Vulnerabilities > CVE-2007-0026 - Remote Code Execution vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
microsoft
nessus
NVD
Published: 2007-02-13
Updated: 2018-10-12

Summary

The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS07-011.NASL
descriptionThe remote host contains a version of Microsoft Windows that has a vulnerability in the OLE Dialog component that could be abused by an attacker to execute arbitrary code on the remote host. To exploit this vulnerability, an attacker would need to send a specially crafted RTF file to a user on the remote host and lure him into opening it.
last seen2020-06-01
modified2020-06-02
plugin id24335
published2007-02-13
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/24335
titleMS07-011: Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(24335);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2007-0026");
 script_bugtraq_id(22483);
 script_xref(name:"MSFT", value:"MS07-011");
 script_xref(name:"MSKB", value:"926436");
 
 script_xref(name:"CERT", value:"497756");

 script_name(english:"MS07-011: Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)");
 script_summary(english:"Determines the presence of update 926436");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the OLE
Dialog component provided with Microsoft Windows.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Windows that has a
vulnerability in the OLE Dialog component that could be abused by an
attacker to execute arbitrary code on the remote host.

To exploit this vulnerability, an attacker would need to send a
specially crafted RTF file to a user on the remote host and lure him
into opening it.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-011");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/02/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-011';
kb = "926436";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Oledlg.dll", version:"5.2.3790.2813", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Oledlg.dll", version:"5.2.3790.601", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Oledlg.dll", version:"5.1.2600.3016", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.0", file:"Oledlg.dll", version:"5.0.2195.7114", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2007-04-10T13:44:26.598-04:00
classvulnerability
contributors
nameRobert L. Hollis
organizationThreatGuard, Inc.
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Windows XP SP1 (64-bit) is installed
    ovaloval:org.mitre.oval:def:480
  • commentMicrosoft Windows Server 2003 (x86) Gold is installed
    ovaloval:org.mitre.oval:def:165
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
descriptionThe OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption.
familywindows
idoval:org.mitre.oval:def:540
statusaccepted
submitted2007-02-14T09:49:32
titleOLE Dialog Memory Corruption Vulnerability
version70

References