CVE-2006-3423
CVSS 9.3
Published: 2006-07-06 20:05:00
Last revised: 2011-03-10 00:00:00

[Original] WebEx Downloader ActiveX Control and WebEx Downloader Java before 2.1.0.0 do not validate downloaded components, which allows remote attackers to execute arbitrary code via a website that activates the GpcUrlRoot and GpcIniFileName ActiveX controls to cause the client to download a DLL file.


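[CNNVD] WebEx Downloader plug-in GpcUrlRoot and GpcIniFileName ActiveX/Java control remote code execution vulnerability (CNNVD-200607-068)

        WebEx is the world's largest network communication service provider and offers carrier-grade web conferencing solutions.
        A vulnerability exists in the way WebEx handles component downloads; a remote attacker may exploit it to execute arbitrary commands on the user's machine.
        When hosting or joining a web meeting, WebEx uses the Downloader plug-in to download additional components. Because various ActiveX/Java control parameters and configuration directives are not validated during the download, the GpcUrlRoot and GpcIniFileName ActiveX/Java control parameters may allow an attacker to specify the location of a configuration file containing further control directives, allowing the attacker to transfer arbitrary files and executables to the target and thereby fully compromise the system.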

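- CVSS (base score)

CVSS score: 9.3 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause the system to go down completely]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]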

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

cpe:/a:webex_communications:downloader_activexcontrol:2.0.0.7
cpe:/a:webex_communications:downloader_java:2.0.0.9

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3423
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3423
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-068
(Official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/20956
(VENDOR_ADVISORY)  SECUNIA  20956
http://xforce.iss.net/xforce/xfdb/24370
(UNKNOWN)  XF  web-conferencing-code-injection(24370)
http://xforce.iss.net/xforce/alerts/id/226
(UNKNOWN)  ISS  20060706 WebEx ActiveX Control DLL Injection
http://www.zerodayinitiative.com/advisories/ZDI-06-021.html
(VENDOR_ADVISORY)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-06-021.html
http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456
(UNKNOWN)  CONFIRM  http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456
http://www.vupen.com/english/advisories/2006/2688
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2688
http://www.securityfocus.com/bid/18860
(UNKNOWN)  BID  18860
http://www.securityfocus.com/archive/1/archive/1/439496/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060707 ZDI-06-021: WebEx Downloader Plug-in Code Execution Vulnerability
http://www.osvdb.org/27040
(UNKNOWN)  OSVDB  27040
http://www.osvdb.org/27039
(UNKNOWN)  OSVDB  27039
http://securitytracker.com/id?1016446
(UNKNOWN)  SECTRACK  1016446

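- Vulnerability information

WebEx Downloader plug-in GpcUrlRoot and GpcIniFileName ActiveX/Java control remote code execution vulnerability
High risk  Design error
2006-07-06 00:00:00 2007-06-13 00:00:00
Remote
        WebEx is the world's largest network communication service provider and offers carrier-grade web conferencing solutions.
        A vulnerability exists in the way WebEx handles component downloads; a remote attacker may exploit it to execute arbitrary commands on the user's machine.
        When hosting or joining a web meeting, WebEx uses the Downloader plug-in to download additional components. Because various ActiveX/Java control parameters and configuration directives are not validated during the download, the GpcUrlRoot and GpcIniFileName ActiveX/Java control parameters may allow an attacker to specify the location of a configuration file containing further control directives, allowing the attacker to transfer arbitrary files and executables to the target and thereby fully compromise the system.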

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        http://www.webex.com/go/downloadSP30

- Vulnerability information (F48089)

Zero Day Initiative Advisory 06-021 (PacketStormID:F48089)
2006-07-09 00:00:00
Tipping Point  zerodayinitiative.com
advisory,java,arbitrary,activex
CVE-2006-3423

The WebEx Downloader Plug-in suffers from a flaw that exists due to the lack of input validation on various ActiveX/Java control parameters and configuration directives. The "GpcUrlRoot" and "GpcIniFileName" ActiveX/Java control parameters allow an attacker to specify the location of a configuration file containing further control directives. This allows an attacker to transfer arbitrary files and executables to the target. The attacker can then leverage available configuration directives to execute the newly created executables thereby compromising the underlying system.

ZDI-06-021: WebEx Downloader Plug-in Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-021.html
July  6, 2006

-- CVE ID:
CVE-2006-3423

-- Affected Vendor:
WebEx Communications

-- Affected Products:
WebEx Downloader Plug-in (tested on v2.0.0.7)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since April  3, 2006 by Digital Vaccine protection
filter ID 4274. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on
vulnerable installations of the WebEx Downloader Plug-in. Successful
exploitation requires that the target user browse to a malicious web
page.

The specific flaw exists due to the lack of input validation on
various ActiveX/Java control parameters and configuration directives.
The "GpcUrlRoot" and "GpcIniFileName" ActiveX/Java control parameters
allow an attacker to specify the location of a configuration file
containing further control directives. This allows an attacker to
transfer arbitrary files and executables to the target. The attacker
can then leverage available configuration directives to execute the
newly created executables thereby compromising the underlying system.

-- Vendor Response:
WebEx has addressed this issue in the latest release of the Downloader
plug-in. More information is available from the vendor advisory
(#WEBX-06-1-1) at:

http://www.webex.com/lp/security/ActiveAdv.html?TrackID=123456

-- Disclosure Timeline:
2006.04.03 - Digital Vaccine released to TippingPoint customers
2006.04.11 - Vulnerability reported to vendor
2006.07.06 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by an anonymous researcher.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.

    

- Vulnerability information

27039
WebEx Downloader Plug-in ActiveX/Java Source Subversion Arbitrary Program Execution
Remote / Network Access, Context Dependent Input Manipulation
Impact Unknown
Exploit Public, Exploit Private Vendor Verified

- Vulnerability description

WebEx Downloader plug-in contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the ActiveX control installed by WebEx not properly sanitizing user input supplied to the "GpcUrlRoot" and "GpcIniFileName" variables. This may allow an attacker to include a DLL file from a remote host that contains arbitrary commands which will be executed by the vulnerable object under the security context of the user viewing the web page.

- Timeline

2006-07-06 Unknown
Unknown Unknown

- Solution

Upgrade to version SP30 (See Vendor Solution URL) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

WebEx ActiveX Multiple Remote Code Execution Vulnerabilities
Design Error 18860
Yes No
2006-07-06 12:00:00 2007-10-04 04:38:00
David Dewey and Mark Dowd of ISS X-Force are credited with the discovery of this vulnerability.

- Affected software versions

WebEx WebEx ActiveX Control 2.0.0.7
WebEx WebEx ActiveX Control 2.1 0

- Unaffected software versions

WebEx WebEx ActiveX Control 2.1 0

- Vulnerability discussion

WebEx ActiveX control is prone to multiple remote code-execution vulnerabilities.

An attacker could exploit these issues by creating a malicious web page that would initialize the WebEx ActiveX control, and then download and initialize malicious DLL files.

Exploiting this issue could allow an attacker to execute arbitrary code.

WebEx 2.0.0.7 and prior versions are affected.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released a fix to resolve this issue.

- Related references

 

 
