On Mon, Jan 16, 2012 at 4:33 AM, Emanuel Rietveld <[email protected]> wrote: > I might be missing something, but if exploitation of this vulnerability > requires the ability to instantiate the activeX control and calling a > method, how is this a vulnerability? > > If the user allows arbitrary activeX controls to instantiate and allows > scripting access, one could simply instantiate WScript.Shell and call > WScript.Shell.Exec(). The control MyCioScan.Scan is not marked safe by > default on my system, and attempting to instantiate it gives exactly the > same security prompts as trying to instantiate WScript.Shell. What happens under a bad-case scenario when the bad guy controls the computer and allows it to run? Perhaps he/she gets access to the computer when the receptionists ask the attacker to sign in for a meeting, or there's an extra terminal in a conference room, etc.
> On 01/12/2012 07:58 PM, ZDI Disclosures wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> ZDI-12-012 : (0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote >> Command Execution >> http://www.zerodayinitiative.com/advisories/ZDI-12-012 >> January 12, 2012 >> >> - -- CVE ID: >> >> >> - -- CVSS: >> 9, AV:N/AC:L/Au:N/C:P/I:P/A:C >> >> - -- Affected Vendors: >> >> McAfee >> >> >> >> - -- Affected Products: >> >> McAfee Security-as-a-Service >> >> >> >> - -- TippingPoint(TM) IPS Customer Protection: >> TippingPoint IPS customers have been protected against this >> vulnerability by Digital Vaccine protection filter ID 11710. >> For further product information on the TippingPoint IPS, visit: >> >> http://www.tippingpoint.com >> >> - -- Vulnerability Details: >> This vulnerability allows remote attackers to execute arbitrary code on >> vulnerable installations of McAfee Security-as-a-Service. User >> interaction is required to exploit this vulnerability in that the target >> must visit a malicious page or open a malicious file. >> >> The specific flaws exists within myCIOScn.dll. >> MyCioScan.Scan.ShowReport() will accept commands that are passed to a >> function that simply executes them without authentication. This can be >> leveraged by a malicious attacker to execute arbitrary code within the >> context of the browser. >> >> - -- Vendor Response: >> >> >> >> - -- Mitigation: >> The killbit can be set on this control to disable scripting within >> Internet Explorer by modifying the data value of the Compatibilty Flags >> DWORD within the following location in the registry: >> >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX >> Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 >> >> If the Compatibility Flags value is set to 0x00000400 the control can no >> longer be instantiated inside the browser. For more information, please >> see: http://support.microsoft.com/kb/240797 >> >> >> - -- Disclosure Timeline: >> 2011-04-01 - Vulnerability reported to vendor >> >> 2012-01-12 - 0Day advisory released in accordance with the ZDI 180 day >> deadline policy >> >> >> >> - -- Credit: >> This vulnerability was discovered by: >> >> * Andrea Micalizzi aka rgod >> >> >> >> - -- About the Zero Day Initiative (ZDI): >> Established by TippingPoint, The Zero Day Initiative (ZDI) represents >> a best-of-breed model for rewarding security researchers for responsibly >> disclosing discovered vulnerabilities. >> >> Researchers interested in getting paid for their security research >> through the ZDI can find more information and sign-up at: >> >> http://www.zerodayinitiative.com >> >> The ZDI is unique in how the acquired vulnerability information is >> used. TippingPoint does not re-sell the vulnerability details or any >> exploit code. Instead, upon notifying the affected product vendor, >> TippingPoint provides its customers with zero day protection through >> its intrusion prevention technology. Explicit details regarding the >> specifics of the vulnerability are not exposed to any parties until >> an official vendor patch is publicly available. Furthermore, with the >> altruistic aim of helping to secure a broader user base, TippingPoint >> provides this vulnerability information confidentially to security >> vendors (including competitors) who have a vulnerability protection or >> mitigation product. >> >> Our vulnerability disclosure policy is available online at: >> >> http://www.zerodayinitiative.com/advisories/disclosure_policy/ >> >> Follow the ZDI on Twitter: >> >> http://twitter.com/thezdi >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v2.0.17 (MingW32) >> >> iQEcBAEBAgAGBQJPDy1iAAoJEFVtgMGTo1sc1NsIALRdu4rAi5JGNXA65mVWe5J5 >> 9hOkq0X7rXKQtBOF+3bQZUGl0LaM5GwRVY+PxZ56PBArPRwjC7pcXrXOKHYQjcCn >> /w5YjiL/wAhjGkjbpmyUaVrsFu5klazt1jj315NvEH6cNS7uTWuhJo+hQki1o9wA >> SLlg8De1EiQDQ0UDUT9oAknnyKJFiye3tCWQqAiEOi0sxTxNsf/Qhwdk9gjPTjz8 >> iPkiN+A+TCpdHNmhvCykW5/sB2M8BJVGKUGTgnbCvCzEfdf2kXhsutIj7WQ3kmlR >> qwwOd6f//q1ogn3ggif1d+wn64as+5pm88un0a5H+QGhJPBT1vMk1bLp80Pyggg= >> =ldZO >> -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
