Executive Summary
Summary | |
---|---|
Title | Microsoft Office Snapshot Viewer ActiveX control race condition |
Information | |||
---|---|---|---|
Name | VU#837785 | First vendor Publication | 2008-07-07 |
Vendor | VU-CERT | Last vendor Modification | 2008-08-12 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#837785

Microsoft Office Snapshot Viewer ActiveX control race condition

Overview

The Microsoft Office Snapshot Viewer ActiveX control contains a race condition, which can allow a remote, unauthenticated attacker to download arbitrary files to arbitrary locations.

I. Description

Microsoft Snapshot Viewer is a viewer for snapshots created with Microsoft Access. Snapshot Viewer is available as an ActiveX control, which is provided by snapview.ocx, or as a stand-alone application. Snapshot Viewer is provided with Office 2000, Office XP, and Office 2003, and it may also be installed on a system that does not have Microsoft Office. By design, the Snapshot Viewer ActiveX control can download a specified file to a temporary location, giving it a temporary name. However, a race condition in the control can allow an attacker to download files to arbitrary locations with arbitrary file names.

We have received reports of active exploitation of this vulnerability. Exploit code for this vulnerability is publicly available. This issue is addressed in Microsoft Security Bulletin MS08-041.
{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
{F2175210-368C-11D0-AD81-00A0C90DC8D9}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

Upgrading Internet Explorer to version 7 or later may help mitigate this vulnerability through its ActiveX opt-in feature. This feature is designed to prompt the user before using ActiveX controls that are already installed on the system.

Do not run Windows with administrator privileges

Running Windows using an unprivileged regular user account may mitigate the effects of this vulnerability. See the Microsoft Technet article Applying the Principle of Least Privilege to User Accounts on Windows XP for more information. This can prevent an attacker from being able to download files to the Startup folder for "All Users."

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected
References
This document was written by Will Dormann.
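An added example, not part of the CERT note or any Microsoft tooling: a Python audit that parses the text of a `reg export` of the ActiveX Compatibility key and reports, for each of the three CLSIDs in the registry entries above, whether the kill bit (0x400) is actually set. The function names and the sample export are constructed for illustration.

```python
import re

# Key path and CLSIDs are taken from the workaround text of the note.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSIDS = (
    "{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
    "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
    "{F2175210-368C-11D0-AD81-00A0C90DC8D9}",
)
KILL_BIT = 0x400

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})\s*$', re.I)

def parse_flags(reg_text):
    """Map upper-cased key path -> Compatibility Flags value found in .reg text."""
    flags, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).upper()  # registry paths are case-insensitive
            continue
        m = FLAGS_RE.match(line)
        if m and key:
            flags[key] = int(m.group(1), 16)
    return flags

def audit_kill_bits(reg_text):
    """Return {clsid: 'set' | 'no-kill-bit' | 'missing'} for the three CLSIDs."""
    flags = parse_flags(reg_text)
    report = {}
    for clsid in CLSIDS:
        value = flags.get((BASE + "\\" + clsid).upper())
        if value is None:
            report[clsid] = "missing"       # key or value absent
        elif value & KILL_BIT:
            report[clsid] = "set"           # other flag bits may also be present
        else:
            report[clsid] = "no-kill-bit"   # flags exist but 0x400 is clear
    return report

# Constructed sample: one CLSID killed, one with unrelated flags, one absent.
# Real reg.exe exports are UTF-16; decode the file before passing its text in.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f0e42d60-368c-11d0-ad81-00a0c90dc8d9}]
"Compatibility Flags"=dword:00800000
'''
```

Any CLSID reported as `missing` or `no-kill-bit` means the workaround is incomplete on that host, since the control can still be instantiated through that identifier.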
Original Source
Url : http://www.kb.cert.org/vuls/id/837785 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:6120 | |||
Oval ID: | oval:org.mitre.oval:def:6120 | ||
Title: | Snapshot Viewer Arbitrary File Download Vulnerability | ||
Description: | The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-2463 | Version: | 6 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | Microsoft Access 2000 Microsoft Access 2002 Microsoft Access 2003 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 |
SAINT Exploits
Description | Link |
---|---|
Microsoft Access Snapshot Viewer file download vulnerability | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2008-08-19 | Name : Microsoft Access Snapshot Viewer ActiveX Control Vulnerability File : nvt/secpod_ms_access_snapshot_viewer_actvx_vuln_900004.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
46749 | Microsoft Access Snapshot Viewer ActiveX (snapview.ocx) PrintSnapshot Method ... A code execution flaw exists in Office. The Access Snapshot Viewer ActiveX control fails to validate unspecified content when saving files, resulting in code execution. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2008-08-14 | IAVM : 2008-A-0056 - Microsoft Office Access Snapshot Viewer ActiveX Control Vulnerability Severity : Category I - VMSKEY : V0016740 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Snapshot Viewer General Property Page Object ActiveX clsid unicode access RuleID : 7982 - Revision : 11 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 7981 - Revision : 19 - Type : BROWSER-PLUGINS |
2017-08-23 | Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 43606 - Revision : 3 - Type : BROWSER-PLUGINS |
2017-08-23 | Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 43605 - Revision : 2 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX function call access RuleID : 27793 - Revision : 3 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 27792 - Revision : 4 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27791 - Revision : 4 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27790 - Revision : 4 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 27789 - Revision : 4 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX function call access RuleID : 27788 - Revision : 3 - Type : BROWSER-PLUGINS |
2014-01-10 | Eleanore exploit kit post-exploit page request RuleID : 21071 - Revision : 5 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit pdf exploit page request RuleID : 21070 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit exploit fetch request RuleID : 21069 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Eleanore exploit kit landing page RuleID : 21068 - Revision : 4 - Type : EXPLOIT-KIT |
2014-01-10 | Microsoft Access Snapshot Viewer 2 ActiveX function call unicode access RuleID : 13910 - Revision : 7 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer 2 ActiveX function call access RuleID : 13909 - Revision : 7 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer 2 ActiveX clsid unicode access RuleID : 13908 - Revision : 8 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 13907 - Revision : 15 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer 1 ActiveX function call unicode access RuleID : 13906 - Revision : 9 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX function call access attempt RuleID : 13905 - Revision : 18 - Type : BROWSER-PLUGINS |
2014-01-10 | Microsoft Access Snapshot Viewer 1 ActiveX clsid unicode access RuleID : 13904 - Revision : 8 - Type : WEB-ACTIVEX |
2014-01-10 | Microsoft Access Snapshot Viewer ActiveX clsid access attempt RuleID : 13903 - Revision : 15 - Type : BROWSER-PLUGINS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-08-13 | Name : Arbitrary code can be executed on the remote host through the web client. File : smb_nt_ms08-041.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2015-04-15 13:28:39 |
|