Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability
2013-05-10T00:00:00
ID ZDI-13-065 Type zdi Reporter c1d2d9acc746ae45eeb477b97fa74688 Modified 2013-11-09T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.
{"enchantments": {"vulnersScore": 9.3}, "edition": 2, "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-065", "modified": "2013-11-09T00:00:00", "published": "2013-05-10T00:00:00", "history": [{"differentElements": ["modified"], "edition": 1, "lastseen": "2016-09-04T11:33:45", "bulletin": {"published": "2013-05-10T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-065", "modified": "2013-09-04T00:00:00", "edition": 1, "history": [], "bulletinFamily": "info", "viewCount": 0, "objectVersion": "1.2", "hash": "25fe2f0af637c2a947c8fb7e04dbf2e8f1d13809ac2e12c8226170a191c8524f", "title": "Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-029"], "cvelist": ["CVE-2013-1296"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.", "type": "zdi", "id": "ZDI-13-065", "lastseen": "2016-09-04T11:33:45", "reporter": "c1d2d9acc746ae45eeb477b97fa74688", "hashmap": [{"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}, {"hash": "de25676891f23b04ab869e6e7840e9a3", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "4c9bb1dcbf696bc255481ded310eeba3", "key": "title"}, {"hash": "57baa7bd33e9a42a11526a63dc32bdca", "key": "href"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "5cda424f9f398c331477b6cb93b960c7", "key": "published"}, {"hash": "dd7766abf0d4322c692ea9f72670a80d", "key": "reporter"}, {"hash": "d06152115dc2b7456b806ae7b0fe9acd", "key": "references"}, {"hash": "8ad3ab98669e25e6994b50a38e0dcbe7", "key": "description"}, {"hash": "9c7d000161441bfb23b08402d897624a", "key": "cvelist"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}}], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within Remote Desktop ActiveX control. By manipulating TransportSettings or AdvancedSettings, an attacker can force a dangling pointer to be reused after it has been freed. An attacker can leverage this to gain code execution in the context of the current user.", "bulletinFamily": "info", "viewCount": 0, "objectVersion": "1.2", "hash": "5a7376b435f38f49a18b97106888705bb9dfebf9099e7b78c81767a84388056b", "title": "Microsoft Internet Explorer RDP ActiveX Control Remote Code Execution Vulnerability", "references": ["http://technet.microsoft.com/en-us/security/bulletin/ms13-029"], "cvelist": ["CVE-2013-1296"], "type": "zdi", "id": "ZDI-13-065", "lastseen": "2016-11-09T00:17:59", "reporter": "c1d2d9acc746ae45eeb477b97fa74688", "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "9c7d000161441bfb23b08402d897624a", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "8ad3ab98669e25e6994b50a38e0dcbe7", "key": "description"}, {"hash": "57baa7bd33e9a42a11526a63dc32bdca", "key": "href"}, {"hash": "b7fd0bad9a3db89554b13b658b53fddb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "5cda424f9f398c331477b6cb93b960c7", "key": "published"}, {"hash": "d06152115dc2b7456b806ae7b0fe9acd", "key": "references"}, {"hash": "dd7766abf0d4322c692ea9f72670a80d", "key": "reporter"}, {"hash": "4c9bb1dcbf696bc255481ded310eeba3", "key": "title"}, {"hash": "3dd086b59554fe33c1b8f051475b4b31", "key": "type"}], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}
{"result": {"cve": [{"id": "CVE-2013-1296", "type": "cve", "title": "CVE-2013-1296", "description": "The Remote Desktop ActiveX control in mstscax.dll in Microsoft Remote Desktop Connection Client 6.1 and 7.0 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a web page that triggers access to a deleted object, and allows remote RDP servers to execute arbitrary code via unspecified vectors that trigger access to a deleted object, aka \"RDP ActiveX Control Remote Code Execution Vulnerability.\"", "published": "2013-04-09T18:55:01", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1296", "cvelist": ["CVE-2013-1296"], "lastseen": "2017-09-19T13:38:39"}], "symantec": [{"id": "SMNTC-58874", "type": "symantec", "title": "Microsoft Remote Desktop ActiveX Control CVE-2013-1296 Remote Code Execution Vulnerability", "description": "### Description\n\nThe Microsoft Remote Desktop ActiveX control is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.\n\n### Technologies Affected\n\n * Avaya Aura Conferencing 6.0 SP1 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya CallPilot \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Communication Server 1000 Telephony Manager \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Messaging Application Server 4 \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server MM 1.1 \n * Microsoft RDP 6.1 \n * Microsoft RDP 7.0 \n * Microsoft Windows 7 for 32-bit Systems \n * Microsoft Windows 7 for x64-based Systems \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2003 SP2 \n * Microsoft Windows Server 2003 x64 SP2 \n * Microsoft Windows Server 2008 R2 Itanium SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems R2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista Ultimate 64-bit edition SP2 \n * Microsoft Windows XP Professional x64 Edition SP2 \n * Microsoft Windows XP Service Pack 3 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nNever accept files from untrusted or unknown sources, because they may be malicious in nature. Avoid opening email attachments from unknown or questionable sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nAttackers could exploit this vulnerability by enticing a user to visit a malicious website. Do not follow links provided by sources of questionable integrity.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "published": "2013-04-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58874", "cvelist": ["CVE-2013-1296"], "lastseen": "2018-03-12T10:28:22"}], "seebug": [{"id": "SSV:60731", "type": "seebug", "title": "Microsoft Remote Desktop ActiveX\u63a7\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1296)(MS13-029)", "description": "BUGTRAQ ID: 58874\r\nCVE(CAN) ID: CVE-2013-1296\r\n\r\n\u8fdc\u7a0b\u684c\u9762\u534f\u8bae\uff08RDP, Remote Desktop Protocol\uff09\u662f\u4e00\u4e2a\u591a\u901a\u9053\uff08multi-channel\uff09\u7684\u534f\u8bae\uff0c\u8ba9\u7528\u6237\uff08\u5ba2\u6237\u7aef\u6216\u79f0\u201c\u672c\u5730\u7535\u8111\u201d\uff09\u8fde\u4e0a\u63d0\u4f9b\u5fae\u8f6f\u7ec8\u7aef\u673a\u670d\u52a1\u7684\u7535\u8111\uff08\u670d\u52a1\u5668\u7aef\u6216\u79f0\u201c\u8fdc\u7a0b\u7535\u8111\u201d\uff09\u3002\r\n\r\n\u5f53\u8fdc\u7a0b\u684c\u9762 ActiveX \u63a7\u4ef6 mstscax.dll \u5c1d\u8bd5\u8bbf\u95ee\u5185\u5b58\u4e2d\u5df2\u88ab\u5220\u9664\u7684\u5bf9\u8c61\u65f6\uff0c\u5b58\u5728\u4e00\u4e2a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u8bbf\u95ee\u7279\u5236\u7f51\u9875\u6765\u5229\u7528\u8be5\u6f0f\u6d1e\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u83b7\u5f97\u4e0e\u767b\u5f55\u7528\u6237\u76f8\u540c\u7684\u7528\u6237\u6743\u9650\u3002\r\n0\r\nMicrosoft Windows XP\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows Server 2003\r\nMicrosoft Windows 7\r\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0c\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u9650\u5236\u5bf9 mstscax.dll \u7684\u8bbf\u95ee\r\n* \u7981\u6b62\u8fdc\u7a0b\u684c\u9762\u8fde\u63a5 ActiveX \u63a7\u4ef6\u5728 Internet Explorer \u4e2d\u8fd0\u884c\r\n* \u5c06 Internet \u548c\u672c\u5730 Intranet \u5b89\u5168\u533a\u57df\u8bbe\u7f6e\u8bbe\u4e3a\u201c\u9ad8\u201d\uff0c\u4ee5\u4fbf\u5728\u8fd9\u4e9b\u533a\u57df\u4e2d\u963b\u6b62 ActiveX \u63a7\u4ef6\u548c\u6d3b\u52a8\u811a\u672c\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS13-029\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS13-029\uff1aVulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)\r\n\u94fe\u63a5\uff1ahttp://technet.microsoft.com/security/bulletin/MS13-029", "published": "2013-04-11T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-60731", "cvelist": ["CVE-2013-1296"], "lastseen": "2017-11-19T17:45:39"}], "openvas": [{"id": "OPENVAS:1361412562310901217", "type": "openvas", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "published": "2013-04-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310901217", "cvelist": ["CVE-2013-1296"], "lastseen": "2018-04-06T11:22:58"}, {"id": "OPENVAS:901217", "type": "openvas", "title": "Microsoft RDP ActiveX Control Remote Code Execution Vulnerability (2828223)", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-029.", "published": "2013-04-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=901217", "cvelist": ["CVE-2013-1296"], "lastseen": "2017-07-02T21:11:17"}], "nessus": [{"id": "SMB_NT_MS13-029.NASL", "type": "nessus", "title": "MS13-029: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)", "description": "The remote host contains a version of the Remote Desktop ActiveX control that is affected by a remote code execution vulnerability when attempting to access an object in memory that has been deleted.\n\nIf an attacker can trick a user on the affected system into opening a specially crafted webpage, this issue could be leveraged to execute arbitrary code subject to the user's privileges.", "published": "2013-04-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65876", "cvelist": ["CVE-2013-1296"], "lastseen": "2017-10-29T13:44:07"}]}}
