|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If you have found a vulnerability, please send to our SecurityAlert Database : secalert()securityreason()com
Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com |
|
|
Home SecurityAlert Database |
|
|
Topic : | Microsoft Agent Crafted URL Stack Buffer Overflow
|
SecurityAlert : 3124
CVE : CVE-2007-3040
SecurityRisk : High (About)
Remote Exploit : Yes
Local Exploit : Yes
Exploit Available : No
Credit : Assurent Secure Technologies
Published : 13.09.2007
Affected Software : | Microsoft Agent, version 2.0.0.3425 |
 Advisory Content : Microsoft Agent Crafted URL Stack Buffer Overflow
Assurent ID: FSC20070911-11
1. Affected Software
Microsoft Agent, version 2.0.0.3425 (bundled with Windows 2000 Service Pack
4)
Reference: http://www.microsoft.com/msagent/
2. Vulnerability Summary
The Microsoft Agent ActiveX control contains a buffer overflow
vulnerability that allows remote attackers to inject and execute arbitrary
code with the privileges of the currently logged in user.
The affected ActiveX control is registered as below:
File: agentdpv.dll
ProgID: Agent.Control
CLASSID: D45FD31B-5C6E-11D1-9EC1-00C04FD7081F
3. Vulnerability Analysis
The target user is enticed to view a malicious web page. The script in the
web page calls a method of the affected ActiveX control with malicious
arguments. A stack-based buffer will be overrun upon processing the
malicious script.
Assurent has confirmed that code execution is possible. The code in such a
case would execute within the security context of the currently logged in
user.
In an attack case where code injection is not successful, the affected
application will terminate abnormally.
Note that although this vulnerability is exploited through Internet
Explorer, the affected application is the Microsoft Agent application.
4. Vulnerability Detection
Assurent has confirmed the vulnerability in Microsoft Agent shipped with
Windows 2000 SP4. The confirmed vulnerable file version is 2.0.0.3425.
Earlier versions may also be affected.
5. Workaround
Setting the kill bit for the vulnerable ActiveX control's CLSID will
prevent this issue from being exploited via Internet Explorer.
6. Vendor Response
Microsoft has released a bulletin addressing this vulnerability as part of
the September 2007 update cycle.
Reference:
http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
7. Disclosure Timeline
04/18/2007 Reported to vendor
04/23/2007 Initial vendor response
09/10/2007 Coordinated public disclosure
8. Credits
Vulnerability Research Team, Assurent Secure Technologies, a TELUS company
9. References
CVE: CVE-2007-3040
Vendor: MS07-051
10. About Assurent VRS
Assurent's Vulnerability Research Service (VRS) for security product
vendors, and Threat Protection Programs (TPP) for MSPs and enterprise
security teams, help to eliminate the significant costs incurred by
security product vendors, MSPs, and enterprise security teams in responding
to and managing critical new security vulnerabilities and other threats
including worm & virus outbreaks and high-risk spyware. The VRS and TPP
services are real-time feeds providing subscribers with detailed analysis
of the top security vulnerabilities, focused on the specific needs of each
group of customers.
http://www.assurent.com/
Feedback :
If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
|
|
|
|