Microsoft Agent Crafted URL Stack Buffer Overflow

2007.09.13
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microsoft Agent Crafted URL Stack Buffer Overflow Assurent ID: FSC20070911-11 1. Affected Software Microsoft Agent, version 2.0.0.3425 (bundled with Windows 2000 Service Pack 4) Reference: http://www.microsoft.com/msagent/ 2. Vulnerability Summary The Microsoft Agent ActiveX control contains a buffer overflow vulnerability that allows remote attackers to inject and execute arbitrary code with the privileges of the currently logged in user. The affected ActiveX control is registered as below: File: agentdpv.dll ProgID: Agent.Control CLASSID: D45FD31B-5C6E-11D1-9EC1-00C04FD7081F 3. Vulnerability Analysis The target user is enticed to view a malicious web page. The script in the web page calls a method of the affected ActiveX control with malicious arguments. A stack-based buffer will be overrun upon processing the malicious script. Assurent has confirmed that code execution is possible. The code in such a case would execute within the security context of the currently logged in user. In an attack case where code injection is not successful, the affected application will terminate abnormally. Note that although this vulnerability is exploited through Internet Explorer, the affected application is the Microsoft Agent application. 4. Vulnerability Detection Assurent has confirmed the vulnerability in Microsoft Agent shipped with Windows 2000 SP4. The confirmed vulnerable file version is 2.0.0.3425. Earlier versions may also be affected. 5. Workaround Setting the kill bit for the vulnerable ActiveX control's CLSID will prevent this issue from being exploited via Internet Explorer. 6. Vendor Response Microsoft has released a bulletin addressing this vulnerability as part of the September 2007 update cycle. Reference: http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx 7. Disclosure Timeline 04/18/2007 Reported to vendor 04/23/2007 Initial vendor response 09/10/2007 Coordinated public disclosure 8. Credits Vulnerability Research Team, Assurent Secure Technologies, a TELUS company 9. References CVE: CVE-2007-3040 Vendor: MS07-051 10. About Assurent VRS Assurent's Vulnerability Research Service (VRS) for security product vendors, and Threat Protection Programs (TPP) for MSPs and enterprise security teams, help to eliminate the significant costs incurred by security product vendors, MSPs, and enterprise security teams in responding to and managing critical new security vulnerabilities and other threats including worm & virus outbreaks and high-risk spyware. The VRS and TPP services are real-time feeds providing subscribers with detailed analysis of the top security vulnerabilities, focused on the specific needs of each group of customers. http://www.assurent.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top