Vulnerabilities > CVE-2006-6121 - Unspecified vulnerability in Acer Lunchapp.Aplunch

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
acer
nessus

Summary

Acer Notebook LunchApp.APlunch ActiveX control allows remote attackers to execute arbitrary commands by calling the Run method.

Vulnerable Configurations

Part Description Count
Application
Acer
1

Nessus

  • NASL familyWindows
    NASL idACER_LUNCHAPP_ACTIVEX_CODE_EXEC.NASL
    descriptionThe remote host contains an ActiveX control from Acer called LunchApp.APlunch that is reportedly shipped with notebook computers from that manufacturer and is marked as
    last seen2020-06-01
    modified2020-06-02
    plugin id24012
    published2007-01-12
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24012
    titleAcer LunchApp.APlunch ActiveX Arbitrary Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(24012);
      script_version("1.16");
     script_cvs_date("Date: 2018/11/15 20:50:26");
    
      script_cve_id("CVE-2006-6121");
      script_bugtraq_id(21207);
    
      script_name(english:"Acer LunchApp.APlunch ActiveX Arbitrary Command Execution");
      script_summary(english:"Checks for Acer LunchApp.APlunch ActiveX control");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an ActiveX control that allows arbitrary
    code execution.");
      script_set_attribute(attribute:"description", value:
    "The remote host contains an ActiveX control from Acer called
    LunchApp.APlunch that is reportedly shipped with notebook computers
    from that manufacturer and is marked as 'safe for scripting' and 'safe
    for initializing from persistent data'. By tricking a user on the
    affected host into visiting a specially crafted web page, an attacker
    can pass arbitrary commands to the 'Run' method that will be executed
    on the remote host subject to the user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://vuln.sg/acerlunchapp-en.html");
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.acer.com/worldwide/support/#APP"
      );
      script_set_attribute(attribute:"solution", value:"Run the security patch referenced in the vendor advisory above.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("smb_func.inc");
    
    
    # Connect to the appropriate share.
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    #if (!get_port_state(port)) exit(0);
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    #soc = open_sock_tcp(port);
    #if (!soc) exit(0);
    
    #session_init(socket:soc, hostname:name);
    
    if (!smb_session_init()) exit(0);
    
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Determine if the control is installed.
    clid = "D9998BD0-7957-11D2-8FED-00606730D3AA";
    key = "SOFTWARE\Classes\CLSID\{" + clid +  "}\InprocServer32";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    file = NULL;
    if (!isnull(key_h))
    {
      value = RegQueryValue(handle:key_h, item:NULL);
      if (!isnull(value)) file = value[1];
    
      RegCloseKey(handle:key_h);
    }
    RegCloseKey(handle:hklm);
    
    
    # If it is...
    if (file)
    {
      # Determine the version from the DLL itself.
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
      ocx =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(0);
      }
    
      # Make sure the control exists.
      fh = CreateFile(
        file:ocx,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
        create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        CloseFile(handle:fh);
        report = string(
          "\n",
          "Acer's LunchApp.APlunch ActiveX control is installed as :\n",
          "\n",
          "  ", file, "\n"
        );
        security_hole(port:port, extra:report);
      }
    }
    
    
    # Clean up.
    NetUseDel();
    
  • NASL familyWindows
    NASL idACER_ACERCTRLS_APLUNCH_CMD_EXEC.NASL
    descriptionThe remote host contains an ActiveX control from Acer called
    last seen2020-06-01
    modified2020-06-02
    plugin id40666
    published2009-08-21
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40666
    titleAcer AcerCtrls.APlunch ActiveX Arbitrary Command Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40666);
      script_version("1.15");
      script_cvs_date("Date: 2018/06/27 18:42:26");
    
      script_cve_id("CVE-2009-2627");
      script_bugtraq_id(36068);
      script_xref(name:"CERT", value:"485961");
      script_xref(name:"Secunia", value:"36343");
    
      script_name(english:"Acer AcerCtrls.APlunch ActiveX Arbitrary Command Execution");
      script_summary(english:"Checks for the ActiveX control");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an ActiveX control that allows arbitrary
    code execution.");
      script_set_attribute(attribute:"description", value:
    "The remote host contains an ActiveX control from Acer called
    'AcerCtrls.APlunch'.  If this control is distributed with the
    appropriate 'Implemented Categories' registry key, it may be marked as
    safe for scripting.  This would allow a web page in Internet Explorer to
    call the control's 'Run()' method.  A remote attacker could exploit this
    by tricking a user into visiting a malicious web page that executes
    arbitrary commands. 
    
    Please note this vulnerability is similar to, but different from
    CVE-2006-6121.  This control has different parameters and uses a
    different CLSID.");
      script_set_attribute(attribute:"solution", value:
    "No patch is available at this time.  Disable this ActiveX control by
    setting the kill bit for the related CLSID.  Refer to the CERT advisory
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(94);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("smb_func.inc");
    include("smb_activex_func.inc");
    
    
    if (!get_kb_item("SMB/Registry/Enumerated"))
      exit(1, "The 'SMB/Registry/Enumerated' KB item is missing");
    
    # Locate the file used by the controls.
    if (activex_init() != ACX_OK)
       exit(1, "activex_init() failed.");
    
    clsid = "{3895DD35-7573-11D2-8FED-00606730D3AA}";
    file = activex_get_filename(clsid:clsid);
    if (!file)
    {
      activex_end();
      if (isnull(file)) exit(1, "activex_get_filename() returned NULL.");
      else exit(0, "The AcerCtrls.APlunch control is not installed.");
    }
    
    # Acer hasn't released a patch yet.  All we can do for now is check to see
    # if the kill bit is set.
    if (activex_get_killbit(clsid:clsid) == 0)
    {
      if (report_verbosity > 0)
      {
        version = activex_get_fileversion(clsid:clsid);
        if (!version) version = "Unknown";
    
        report = string(
          "\n",
          "The kill bit is not set for the following control :\n\n",
          "  Class Identifier : ", clsid, "\n",
          "  Filename         : ", file, "\n",
          "  Version          : ", version, "\n"
        );
    
        security_hole(port:kb_smb_transport(), extra:report);
      }
      else security_hole(port:kb_smb_transport());
      
      exit (0);
    }
    else exit(0, "The system is not affected.");