as "unknown" when reading scan results.
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
# Core test: Agentdpv.dll in the \msagent directory on OS version 5.0, checked
# against 2.0.0.3426 (presumably flagged when the file version is lower;
# confirm in smb_hotfixes_fcheck.inc).
# Caveat: this checks the file version only. A host protected solely by a
# workaround (kill bit set, or the Agent server unregistered) is still
# reported as missing the update.
if (hotfix_is_vulnerable(os:"5.0", file:"Agentdpv.dll", version:"2.0.0.3426", dir:"\msagent", bulletin:bulletin, kb:kb))
{
# Record the missing bulletin in the knowledge base, raise the finding, and
# then finish the file-version check session before exiting.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
# Not flagged: finish the file-version check session and audit the host as
# not affected.
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}
{"id": "SMB_NT_MS07-051.NASL", "bulletinFamily": "scanner", "title": "MS07-051: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)", "description": "The remote version of Windows contains a flaw in the Microsoft Agent\nservice that may allow an attacker to execute code on the remote host.\n\nTo exploit this flaw, an attacker would need to set up a rogue website\nand lure a victim on the remote host into visiting it.", "published": "2007-09-11T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/26017", "reporter": "This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-051"], "cvelist": ["CVE-2007-3040"], "type": "nessus", "lastseen": "2021-01-01T05:43:25", "edition": 25, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3040"]}, {"type": "saint", "idList": ["SAINT:DEC3B30CBF6D621ABEB3E6DAFB87EAC3", "SAINT:72EEF480A598A25581C664A75CD6E689", "SAINT:34D39E13495D4380D8089D440BE3BB1D"]}, {"type": "osvdb", "idList": ["OSVDB:36934"]}, {"type": "cert", "idList": ["VU:716872"]}, {"type": "exploitdb", "idList": ["EDB-ID:30567"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8136", "SECURITYVULNS:DOC:17983", "SECURITYVULNS:DOC:17979", "SECURITYVULNS:DOC:17984"]}, {"type": "canvas", "idList": ["MS07_051"]}, {"type": "seebug", "idList": ["SSV:2212"]}], "modified": "2021-01-01T05:43:25", "rev": 2}, "score": {"value": 8.2, "vector": "NONE", "modified": "2021-01-01T05:43:25", "rev": 2}, "vulnersScore": 8.2}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26017);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2007-3040\");\n script_bugtraq_id(25566);\n 
script_xref(name:\"MSFT\", value:\"MS07-051\");\n script_xref(name:\"MSKB\", value:\"938827\");\n \n script_xref(name:\"CERT\", value:\"716872\");\n script_xref(name:\"EDB-ID\", value:\"30567\");\n\n script_name(english:\"MS07-051: Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)\");\n script_summary(english:\"Determines the presence of update 938827\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the web or\nemail client.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Windows contains a flaw in the Microsoft Agent\nservice that may allow an attacker to execute code on the remote host.\n\nTo exploit this flaw, an attacker would need to set up a rogue website\nand lure a victim on the remote host into visiting it.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-051\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows 2000.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-051';\nkb = \"938827\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (hotfix_is_vulnerable(os:\"5.0\", file:\"Agentdpv.dll\", version:\"2.0.0.3426\", dir:\"\\msagent\", bulletin:bulletin, kb:kb))\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "naslFamily": "Windows : Microsoft Bulletins", "pluginID": "26017", "cpe": ["cpe:/o:microsoft:windows"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:45:52", "description": "Stack-based buffer overflow in agentdpv.dll 2.0.0.3425 in Microsoft Agent on Windows 2000 SP4 allows remote attackers to execute arbitrary code via a crafted URL to the Agent (Agent.Control) ActiveX control, which triggers an overflow within the Agent Service (agentsrv.exe) process, a different issue than CVE-2007-1205.", "edition": 3, "cvss3": {}, "published": "2007-09-12T01:17:00", "title": "CVE-2007-3040", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3040"], "modified": "2018-10-16T16:47:00", "cpe": ["cpe:/o:microsoft:windows_2000:*"], "id": "CVE-2007-3040", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3040", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:02:01", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], "description": "Added: 09/11/2007 \nCVE: [CVE-2007-3040](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3040>) \nBID: [25566](<http://www.securityfocus.com/bid/25566>) \nOSVDB: [36934](<http://www.osvdb.org/36934>) \n\n\n### Background\n\n[Microsoft Agent](<http://www.microsoft.com/msagent/>) is a component of the Windows operating system designed to make using a computer easier through enriched user interaction. 
\n\n### Problem\n\nA vulnerability in Microsoft Agent allows command execution when a user loads a web page which calls the Microsoft Agent ActiveX control with a specially crafted URL. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 07-051](<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows 2000 \n \n\n", "edition": 1, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SAINT:34D39E13495D4380D8089D440BE3BB1D", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/microsoft_agent_url", "type": "saint", "title": "Microsoft Agent crafted URL vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], "edition": 2, "description": "Added: 09/11/2007 \nCVE: [CVE-2007-3040](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3040>) \nBID: [25566](<http://www.securityfocus.com/bid/25566>) \nOSVDB: [36934](<http://www.osvdb.org/36934>) \n\n\n### Background\n\n[Microsoft Agent](<http://www.microsoft.com/msagent/>) is a component of the Windows operating system designed to make using a computer easier through enriched user interaction. \n\n### Problem\n\nA vulnerability in Microsoft Agent allows command execution when a user loads a web page which calls the Microsoft Agent ActiveX control with a specially crafted URL. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 07-051](<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>). 
\n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 and requires a user to load the exploit page in Internet Explorer. \n\n### Platforms\n\nWindows 2000 \n \n\n", "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_agent_url", "id": "SAINT:DEC3B30CBF6D621ABEB3E6DAFB87EAC3", "title": "Microsoft Agent crafted URL vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], "description": "Added: 09/11/2007 \nCVE: [CVE-2007-3040](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3040>) \nBID: [25566](<http://www.securityfocus.com/bid/25566>) \nOSVDB: [36934](<http://www.osvdb.org/36934>) \n\n\n### Background\n\n[Microsoft Agent](<http://www.microsoft.com/msagent/>) is a component of the Windows operating system designed to make using a computer easier through enriched user interaction. \n\n### Problem\n\nA vulnerability in Microsoft Agent allows command execution when a user loads a web page which calls the Microsoft Agent ActiveX control with a specially crafted URL. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 07-051](<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>). \n\n### References\n\n<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx> \n\n\n### Limitations\n\nExploit works on Windows 2000 SP4 and requires a user to load the exploit page in Internet Explorer. 
\n\n### Platforms\n\nWindows 2000 \n \n\n", "edition": 4, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SAINT:72EEF480A598A25581C664A75CD6E689", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_agent_url", "title": "Microsoft Agent crafted URL vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "bulletinFamily": "software", "cvelist": ["CVE-2007-3040"], "description": "## Vulnerability Description\nA remote overflow exists in Microsoft Windows 2000 Agent ActiveX control. The ActiveX control fails to sanitize URLs passed as argument to a certain unspecified method, resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Microsoft Windows 2000 Agent ActiveX control. The ActiveX control fails to sanitize URLs passed as argument to a certain unspecified method, resulting in a stack-based buffer overflow. 
With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## References:\n[Secunia Advisory ID:26753](https://secuniaresearch.flexerasoftware.com/advisories/26753/)\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=592\nOther Advisory URL: http://securityreason.com/securityalert/3124\nOVAL ID: 2116\nMicrosoft Security Bulletin: MS07-051\nMicrosoft Knowledge Base Article: 938827\nMail List Post: http://www.securityfocus.com/archive/1/archive/1/479096/100/0/threaded\nISS X-Force ID: 35752\nFrSIRT Advisory: ADV-2007-3113\n[CVE-2007-3040](https://vulners.com/cve/CVE-2007-3040)\nCERT VU: 716872\n", "edition": 1, "modified": "2007-09-11T14:17:13", "published": "2007-09-11T14:17:13", "href": "https://vulners.com/osvdb/OSVDB:36934", "id": "OSVDB:36934", "title": "Microsoft Agent URL Handling Remote Code Execution", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:42:33", "bulletinFamily": "info", "cvelist": ["CVE-2007-3040"], "description": "### Overview \n\nMicrosoft Agent fails to properly handle specially crafted URLs, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system\n\n### Description \n\nMicrosoft Agent is software that provides animated characters to enhance interaction with computer systems. Microsoft Agent comes with Microsoft Windows systems. Microsoft Agent functionality is exposed as an ActiveX control that can be used by web pages. Microsoft Agent fails to properly handle specially crafted URLs, which can result in memory corruption.\n\nAccording to [public reports](<http://www.pcworld.com/article/id,137166-c,hackers/article.html>), exploit code is availabe for this vulnerability. 
\n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause the web browser to crash. \n \nMore information is available in Microsoft Security Bulletin [MS07-051](<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>). \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in Microsoft Security Bulletin [MS07-051](<http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>). \n \n--- \n \n \n**Disable the Microsoft Agent ActiveX controls in Internet Explorer** \n \nThe vulnerable ActiveX controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:\n\n`{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F} \n{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5} \n{4BAC124B-78C8-11D1-B9A8-00C04FD97575} \n{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F} \n{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}` \nMore information about how to set the kill bit is available in [_Microsoft Support Document 240797_](<http://support.microsoft.com/kb/240797>). 
Alternatively, the following text can be saved as a` ``.REG` file and imported to set the kill bit for this control: \n \n`Windows Registry Editor Version 5.00`` \n`` \n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}] \n\"Compatibility Flags\"=dword:00000400`` \n`` \n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}] \n\"Compatibility Flags\"=dword:00000400`` \n`` \n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}] \n\"Compatibility Flags\"=dword:00000400`` \n`` \n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}] \n\"Compatibility Flags\"=dword:00000400`` \n`` \n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}] \n\"Compatibility Flags\"=dword:00000400` \n**Unregister AgentSvr.exe** \n \nThe Microsoft Agent ActiveX controls interact with the Microsoft Agent Server (AgentSvr.exe) to provide Agent functionality. The Microsoft Agent Server can be unregistered to mitigate this vulnerability by running the following command: \n \n`%windir%\\msagent\\agentsvr.exe /unregserver` \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[_Securing Your Web Browser_](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>)\" document. \n \n--- \n \n### Vendor Information\n\n716872\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: September 11, 2007 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23716872 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx>\n * <http://secunia.com/advisories/26753/>\n * <http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=592>\n * <http://www.pcworld.com/article/id,137166-c,hackers/article.html>\n\n### Acknowledgements\n\nThis vulnerability was publicly disclosed in Microsoft Security Bulletin MS07-051. 
Microsoft in turn credits the Vulnerability Research team of Assurent Secure Technologies, Yamata Li of Palo Alto Networks, and An anonymous researcher working with VeriSign iDefense VCP.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-3040](<http://web.nvd.nist.gov/vuln/detail/CVE-2007-3040>) \n---|--- \n**Date Public:** | 2007-09-11 \n**Date First Published:** | 2007-09-11 \n**Date Last Updated: ** | 2007-09-14 13:56 UTC \n**Document Revision: ** | 13 \n", "modified": "2007-09-14T13:56:00", "published": "2007-09-11T00:00:00", "id": "VU:716872", "href": "https://www.kb.cert.org/vuls/id/716872", "type": "cert", "title": "Microsoft Agent fails to properly handle specially crafted URLs", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T12:37:40", "description": "Microsoft Agent agentdpv.dll ActiveX Control Malformed URL Stack Buffer Overflow Vulnerability. CVE-2007-3040. Remote exploit for windows platform", "published": "2007-09-11T00:00:00", "type": "exploitdb", "title": "Microsoft Agent agentdpv.dll ActiveX Control Malformed URL Stack Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], "modified": "2007-09-11T00:00:00", "id": "EDB-ID:30567", "href": "https://www.exploit-db.com/exploits/30567/", "sourceData": "source: http://www.securityfocus.com/bid/25566/info\r\n\r\nMicrosoft Agent (agentsvr.exe) is prone to a stack-based buffer-overflow vulnerability because the application fails to adequately bounds-check user-supplied data.\r\n\r\nSuccessfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions. 
\r\n\r\n<script language=\"javascript\">\r\nfunction document::OnClick() {\r\n var agent, character, url;\r\n agent = new ActiveXObject(\"Agent.Control.2\");\r\n agent.connected = true;\r\n agent.Characters.Load(\"Genie\", \"http:///\");\r\n character = agent.Characters.Character(\"Genie\");\r\n character.Show();\r\n character.Think (\"brazil owns!\");\r\n character.Speak('brazil owns!');\r\n character.Play('Processing');\r\n}\r\n</script>", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/30567/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-3040"], "description": "Microsoft Security Bulletin MS07-051 - Critical\r\nVulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)\r\nPublished: September 11, 2007\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis critical security update resolves a privately reported vulnerability. A remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis is a critical security update for Microsoft Windows 2000 Service Pack 4. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerability by changing the way Microsoft Agent handles specially crafted URLs. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. 
Microsoft recommends that customers apply the update immediately.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe software listed here have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by This Update\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nMS07-020\r\n\r\nNon-Affected Software\r\nOperating System\r\n\r\nWindows XP Service Pack 2\r\n\r\nWindows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 Service Pack 1 and Server 2003 Service Pack 2\r\n\r\nWindows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems\r\n\r\nWindows Vista\r\n\r\nWindows Vista x64 Edition\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle. 
For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\nAffected Software\tAgent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\tAggregate Severity Rating\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nCritical\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nCritical\r\nTop of sectionTop of section\r\n\t\r\nAgent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\r\nA remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. The vulnerability could allow an attacker to remotely execute code on the affected system. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3040.\r\n\t\r\nMitigating Factors for Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nThe Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, they could still be vulnerable to this issue through the Web-based attack scenario.\r\n\u2022\t\r\n\r\nBy default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps reduce attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail. 
However, if a user clicks on a link within an e-mail they could still be vulnerable to this issue through the Web-based attack scenario.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nTemporarily prevent the Agent ActiveX control from running in Internet Explorer\r\n\r\nYou can help prevent attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use the Registry Editor at your own risk.\r\n\r\nFor detailed steps that you can use to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the steps in this article to create a Compatibility Flags value in the registry to prevent a COM object from being instantiated in Internet Explorer.\r\n\r\nTo set the kill bit for a CLSID with a value of {D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}, paste the following text in a text editor such as Notepad (the text sets the kill bit for this CLSID and for the four other CLSIDs it lists). 
Then, save the file by using the .reg file name extension.\r\n\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\nYou can apply this .reg file to individual systems by double-clicking it. You can also apply it across domains by using Group Policy. 
For more information about Group Policy, visit the following Microsoft Web sites:\r\n\u2022\t\r\n\r\nGroup Policy collection\r\n\u2022\t\r\n\r\nWhat is Group Policy Object Editor?\r\n\u2022\t\r\n\r\nCore Group Policy tools and settings\r\n\r\nNote You must restart Internet Explorer for your changes to take effect.\r\n\r\nImpact of workaround: Web sites that use the Microsoft Agent ActiveX Control will no longer work correctly via Internet Explorer.\r\n\u2022\t\r\n\r\nUnregister AgentSvr.exe\r\n\r\nEnter the following at a command line or in a logon or machine startup script:\r\n\r\n%windir%\msagent\agentsvr.exe /unregserver\r\n\r\nImpact of workaround: Microsoft Agent will no longer work.\r\n\u2022\t\r\n\r\nConfigure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone.\r\n\r\nYou can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Internet Options on the Tools menu.\r\n\r\n2.\r\n\t\r\n\r\nClick the Security tab.\r\n\r\n3.\r\n\t\r\n\r\nClick Internet, and then click Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. 
For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the steps outlined in \u201cAdd sites that you trust to the Internet Explorer Trusted sites zone\u201d.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. 
We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your computer. To continue receiving security updates from Microsoft, add *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and you must have an ActiveX Control to install the update.\r\n\u2022\t\r\n\r\nSet Internet and Local intranet security zone settings to \u201cHigh\u201d to prompt before running ActiveX Controls and Active Scripting in these zones\r\n\r\nYou can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Microsoft Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. 
This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the steps outlined in \u201cAdd sites that you trust to the Internet Explorer Trusted sites zone\u201d.\r\n\r\nAdd sites that you trust to the Internet Explorer Trusted sites zone\r\n\r\nAfter you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. 
We recommend that you add only sites that you trust to the Trusted sites zone.\r\n\r\nTo do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nIn Internet Explorer, click Tools, click Internet Options, and then click the Security tab.\r\n\r\n2.\r\n\t\r\n\r\nIn the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.\r\n\r\n3.\r\n\t\r\n\r\nIf you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.\r\n\r\n4.\r\n\t\r\n\r\nIn the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.\r\n\r\n5.\r\n\t\r\n\r\nRepeat these steps for each site that you want to add to the zone.\r\n\r\n6.\r\n\t\r\n\r\nClick OK two times to accept the changes and return to Internet Explorer.\r\n\r\nNote Add any sites that you trust not to take malicious action on your computer. To continue receiving security updates from Microsoft, add *.windowsupdate.microsoft.com and *.update.microsoft.com. These are the sites that will host the update, and you must have an ActiveX Control to install the update.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\r\nWhat is the scope of the vulnerability? \r\nA remote code execution vulnerability exists in Microsoft Agent in the way that it handles certain specially crafted URLs. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nSupplying a specially crafted URL to the Microsoft Agent ActiveX control could corrupt system memory so that an attacker could execute arbitrary code.\r\n\r\nWhat is Microsoft Agent? 
\r\nMicrosoft Agent is a component of the Microsoft Windows operating system that uses interactive animated characters to guide users and can make using and learning to use a computer easier. For more information, see the Microsoft Agent Web site.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWho could exploit the vulnerability? \r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted Web site. Instead, an attacker would have to convince them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nThis vulnerability requires that a user is logged on and visits a Web site for any malicious action to occur. Any systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe update removes the vulnerability by changing the way Microsoft Agent handles specially crafted URLs.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nThe Vulnerability Research team of Assurent Secure Technologies for reporting the Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\u2022\t\r\n\r\nYamata Li of Palo Alto Networks for reporting the Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\n\u2022\t\r\n\r\nAn anonymous researcher working with VeriSign iDefense VCP for reporting the Agent Remote Code Execution Vulnerability \u2013 CVE-2007-3040\r\nTop of sectionTop of section\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\nTop of sectionTop of section\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\nTop of sectionTop of section\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (August 14, 2007): Bulletin published.", "edition": 1, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SECURITYVULNS:DOC:17979", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17979", "title": "Microsoft Security Bulletin MS07-051 - Critical Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-3040"], "description": "Microsoft Windows 2000 Agent URL Canonicalizing Stack Based Buffer\r\nOverflow Vulnerability\r\n\r\niDefense Security Advisory 09.11.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nSep 11, 2007\r\n\r\nI. BACKGROUND\r\n\r\nMicrosoft Agent allows websites and programs to display animated\r\ncharacters that speak and move around the screen. The Microsoft Office\r\n"Clippy" character, the animated paper clip, is an example of a\r\nMicrosoft agent character.\r\n\r\nAgents can be created through the web browser by loading and interacting\r\nwith an ActiveX control. Once this control is loaded it will start the\r\nAgent Service process, and pass requests from the browser to the\r\nservice. More information can be found at the following site.\r\n\r\nhttp://www.microsoft.com/msagent/default.asp\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a stack based buffer overflow vulnerability in\r\nMicrosoft Corp's Microsoft Windows 2000 Agent service could allow an\r\nattacker to execute arbitrary code with the privileges of the logged in\r\nuser.\r\n\r\nThe vulnerability exists within the Agent Service (agentsvr.exe). 
Due to\r\nimproper handling of specially crafted URLs, an attack can cause stack\r\nbased buffer overflow.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability results in arbitrary code execution\r\nwith the privileges of the logged in user. To exploit this\r\nvulnerability, an attacker would have to use social engineering\r\ntechniques to convince a user to visit a malicious website. No further\r\ninteraction is needed.\r\n\r\nWith default settings, Microsoft Outlook and Outlook Express can not be\r\nused to directly exploit this vulnerability. By default, Outlook and\r\nOutlook Express both run in Restricted mode which prevents Active\r\nContent from being loaded. However, an attacker could send an e-mail\r\nwith a link to a malicious website. By following this link a user is\r\nsusceptible to exploitation through the browser.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in the Agent\r\nservice included in Windows 2000. Microsoft reports that newer versions\r\nof the Agent service are not vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nSetting the kill bit for the following CLSID will prevent the control\r\nfrom loading in the browser:\r\n\r\n{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\r\n\r\nThis will not fix the vulnerability, but it will prevent it from being\r\nexploited through the web browser.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nMicrosoft has addressed this vulnerability within MS07-051. For more\r\ninformation, consult their bulletin at the following URL.\r\n\r\nhttp://www.microsoft.com/technet/security/Bulletin/MS07-051.mspx\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2007-3040 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. 
DISCLOSURE TIMELINE\r\n\r\n07/09/2007 Initial vendor notification\r\n07/09/2007 Initial vendor response\r\n09/11/2007 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "edition": 1, "modified": "2007-09-12T00:00:00", "published": "2007-09-12T00:00:00", "id": "SECURITYVULNS:DOC:17984", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17984", "title": "iDefense Security Advisory 09.11.07: Microsoft Windows 2000 Agent URL Canonicalizing Stack Based Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "cvelist": ["CVE-2007-3040"], "description": "Microsoft Agent Crafted URL Stack Buffer Overflow\r\n\r\nAssurent ID: FSC20070911-11 \r\n\r\n\r\n1. 
Affected Software\r\n\r\nMicrosoft Agent, version 2.0.0.3425 (bundled with Windows 2000 Service Pack 4)\r\n\r\nReference: http://www.microsoft.com/msagent/\r\n\r\n\r\n2. Vulnerability Summary\r\n\r\nThe Microsoft Agent ActiveX control contains a buffer overflow vulnerability that allows remote attackers to inject and execute arbitrary code with the privileges of the currently logged in user.\r\n\r\nThe affected ActiveX control is registered as below:\r\n\r\n File: agentdpv.dll\r\n ProgID: Agent.Control\r\n CLASSID: D45FD31B-5C6E-11D1-9EC1-00C04FD7081F\r\n\r\n\r\n3. Vulnerability Analysis\r\n\r\nThe target user is enticed to view a malicious web page. The script in the web page calls a method of the affected ActiveX control with malicious arguments. A stack-based buffer will be overrun upon processing the malicious script.\r\n\r\nAssurent has confirmed that code execution is possible. The code in such a case would execute within the security context of the currently logged in user.\r\n\r\nIn an attack case where code injection is not successful, the affected application will terminate abnormally.\r\n\r\nNote that although this vulnerability is exploited through Internet Explorer, the affected application is the Microsoft Agent application.\r\n\r\n\r\n4. Vulnerability Detection\r\n\r\nAssurent has confirmed the vulnerability in Microsoft Agent shipped with Windows 2000 SP4. The confirmed vulnerable file version is 2.0.0.3425. Earlier versions may also be affected.\r\n\r\n\r\n5. Workaround\r\n\r\nSetting the kill bit for the vulnerable ActiveX control's CLSID will prevent this issue from being exploited via Internet Explorer. \r\n\r\n\r\n6. Vendor Response\r\n\r\nMicrosoft has released a bulletin addressing this vulnerability as part of the September 2007 update cycle.\r\nReference: http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx\r\n\r\n\r\n7. 
Disclosure Timeline\r\n\r\n 04/18/2007 Reported to vendor\r\n 04/23/2007 Initial vendor response\r\n 09/10/2007 Coordinated public disclosure\r\n\r\n8. Credits\r\n\r\nVulnerability Research Team, Assurent Secure Technologies, a TELUS company\r\n\r\n\r\n9. References\r\n\r\n CVE: CVE-2007-3040\r\n Vendor: MS07-051\r\n\r\n\r\n10. About Assurent VRS\r\n\r\nAssurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP) for MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors, MSPs, and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats including worm & virus outbreaks and high-risk spyware. The VRS and TPP services are real-time feeds providing subscribers with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers. \r\n\r\nhttp://www.assurent.com/", "edition": 1, "modified": "2007-09-11T00:00:00", "published": "2007-09-11T00:00:00", "id": "SECURITYVULNS:DOC:17983", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17983", "title": "Assurent VR - Microsoft Agent Crafted URL Stack Buffer Overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "cvelist": ["CVE-2007-3040"], "description": "Buffer overflow on oversized URL.", "edition": 1, "modified": "2007-09-12T00:00:00", "published": "2007-09-12T00:00:00", "id": "SECURITYVULNS:VULN:8136", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8136", "title": "Microsoft Agent ActiveX buffer overflow", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], 
"description": "**Name**| ms07_051 \n---|--- \n**CVE**| CVE-2007-3040 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Microsoft Agent URL Overflow \n**Notes**| CVE Name: CVE-2007-3040 \nVENDOR: Microsoft \nMSADV: MS07-051 \nVersionsAffected: \nRepeatability: \nReferences: http://www.microsoft.com/technet/security/Bulletin/ms07-051.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3040 \nDate public: 09/11/07 \nCVSS: 9.3 \n\n", "edition": 2, "modified": "2007-09-12T01:17:00", "published": "2007-09-12T01:17:00", "id": "MS07_051", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms07_051", "type": "canvas", "title": "Immunity Canvas: MS07_051", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T21:59:14", "description": "BUGTRAQ ID: 25566\r\nCVE(CAN) ID: CVE-2007-3040\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nWindows\u64cd\u4f5c\u7cfb\u7edf\u6240\u5b89\u88c5\u7684Microsoft Agent ActiveX\u63a7\u4ef6\u7528\u4e8e\u4f7f\u7528\u52a8\u753b\u5b57\u7b26\u5f15\u5bfc\u7528\u6237\u4e86\u89e3\u5982\u4f55\u4f7f\u7528\u8ba1\u7b97\u673a\uff0c\u8be5ActiveX\u63a7\u4ef6\u6ce8\u518c\u5982\u4e0b\uff1a\r\n\r\n \u6587\u4ef6\uff1aagentdpv.dll\r\n ProgID\uff1aAgent.Control\r\n CLASSID\uff1aD45FD31B-5C6E-11D1-9EC1-00C04FD7081F\r\n\r\nMicrosoft 
Agent\u63a7\u4ef6\u5904\u7406\u67d0\u4e9b\u7279\u5236URL\u7684\u65b9\u5f0f\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5982\u679c\u7528\u6237\u53d7\u9a97\u8bbf\u95ee\u4e86\u6076\u610f\u7f51\u9875\u7684\u8bdd\u653b\u51fb\u8005\u5c31\u53ef\u4ee5\u5728\u53d7\u5f71\u54cd\u7684\u7cfb\u7edf\u4e0a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u90a3\u4e9b\u5e10\u6237\u88ab\u914d\u7f6e\u4e3a\u62e5\u6709\u8f83\u5c11\u7cfb\u7edf\u7528\u6237\u6743\u9650\u7684\u7528\u6237\u6bd4\u5177\u6709\u7ba1\u7406\u7528\u6237\u6743\u9650\u7684\u7528\u6237\u53d7\u5230\u7684\u5f71\u54cd\u8981\u5c0f\u3002\r\n\n\nMicrosoft Windows 2000SP4\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u963b\u6b62\u5728Internet Explorer\u4e2d\u8fd0\u884cAgent ActiveX\u63a7\u4ef6\uff0c\u5c06\u4ee5\u4e0b\u6587\u672c\u7c98\u8d34\u4e8e\u8bb0\u4e8b\u672c\u7b49\u6587\u672c\u7f16\u8f91\u5668\u4e2d\u3002\u7136\u540e\uff0c\u4f7f\u7528.reg\u6587\u4ef6\u6269\u5c55\u540d\u4fdd\u5b58\u6587\u4ef6\u5e76\u53cc\u51fb\u5bfc\u5165\u3002\r\n\r\nWindows Registry Editor Version 5.00\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{4BAC124B-78C8-11D1-B9A8-00C04FD97575}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}]\r\n\r\n"Compatibility Flags"=dword:00000400\r\n\r\n* 
\u6ce8\u9500AgentSvr.exe\uff0c\u5728\u547d\u4ee4\u884c\u5904\u6216\u8005\u5728\u767b\u5f55\u6216\u8ba1\u7b97\u673a\u542f\u52a8\u811a\u672c\u4e2d\u8f93\u5165\u4e0b\u5217\u547d\u4ee4\uff1a\r\n %windir%\\msagent\\agentsvr.exe /unregserver\r\n\r\n* \u5c06Internet Explorer\u914d\u7f6e\u4e3a\u5728Internet\u548c\u672c\u5730Intranet\u5b89\u5168\u533a\u57df\u4e2d\u8fd0\u884c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u8fdb\u884c\u63d0\u793a\u3002\r\n* \u5c06Internet\u548c\u672c\u5730intranet\u5b89\u5168\u533a\u8bbe\u7f6e\u4e3a\u201c\u9ad8\u201d\u4ee5\u5728\u8fd0\u884cActiveX\u63a7\u4ef6\u548c\u6d3b\u52a8\u811a\u672c\u4e4b\u524d\u8981\u6c42\u63d0\u793a\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS07-051\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS07-051\uff1aVulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)\r\n\u94fe\u63a5\uff1a<a href=\"http://www.microsoft.com/technet/security/Bulletin/MS07-051.mspx?pf=true\" target=\"_blank\">http://www.microsoft.com/technet/security/Bulletin/MS07-051.mspx?pf=true</a>\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\n<a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=7cd248ed-d154_4dce-89ef-ceefd2700965&displaylang=en\" target=\"_blank\">http://www.microsoft.com/downloads/details.aspx?FamilyId=7cd248ed-d154_4dce-89ef-ceefd2700965&displaylang=en</a>", "published": "2007-09-12T00:00:00", "title": "Microsoft Agent agentdpv.dll ActiveX\u63a7\u4ef6\u7578\u5f62URL\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff08MS07-051\uff09", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-3040"], "modified": "2007-09-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-2212", "id": "SSV:2212", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}]}