Executive Summary

This alert is flagged as containing a CWE/SANS Top 25 Common Weakness Enumeration entry (see the CWE table below). For more information, see the CWE/SANS Top 25 list.
Summary

Title: Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) cross-site scripting, ActiveX, and Repair Service vulnerabilities

Information

Name: VU#602801
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2010-05-06
Last vendor modification: 2010-05-18
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Calculate full CVSS 3.0 vector scores

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
CVSS impact score: 10
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Calculate full CVSS 2.0 vector scores

Detail

Vulnerability Note VU#602801

Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) cross-site scripting, ActiveX, and Repair Service vulnerabilities

Overview

Consona (formerly SupportSoft) Intelligent Assistance Suite (IAS) contains a set of vulnerabilities that collectively could allow an attacker to execute arbitrary code on a remote system.

I. Description

In 2009, Consona acquired SupportSoft's enterprise software assets, including web-based assistance software called Intelligent Assistance Suite (IAS). IAS client components are delivered via ActiveX controls, Netscape-style plugins, or standalone installers. IAS runs on Microsoft Windows platforms. Consona products affected by these vulnerabilities include Consona Live Assistance, Consona Dynamic Agent, Consona Subscriber Assistance, Repair Manager, Consona Subscriber Activation, and Subscriber Agent.

IAS contains vulnerabilities in different components.

  1. Cross-site scripting (XSS) in ns6plugindestructor.asp
  2. Unsafe methods provided by SdcUser.TgConCtl ActiveX control (tgctlcm.dll)
  3. Buffer overflow in SdcUser.TgConCtl ActiveX control (tgctlcm.dll)
  4. Local privilege elevation in Repair Service (tgsrv.exe) (only installed on Windows Vista and Windows 7)

Using several of these vulnerabilities, an attacker can execute arbitrary code on a vulnerable system. For example, the XSS vulnerability can be used to instantiate the SdcUser.TgConCtl control, which then can be used to download and execute arbitrary programs using the unsafe methods provided by the control. The Repair Service can be used to elevate from user (or Low-Rights IE) privileges to SYSTEM.

Further details are available in Rubén Santamarta's slides from Rooted CON 2010.

II. Impact

By convincing a user to view a specially crafted HTML document (web page, HTML email message), an attacker could execute arbitrary code with the privileges of the user, and possibly gain SYSTEM privileges via the Repair Service.

III. Solution

Apply patches

Sites providing IAS/Consona support services should apply the appropriate patches referenced in the April 2010 Security Bulletin.

Remove ns6plugindestructor.asp

To remove the initial cross-site scripting vector, sites providing IAS/Consona support services can remove ns6plugindestructor.asp from the support web site. Removing this file is unlikely to reduce functionality, but may have side effects.

Limit domain access to the SdcUser.TgConCtl ActiveX control

SupportSoft ActiveX controls can only be scripted from sites that contain valid license information. Following the guidance in the April 2010 Security Bulletin, sites providing IAS/Consona support services can augment domain access restrictions by listing allowed domains in the Windows registry and hosting controls using HTTPS to reduce the possibility of DNS spoofing attacks.

Disable the SdcUser.TgConCtl ActiveX control in Internet Explorer

Web clients of IAS/Consona support services can disable the vulnerable ActiveX control in Internet Explorer by setting the kill bit for the following CLSID:

    {01113300-3E00-11D2-8470-0060089874ED}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .reg file and imported into the Windows registry:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{01113300-3E00-11D2-8470-0060089874ED}]
    "Compatibility Flags"=dword:00000400

Disabling this control will likely reduce functionality.
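The kill-bit workaround above is a single DWORD write, but in practice an administrator wants to verify the current state before and after the change, avoid clobbering other compatibility flags already set for the CLSID, and cover the WOW6432Node view that 32-bit Internet Explorer reads on 64-bit Windows. The following PowerShell is an added example written for this note; it is not part of the CERT vulnerability note or any Consona or Microsoft tooling. The function names Test-ActiveXKillBit and Set-ActiveXKillBit are the author's own; the CLSID, the key path and the 0x400 flag value are those given in the note and in KB 240797.

```powershell
# Added example (not from the CERT note): inspect and set the Internet Explorer
# ActiveX kill bit for the SdcUser.TgConCtl CLSID from VU#602801.
# The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the
# ActiveX Compatibility key (Microsoft KB 240797).

$KillBitFlag   = 0x400
$TgConCtlClsid = '{01113300-3E00-11D2-8470-0060089874ED}'

# Native view plus the WOW6432Node view used by 32-bit IE on 64-bit Windows.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    # Returns the current "Compatibility Flags" value for a key, or 0 if absent.
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.'Compatibility Flags') { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # Reports, for each registry view, whether the kill bit is set for the CLSID.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        $key   = Join-Path $base $Clsid
        $flags = Get-CompatFlags -Key $key
        [pscustomobject]@{
            Key        = $key
            Flags      = ('0x{0:X8}' -f $flags)
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit, preserving any other flags already present. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        # The WOW6432Node view does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path -LiteralPath $base)) { continue }
        $key = Join-Path $base $Clsid
        if ($PSCmdlet.ShouldProcess($key, "Set kill bit (0x400) in 'Compatibility Flags'")) {
            if (-not (Test-Path -LiteralPath $key)) {
                New-Item -Path $key -Force | Out-Null
            }
            $newFlags = (Get-CompatFlags -Key $key) -bor $KillBitFlag
            New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                -PropertyType DWord -Value $newFlags -Force | Out-Null
        }
    }
}

# Usage (reading works as a normal user; writing requires an elevated prompt):
#   Test-ActiveXKillBit -Clsid $TgConCtlClsid | Format-Table -AutoSize
#   Set-ActiveXKillBit  -Clsid $TgConCtlClsid -WhatIf   # preview the change
#   Set-ActiveXKillBit  -Clsid $TgConCtlClsid           # apply it
#   Test-ActiveXKillBit -Clsid $TgConCtlClsid | Format-Table -AutoSize
```

Running Test-ActiveXKillBit first gives a baseline to compare against after the change, which is useful evidence for a change ticket; the OR into the existing value matters because other flags in the same DWORD (for example, ones set by previous Microsoft updates) would otherwise be silently dropped.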

Vendor Information

Vendor: Consona
Status: Affected
Date notified: 2010-03-26
Date updated: 2010-05-18

References

http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html
http://www.wintercore.com/downloads/rootedcon_0day.pdf
http://www.rootedcon.es/eng/rooted-con-2010/schedule.html
http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf
http://www.consona.com/news/consonaacquiressupportsoft.aspx
http://www.consona.com/news/SupportSoftClose.aspx
http://www.supportsoft.com/Downloads/PDF/brochures/IAS_for_DSP_2008.pdf
http://support.microsoft.com/kb/240797

Credit

This information is based on research by Rubén Santamarta. Thanks to Rubén and Consona for following responsible vulnerability disclosure practices.

This document was written by Art Manion.

Other Information

Date Public: 2010-03-19
Date First Published: 2010-05-06
Date Last Updated: 2010-05-18
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 15.52
Document Revision: 27

Original Source

Url : http://www.kb.cert.org/vuls/id/602801

CWE : Common Weakness Enumeration

Share  Id       Name
22 % CWE-310 Cryptographic Issues
22 % CWE-264 Permissions, Privileges, and Access Controls
11 % CWE-287 Improper Authentication
11 % CWE-200 Information Exposure
11 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
11 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)
11 % CWE-16 Configuration

CPE : Common Platform Enumeration

Type  Description  Count
Application 3
Application 1
Application 1
Application 1
Application 1
Application 1

Open Source Vulnerability Database (OSVDB)

Id     Description
64669  Consona tgctlcm.dll SdcWebSecureBase Interface pluginlicense.ini ActiveX DNS ...
64668  Consona tgctlcm.dll SdcWebSecureBase Interface Instantiation / Free ActiveX E...
64667  Consona tgctlcm.dll SdcWebSecureBase Interface Site-locking Implementation Ac...
64629  Consona SdcUser.TgConCtl ActiveX (tgctlcm.dll) GetUserName Method Username Di...
64505  Consona SdcUser.TgConCtl ActiveX (tgctlcm.dll) RunCMD Method Overflow
64504  Consona SdcUser.TgConCtl ActiveX (tgctlcm.dll) HTTPDownloadFile Arbitrary Com...
64503  Consona SdcUser.TgConCtl ActiveX (tgctlcm.dll) Install Method Arbitrary Comma...
64502  Consona SdcUser.TgConCtl ActiveX (tgctlcm.dll) RunCmd Method Arbitrary Comman...
64394  Consona CRM Suite Password Hint Unspecified Password Reset Issue
64393  Consona CRM Suite ASP Page URI XSS
64390  Consona CRM Suite Repair Service tgsrv.exe Predictable Timestamp Field Remote...