Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2008 SecPodOPENVAS:900132
HistorySep 26, 2008 - 12:00 a.m.

NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability

2008-09-2600:00:00
Copyright (C) 2008 SecPod
plugins.openvas.org
12

EPSS

0.458

Percentile

97.4%

JSON

The host is installed CDBurnerXP, which is prone to ActiveX control
based remote code execution vulnerability.

##############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl 7332 2017-09-29 14:16:56Z cfischer $
# Description: NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability
#
# Authors:
# Sharath S <[email protected]>
#
# Copyright:
# Copyright (C) 2008 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
##############################################################################

tag_impact = "Exploitation will cause Internet Explorer to restrict the webpage
  from running scripts and could overwrite files with arbitrary content.
  Impact Level : Application";

tag_solution = "Upgrade to CDBurnerXP Version 4.3.2 or later.
  For updates check, http://www.nugroovz.com/Downloads.aspx";

tag_affected = "CDBurnerXP versions 4.2.1.976 and prior on all platform";

tag_insight = "The flaw is due to an error in validating/sanitizing the input data
  sent to NMSDVDX.dll file.";


tag_summary = "The host is installed CDBurnerXP, which is prone to ActiveX control
  based remote code execution vulnerability.";

if(description)
{
  script_id(900132);
  script_version("$Revision: 7332 $");
  script_tag(name:"last_modification", value:"$Date: 2017-09-29 16:16:56 +0200 (Fri, 29 Sep 2017) $");
  script_tag(name:"creation_date", value:"2008-09-26 07:36:49 +0200 (Fri, 26 Sep 2008)");
  script_cve_id("CVE-2008-4342");
  script_bugtraq_id(31374);
  script_copyright("Copyright (C) 2008 SecPod");
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_category(ACT_GATHER_INFO);
  script_tag(name:"qod_type", value:"registry");
  script_family("General");
  script_name("NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability");

  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/WindowsVersion");
  script_require_ports(139, 445);
  script_xref(name : "URL" , value : "http://cdburnerxp.se/en/home");
  script_xref(name : "URL" , value : "http://www.milw0rm.com/exploits/6491");
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "impact" , value : tag_impact);
  exit(0);
}

include("smb_nt.inc");
include("secpod_smb_func.inc");
 
if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}
 
cdBurnerXpPath = registry_get_sz(item:"ImagePath",
                                 key:"SYSTEM\ControlSet001\Services\NMSAccessU");
if(!cdBurnerXpPath){
  exit(0);
}

cdBurnerXpPath = cdBurnerXpPath - "\NMSAccessU.exe" + "\cdbxpp.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:cdBurnerXpPath);
file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:cdBurnerXpPath);

name   =  kb_smb_name();
login  =  kb_smb_login();
pass   =  kb_smb_password();
domain =  kb_smb_domain();
port   =  kb_smb_transport();

soc = open_sock_tcp(port);
if(!soc){
  exit(0);
}

r = smb_session_request(soc:soc, remote:name);
if(!r){
   close(soc);
   exit(0);
}

prot = smb_neg_prot(soc:soc);
if(!prot){
  close(soc);
  exit(0);
}

r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
                      prot:prot);
if(!r){
  close(soc);
  exit(0);
}

uid = session_extract_uid(reply:r);
if(!uid){
  close(soc);
  exit(0);
}

r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
if(!r){
  close(soc);
  exit(0);
}

tid = tconx_extract_tid(reply:r);
if(!tid){
  close(soc);
  exit(0);
}

fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
if(!fid){
  close(soc);
  exit(0);
}

cdBurnerXpVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
close(soc);
 
# grep for versions 4.2.1.976 and prior
if(egrep(pattern:"^([0-3]\..*|4\.([01](\..*)?|2\.(0(\..*)?|1\.([0-8]?[0-9]?" +
		 "[0-9]|9[0-6][0-9]|97[0-6]))))$", string:cdBurnerXpVer)){
  security_message(0);
}

Related

cvelist 1
exploitdb 1
openvas 3
prion 1
kaspersky 1
cve 1
nvd 1
cvelist
cvelist
CVE-2008-4342
2008-09-30 17:00:00
exploitdb
exploitdb
NuMedia Soft Nms DVD Burning SDK - ActiveX &#039;NMSDVDX.dll&#039; Command Execution
2008-09-19 00:00:00
openvas
openvas
NuMedia Soft DVD Burning SDK Activex Control RCE Vulnerability
2008-09-26 00:00:00
Detection of Dangerous ActiveX Control
2009-02-04 00:00:00
Detection of Dangerous ActiveX Control
2009-02-04 00:00:00
prion
prion
Remote code execution
2008-09-30 17:22:00
kaspersky
kaspersky
KLA10097 WLF vulnerability in CDBurnerXP
2008-09-30 00:00:00
cve
cve
CVE-2008-4342
2008-09-30 17:22:09
nvd
nvd
CVE-2008-4342
2008-09-30 17:22:09

EPSS

0.458

Percentile

97.4%

JSON
Related for OPENVAS:900132
cvelist1exploitdb1openvas3prion1kaspersky1cve1nvd1