
AOL You've Got Pictures ActiveX Control (YGPPicFinder.DLL) Overflow


The remote host contains an ActiveX control from AOL called YPG Picture Finder Tool. It was distributed along with various versions of AOL’s client software and from the You’ve Got Pictures website prior to 2004. The ‘YGPPicFinder.DLL’ component of this control fails to limit the amount of user-supplied data copied to a fixed-size buffer. A specially crafted web page that instantiates the control can therefore overflow the buffer, crash the hosting application (typically Internet Explorer), and possibly execute arbitrary code with the privileges of the user running the browser. The vendor’s fix is removal of the control rather than an updated version.

#
#  (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description)
{
  # Plugin identity and version bookkeeping.
  script_id(20737);
  script_version("1.21");
  script_cvs_date("Date: 2018/08/07 16:46:51");

  # External references for the flaw this plugin checks for.
  script_cve_id("CVE-2006-0316");
  script_bugtraq_id(16262);
  script_xref(name:"CERT", value:"715730");

  script_name(english:"AOL You've Got Pictures ActiveX Control (YGPPicFinder.DLL) Overflow");
  script_summary(english:"Checks for overflow vulnerability in AOL You've Got Pictures ActiveX control");

  # Text shown in the report.
  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by a
buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host contains an ActiveX control from AOL called YPG
Picture Finder Tool. It was distributed along with various versions of
AOL's client software and from the You've Got Pictures website prior
to 2004. The 'YGPPicFinder.DLL' component of this control fails to
limit the amount of user-supplied data copied to a finite buffer. This
can be exploited using a specially crafted web page, for example to
overflow the buffer, crash the application using the control
(typically Internet Explorer), and possibly execute arbitrary code
subject to the user's privileges.");
  # There is no fixed version; the vendor ships a removal tool instead.
  script_set_attribute(attribute:"see_also", value:"http://download.newaol.com/security/YGPClean.exe");
  script_set_attribute(attribute:"solution", value:"Download and run AOL's removal tool.");

  # Risk scoring.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:aol:aol_client_software");
  script_end_attributes();

  # Scheduling: a registry lookup over SMB, so it only gathers information
  # and needs the registry enumeration done by smb_hotfixes.nasl first.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("audit.inc");


# Connect to the appropriate share.
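# Registry enumeration is a hard prerequisite; say so instead of exiting silently
# (matches the audit() style already used for smb_session_init below).
if (!get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_KB_MISSING, "SMB/Registry/Enumerated");

# SMB transport and credentials collected by earlier plugins.
port   = kb_smb_transport();
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1) audit(AUDIT_SHARE_FAIL, "IPC$");

# Connect to the remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  audit(AUDIT_REG_FAIL);
}

# The control is identified by its CLSID; the default value of the CLSID key
# is the control's registered display name.
clid = "B33CCD56-0909-42C9-8A88-8976F66B8BF2";

name = NULL;
key = "SOFTWARE\Classes\CLSID\{" + clid + "}";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(value)) name = value[1];
  RegCloseKey(handle:key_h);
}

if (!name)
{
  RegCloseKey(handle:hklm);
  NetUseDel();
  audit(AUDIT_NOT_INST, "The AOL You've Got Pictures ActiveX control");
}

# Determine where the control is installed. Only accept the registration when
# InprocServer32 actually points at YGPPicFinder, so an unrelated control that
# reused the CLSID is not reported.
file = NULL;
key = "SOFTWARE\Classes\CLSID\{" + clid + "}\InprocServer32";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:NULL);
  if (!isnull(value))
  {
    if (value[1] =~ "YGPPicFinder") file = value[1];
  }
  RegCloseKey(handle:key_h);
}

# Check the kill bit. When bit 0x400 of "Compatibility Flags" is set under the
# ActiveX Compatibility key, Internet Explorer refuses to instantiate the
# control even though it stays registered on disk, which removes the
# browser-based attack vector described in the advisory. Other hosting
# applications may ignore the kill bit, so paranoid scans still report it.
killbit = FALSE;
key = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{" + clid + "}";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"Compatibility Flags");
  if (!isnull(value))
  {
    if (value[1] & 0x400) killbit = TRUE;
  }
  RegCloseKey(handle:key_h);
}

# Clean up before deciding what to report; nothing below touches the registry.
RegCloseKey(handle:hklm);
NetUseDel();

if (!file) exit(0, "The CLSID is registered but its InprocServer32 value does not reference YGPPicFinder.");
if (killbit && report_paranoia < 2) exit(0, "The AOL You've Got Pictures ActiveX control is installed but its kill bit is set.");

# Generate the report.
report =
  '\nThe YPG Picture Finder Tool ActiveX control is installed as\n' +
  '\n' +
  '  ' + file + '\n';
if (killbit)
  report += '\nNote that the control\'s kill bit is set, so Internet Explorer will not load it;\n' +
            'it is reported because the scan is running in paranoid mode.\n';

security_hole(port:port, extra:report);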