Lucene search
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.SONICWALL_NELX_ACTIVEX_OVERFLOW.NASLHistoryNov 03, 2007 - 12:00 a.m.
SonicWALL SSL-VPN NetExtender NELaunchCtrl ActiveX Control Multiple Overflows
2007-11-0300:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
28
9.3 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.846 High
EPSS
Percentile
98.5%
The remote host contains the ‘NELaunchCtrl’ ActiveX control included with the SonicWALL NetExtender VPN client software.
The version of this control installed on the remote host fails to validate arguments to several methods, such as ‘AddRouteEntry’, ‘serverAddress’, ‘sessionId’, ‘clientIPLower’, etc. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, the attacker could leverage these issues to overflow a buffer and execute arbitrary code on the host subject to the user’s privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(27618);
script_version("1.20");
script_cve_id("CVE-2007-5603", "CVE-2007-5814");
script_bugtraq_id(26288);
script_xref(name:"CERT", value:"298521");
script_name(english:"SonicWALL SSL-VPN NetExtender NELaunchCtrl ActiveX Control Multiple Overflows");
script_summary(english:"Checks version of NELaunchCtrl ActiveX control");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by
buffer overflow vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote host contains the 'NELaunchCtrl' ActiveX control included
with the SonicWALL NetExtender VPN client software.
The version of this control installed on the remote host fails to
validate arguments to several methods, such as 'AddRouteEntry',
'serverAddress', 'sessionId', 'clientIPLower', etc. If a remote
attacker can trick a user on the affected host into visiting a
specially crafted web page, the attacker could leverage these issues
to overflow a buffer and execute arbitrary code on the host subject to
the user's privileges." );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483097/30/0/threaded" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/Nov/12");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.1.0.51 / 2.5.0.56 or later of the control." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(119);
script_set_attribute(attribute:"plugin_publication_date", value: "2007/11/03");
script_set_attribute(attribute:"vuln_publication_date", value: "2007/11/01");
script_cvs_date("Date: 2018/11/15 20:50:28");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe",value:"cpe:/a:sonicwall:ssl_vpn");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
# Locate the file used by the controls.
if (activex_init() != ACX_OK) exit(0);
clsid = "{6EEFD7B1-B26C-440D-B55A-1EC677189F30}";
file = activex_get_filename(clsid:clsid);
if (file)
{
# Check its version.
ver = activex_get_fileversion(clsid:clsid);
if (
ver &&
(
ver =~ "^[01]\." ||
(
ver =~ "^2\.1\." &&
activex_check_fileversion(clsid:clsid, fix:"2.1.0.51") == TRUE
) ||
(
ver =~ "^2\.5\." &&
activex_check_fileversion(clsid:clsid, fix:"2.5.0.56") == TRUE
)
)
)
{
report = NULL;
if (report_paranoia > 1)
report = string(
"Version ", ver, " of the vulnerable control is installed as :\n",
"\n",
" ", file, "\n",
"\n",
"Note, though, that Nessus did not check whether the kill bit was\n",
"set for the control's CLSID because of the Report Paranoia setting\n",
"in effect when this scan was run.\n"
);
else if (activex_get_killbit(clsid:clsid) == 0)
report = string(
"Version ", ver, " of the vulnerable control is installed as :\n",
"\n",
" ", file, "\n",
"\n",
"Moreover, its kill bit is not set so it is accessible via Internet\n",
"Explorer.\n"
);
if (report) security_hole(port:kb_smb_transport(), extra:report);
}
}
activex_end();
Related
nvd
nvd
CVE-2007-5814
2007-11-05 18:46:00
CVE-2007-5603
2007-11-05 18:46:00
prion
prion
Buffer overflow
2007-11-05 18:46:00
Stack overflow
2007-11-05 18:46:00
cve
cve
CVE-2007-5814
2007-11-05 18:46:00
CVE-2007-5603
2007-11-05 18:46:00
cvelist
cvelist
CVE-2007-5814
2007-11-05 18:00:00
CVE-2007-5603
2007-11-05 18:00:00
cert
cert
SonicWall NetExtender NELaunchCtrl ActiveX control stack buffer overflow
2007-11-02 00:00:00
checkpoint_advisories
checkpoint_advisories
packetstorm
packetstorm
SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow
2009-11-26 00:00:00
9.3 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.846 High
EPSS
Percentile
98.5%
Related for SONICWALL_NELX_ACTIVEX_OVERFLOW.NASL