Vulnerabilities > CVE-2007-0328 - Unspecified vulnerability in Macrovision Flexnet Connect and Update Service

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
macrovision
nessus
NVD
Published: 2007-06-01
Updated: 2024-11-21

Summary

The DWUpdateService ActiveX control in the agent (agent.exe) in Macrovision FLEXnet Connect 6.0 and Update Service 3.x to 5.x allows remote attackers to execute arbitrary commands via (1) the Execute method, and obtain the exit status using (2) the GetExitCode method.

Vulnerable Configurations

Part Description Count
Application
Macrovision
4

Nessus

NASL familyWindows
NASL idFLEXNET_CONNECT_DWUPDATESERVICE_ACTIVEX_CMD_EXEC.NASL
descriptionMacrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally-developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software. The version of FLEXnet Connect on the remote host includes an ActiveX control -- DWUpdateService -- that reportedly allows a remote, unauthenticated attacker to execute arbitrary commands. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to execute arbitrary code on the host subject to the user
last seen2020-06-01
modified2020-06-02
plugin id25371
published2007-06-02
reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/25371
titleMacrovision FLEXnet DWUpdateService ActiveX (agent.exe) Multiple Method Arbitrary Command Execution
code
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25371);
  script_version("1.19");

  script_cve_id("CVE-2007-0328");
 script_xref(name:"CERT", value:"524681");

  script_name(english:"Macrovision FLEXnet DWUpdateService ActiveX (agent.exe) Multiple Method Arbitrary Command Execution");
  script_summary(english:"Checks version of DWUpdateService ActiveX control");

 script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that allows execution of arbitrary commands." );
 script_set_attribute(attribute:"description", value:
"Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host.  It is a
software management solution for internally-developed and third-party applications, and may have been installed as part
of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.

The version of FLEXnet Connect on the remote host includes an ActiveX control -- DWUpdateService -- that reportedly
allows a remote, unauthenticated attacker to execute arbitrary commands.  If an attacker can trick a user on the
affected host into visiting a specially crafted web page, this issue could be leveraged to execute arbitrary code on
the host subject to the user's privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number." );
 script_set_attribute(attribute:"solution", value:
"Either upgrade to a version of the FLEXnet Connect SDK with installer version 12.0.0.49974 or later; or, disable the
control as described in the US-CERT advisory referenced above." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-0328");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/06/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/05/31");
 script_cvs_date("Date: 2019/09/16 11:41:11");

script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:macrovision:flexnet_connect");
script_set_attribute(attribute:"cpe", value:"cpe:/a:macrovision:update_service");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include('global_settings.inc');
include('smb_func.inc');
include('smb_activex_func.inc');


if (!get_kb_item('SMB/Registry/Enumerated')) exit(0);


# Locate the file used by the controls.
if (activex_init() != ACX_OK) exit(0);

clsid = '{551E5190-19C7-4626-9D54-FB20355E6467}';
file = activex_get_filename(clsid:clsid);
if (file)
{
  # Check its version.
  ver = activex_get_fileversion(clsid:clsid);
  if (ver && activex_check_fileversion(clsid:clsid, fix:'6.0.100.60146') == TRUE)
  {
    report = NULL;
    if (report_paranoia > 1)
      report =
        'Version ' + ver + ' of the vulnerable control is installed as :\n' +
        '\n' +
        '  ' + file + '\n' +
        '\n' +
        'Note, though, that Nessus did not check whether the kill bit was\n' +
        'set for the control\'s CLSID because of the Report Paranoia setting\n' +
        'in effect when this scan was run.\n';
    else if (activex_get_killbit(clsid:clsid) == 0)
      report =
        'Version ' + ver + ' of the vulnerable control is installed as :\n' +
        '\n' +
        '  ' + file + '\n' +
        '\n' +
        'Moreover, its kill bit is not set so it is accessible via Internet\n' +
        'Explorer.\n';
    if (report) security_hole(port:kb_smb_transport(), extra:report);
  }
}
activex_end();

References