Vulnerabilities > CVE-2007-3168 - Unspecified vulnerability in Edraw Office Viewer Component 4.0.5.20

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
COMPLETE
network
edraw
nessus
exploit available
NVD
Published: 2007-06-11
Updated: 2017-10-11

Summary

A certain ActiveX control in the EDraw Office Viewer Component (edrawofficeviewer.ocx) 4.0.5.20, and other versions before 5.0, allows remote attackers to delete arbitrary files via the DeleteLocalFile method.

Vulnerable Configurations

Part Description Count
Application
Edraw
2

Exploit-Db

descriptionEDraw Office Viewer Component Unsafe Method Exploit. CVE-2007-3168. Remote exploit for windows platform
fileexploits/windows/remote/4010.html
idEDB-ID:4010
last seen2016-01-31
modified2007-05-30
platformwindows
port
published2007-05-30
reportershinnai
sourcehttps://www.exploit-db.com/download/4010/
titleEDraw Office Viewer Component Unsafe Method Exploit
typeremote

Nessus

NASL familyWindows
NASL idOFFICEVIEWER_ACTIVEX_5.NASL
descriptionThe remote host contains the Office Viewer Component, an ActiveX control for working with Microsoft Office documents. The version of this control installed on the remote host contains a buffer overflow in its
last seen2020-06-01
modified2020-06-02
plugin id26012
published2007-09-10
reporterThis script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/26012
titleOffice Viewer Component < 5.0 Multiple Vulnerabilities
code
#
#  (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description)
{
  script_id(26012);
  script_version("1.11");

  script_cve_id("CVE-2007-3168", "CVE-2007-3169");
  script_bugtraq_id(24229, 24230);
  script_xref(name:"EDB-ID", value:"4009");
  script_xref(name:"EDB-ID", value:"4010");

  script_name(english:"Office Viewer Component < 5.0 Multiple Vulnerabilities");
  script_summary(english:"Checks version of Office Viewer Component ActiveX control"); 
 
 script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by
multiple issues." );
 script_set_attribute(attribute:"description", value:
"The remote host contains the Office Viewer Component, an ActiveX
control for working with Microsoft Office documents. 

The version of this control installed on the remote host contains a
buffer overflow in its 'HttpDownloadFile' method that could be
exploited to execute arbitrary code remotely if an attacker can trick
a user on the affected host into visiting a specially crafted web
page. 

In addition, it also allows an attacker to delete arbitrary files via
the 'DeleteLocalFile' method." );
 script_set_attribute(attribute:"see_also", value:"http://moaxb.blogspot.com/2007/05/moaxb-28-edraw-office-viewer-component.html" );
 script_set_attribute(attribute:"see_also", value:"http://moaxb.blogspot.com/2007/05/moaxb-29-edraw-office-viewer-component.html" );
 script_set_attribute(attribute:"see_also", value:"http://www.ocxt.com/archives/28" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to Office Viewer Component version 5 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_cwe_id(119);


 script_set_attribute(attribute:"plugin_publication_date", value: "2007/09/10");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/05/28");
 script_cvs_date("Date: 2018/08/22 16:49:14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("smb_activex_func.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Locate the file used by the controls.
if (activex_init() != ACX_OK) exit(0);

clsid = "{053AFEBA-D968-435F-B557-19FF76372B1B}";
file = activex_get_filename(clsid:clsid);
if (file)
{
  # Check its version.
  ver = activex_get_fileversion(clsid:clsid);
  if (ver && activex_check_fileversion(clsid:clsid, fix:"5.0.0.0") == TRUE)
  {
    report = string(
      "Version ", ver, " of the vulnerable control is installed as :\n",
      "\n",
      "  ", file, "\n"
    );
    security_hole(port:kb_smb_transport(), extra:report);
  }
}
activex_end();

References