Vulnerabilities > CVE-2006-6121 - Remote Code Execution vulnerability in Acer LunchApp.APlunch ActiveX Control

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
acer
critical
nessus

Summary

Acer Notebook LunchApp.APlunch ActiveX control allows remote attackers to execute arbitrary commands by calling the Run method.

Vulnerable Configurations

Part Description Count
Application
Acer
1

Nessus

  • NASL family: Windows
    NASL id: ACER_LUNCHAPP_ACTIVEX_CODE_EXEC.NASL
    description: The remote host contains an ActiveX control from Acer called LunchApp.APlunch that is reportedly shipped with notebook computers from that manufacturer and is marked as 'safe for scripting' and 'safe for initializing from persistent data'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24012
    published: 2007-01-12
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24012
    title: Acer LunchApp.APlunch ActiveX Arbitrary Command Execution
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    # Registration pass: when the plugin is loaded with 'description' set, only
    # the metadata below is recorded and the script exits (see the exit(0) at
    # the end of this block) before any check is performed.
    if (description)
    {
      script_id(24012);
      script_version("1.16");
     script_cvs_date("Date: 2018/11/15 20:50:26");
    
      # Identifiers that tie this check to the advisory it covers.
      script_cve_id("CVE-2006-6121");
      script_bugtraq_id(21207);
    
      script_name(english:"Acer LunchApp.APlunch ActiveX Arbitrary Command Execution");
      script_summary(english:"Checks for Acer LunchApp.APlunch ActiveX control");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an ActiveX control that allows arbitrary
    code execution.");
      script_set_attribute(attribute:"description", value:
    "The remote host contains an ActiveX control from Acer called
    LunchApp.APlunch that is reportedly shipped with notebook computers
    from that manufacturer and is marked as 'safe for scripting' and 'safe
    for initializing from persistent data'. By tricking a user on the
    affected host into visiting a specially crafted web page, an attacker
    can pass arbitrary commands to the 'Run' method that will be executed
    on the remote host subject to the user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://vuln.sg/acerlunchapp-en.html");
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.acer.com/worldwide/support/#APP"
      );
      script_set_attribute(attribute:"solution", value:"Run the security patch referenced in the vendor advisory above.");
      # CVSS v2 base vector: network attack vector, medium access complexity,
      # no authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # CVSS v2 temporal vector: E:H (high exploitability), RL:OF (official fix),
      # RC:C (confirmed report); consistent with the exploit attributes below.
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      # NOTE(review): the patch date recorded here (2007/01/16) is later than the
      # plugin publication date (2007/01/12); the values are kept as published.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/11/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/01/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      # ACT_GATHER_INFO: registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      # Preconditions: the check depends on smb_hotfixes.nasl, on the
      # "SMB/Registry/Enumerated" KB item and on the SMB ports 139/445.
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("smb_func.inc");
    
    
    # Authenticated presence check for the LunchApp.APlunch control.
    # Steps: read the control's registered file path from HKLM over the remote
    # registry, confirm over the drive's administrative share that the file
    # exists, and raise a finding that names the path.
    #
    # NOTE(review): the finding is raised on registration plus file presence
    # alone. This script does not read the kill bit, the 'safe for scripting'
    # category keys or the file version, so a host that has been remediated
    # but still carries the file may still be reported; confirm remediation
    # separately before closing or escalating a finding.
    #
    # Connect to the appropriate share.
    # Exits silently (no finding, no message) when the registry was not enumerated.
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    # Connection parameters and credentials come from the knowledge base.
    name    =  kb_smb_name();
    port    =  kb_smb_transport();
    #if (!get_port_state(port)) exit(0);
    login   =  kb_smb_login();
    pass    =  kb_smb_password();
    domain  =  kb_smb_domain();
    
    #soc = open_sock_tcp(port);
    #if (!soc) exit(0);
    
    #session_init(socket:soc, hostname:name);
    
    if (!smb_session_init()) exit(0);
    
    
    # IPC$ is connected first; the remote registry calls below run over it.
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
    if (rc != 1)
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Connect to remote registry.
    hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
    if (isnull(hklm))
    {
      NetUseDel();
      exit(0);
    }
    
    
    # Determine if the control is installed.
    # Only the machine-wide registration under HKLM\SOFTWARE\Classes is read;
    # no other hive or registry view is examined by this script.
    clid = "D9998BD0-7957-11D2-8FED-00606730D3AA";
    key = "SOFTWARE\Classes\CLSID\{" + clid +  "}\InprocServer32";
    key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
    file = NULL;
    if (!isnull(key_h))
    {
      # item:NULL requests the key's default value, used here as the file path.
      value = RegQueryValue(handle:key_h, item:NULL);
      # presumably value[1] is the data and value[0] the registry type - confirm
      # against smb_func.inc
      if (!isnull(value)) file = value[1];
    
      RegCloseKey(handle:key_h);
    }
    RegCloseKey(handle:hklm);
    
    
    # If it is...
    if (file)
    {
      # Split the registered path into the administrative share for its drive
      # (drive letter followed by "$") and the path relative to that drive.
      # No file version is read here.
      # NOTE(review): a path that does not start with a drive letter leaves both
      # strings equal to the original value; the share connection below is then
      # expected to fail and the script exits without reporting - confirm.
      share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
      ocx =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);
      # Drop the IPC$ connection; close:FALSE presumably keeps the SMB session
      # open for the next NetUseAdd - confirm against smb_func.inc.
      NetUseDel(close:FALSE);
    
      rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
      if (rc != 1)
      {
        NetUseDel();
        exit(0);
      }
    
      # Make sure the control exists.
      # The file is opened read-only with OPEN_EXISTING, so nothing is created
      # or modified on the target.
      fh = CreateFile(
        file:ocx,
        desired_access:GENERIC_READ,
        file_attributes:FILE_ATTRIBUTE_NORMAL,
        share_mode:FILE_SHARE_READ,
        create_disposition:OPEN_EXISTING
      );
      if (!isnull(fh))
      {
        CloseFile(handle:fh);
        # The report carries the registered path so the finding can be checked
        # on the host.
        report = string(
          "\n",
          "Acer's LunchApp.APlunch ActiveX control is installed as :\n",
          "\n",
          "  ", file, "\n"
        );
        security_hole(port:port, extra:report);
      }
    }
    
    
    # Clean up.
    NetUseDel();
    
  • NASL family: Windows
    NASL id: ACER_ACERCTRLS_APLUNCH_CMD_EXEC.NASL
    description: The remote host contains an ActiveX control from Acer called 'AcerCtrls.APlunch'.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 40666
    published: 2009-08-21
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/40666
    title: Acer AcerCtrls.APlunch ActiveX Arbitrary Command Execution
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the plugin is loaded with 'description' set, only
    # the metadata below is recorded and the script exits (see the exit(0) at
    # the end of this block) before any check is performed.
    if (description)
    {
      script_id(40666);
      script_version("1.15");
      script_cvs_date("Date: 2018/06/27 18:42:26");
    
      # Identifiers and cross-references for the advisory this check covers.
      script_cve_id("CVE-2009-2627");
      script_bugtraq_id(36068);
      script_xref(name:"CERT", value:"485961");
      script_xref(name:"Secunia", value:"36343");
    
      script_name(english:"Acer AcerCtrls.APlunch ActiveX Arbitrary Command Execution");
      script_summary(english:"Checks for the ActiveX control");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an ActiveX control that allows arbitrary
    code execution.");
      script_set_attribute(attribute:"description", value:
    "The remote host contains an ActiveX control from Acer called
    'AcerCtrls.APlunch'.  If this control is distributed with the
    appropriate 'Implemented Categories' registry key, it may be marked as
    safe for scripting.  This would allow a web page in Internet Explorer to
    call the control's 'Run()' method.  A remote attacker could exploit this
    by tricking a user into visiting a malicious web page that executes
    arbitrary commands. 
    
    Please note this vulnerability is similar to, but different from
    CVE-2006-6121.  This control has different parameters and uses a
    different CLSID.");
      script_set_attribute(attribute:"solution", value:
    "No patch is available at this time.  Disable this ActiveX control by
    setting the kill bit for the related CLSID.  Refer to the CERT advisory
    for more information.");
      # CVSS v2 base vector: network attack vector, medium access complexity,
      # no authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # CVSS v2 temporal vector: E:U (unproven exploit), RL:OF (official fix),
      # RC:C (confirmed report).
      # NOTE(review): RL:OF sits oddly next to the solution text above, which
      # says no patch is available; the vector is kept as published - confirm
      # which of the two is current before relying on the temporal score.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-94: Improper Control of Generation of Code ('Code Injection').
      script_cwe_id(94);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/08/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      # ACT_GATHER_INFO: registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # Preconditions: the check depends on smb_hotfixes.nasl, on the
      # "SMB/Registry/Enumerated" KB item and on the SMB ports 139/445.
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("smb_func.inc");
    include("smb_activex_func.inc");
    
    
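    # Authenticated check for the AcerCtrls.APlunch control: a finding is raised
    # when the control is registered on the host and its kill bit is not set.
    # Exit code 1 marks an error in the check itself; exit code 0 with a message
    # marks a host that is not affected.
    if (!get_kb_item("SMB/Registry/Enumerated"))
      exit(1, "The 'SMB/Registry/Enumerated' KB item is missing");
    
    # Locate the file used by the control.
    if (activex_init() != ACX_OK)
       exit(1, "activex_init() failed.");
    
    clsid = "{3895DD35-7573-11D2-8FED-00606730D3AA}";
    file = activex_get_filename(clsid:clsid);
    if (!file)
    {
      activex_end();
      # NULL is a lookup failure; any other empty result means the control is
      # not registered.
      if (isnull(file)) exit(1, "activex_get_filename() returned NULL.");
      else exit(0, "The AcerCtrls.APlunch control is not installed.");
    }
    
    # Acer hasn't released a patch yet.  All we can do for now is check to see
    # if the kill bit is set.
    # NOTE(review): every result other than 0 is treated as "not affected",
    # which would include an error value if the helper can return one - confirm
    # against smb_activex_func.inc.
    killbit = activex_get_killbit(clsid:clsid);
    
    # The file version is only needed for the verbose report, so it is only
    # fetched in that case.
    version = NULL;
    if (killbit == 0 && report_verbosity > 0)
    {
      version = activex_get_fileversion(clsid:clsid);
      if (!version) version = "Unknown";
    }
    
    # Every remote lookup is done; release the ActiveX helper's session on the
    # affected and not-affected paths too, as the not-installed path already does.
    activex_end();
    
    if (killbit == 0)
    {
      if (report_verbosity > 0)
      {
        # The report names the CLSID, file and version so the finding can be
        # verified on the host and the kill bit applied to the right class.
        report = string(
          "\n",
          "The kill bit is not set for the following control :\n\n",
          "  Class Identifier : ", clsid, "\n",
          "  Filename         : ", file, "\n",
          "  Version          : ", version, "\n"
        );
    
        security_hole(port:kb_smb_transport(), extra:report);
      }
      else security_hole(port:kb_smb_transport());
    
      exit(0);
    }
    else exit(0, "The system is not affected.");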