Vulnerabilities > CVE-2007-5605 - Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Buffer overflow in the GetFileTime function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long argument, a different vulnerability than CVE-2007-5604, CVE-2007-5606, and CVE-2007-5607.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Windows NASL id SMB_KB_953839.NASL description The remote host is missing a list of kill bits for ActiveX controls that are known to contain vulnerabilities. If these ActiveX controls are ever installed on the remote host, either now or in the future, they would expose it to various security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 33881 published 2008-08-13 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33881 title MS KB953839: Cumulative Security Update of ActiveX Kill Bits code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(33881); script_version("1.25"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2007-5605", "CVE-2007-5606"); script_bugtraq_id(27539, 29531, 29532, 30548); script_xref(name:"MSKB", value:"953839"); script_name(english:"MS KB953839: Cumulative Security Update of ActiveX Kill Bits"); script_summary(english:"Determines if the newest kill bits are set"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is missing a security update containing ActiveX kill bits."); script_set_attribute(attribute:"description", value: "The remote host is missing a list of kill bits for ActiveX controls that are known to contain vulnerabilities. If these ActiveX controls are ever installed on the remote host, either now or in the future, they would expose it to various security issues."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/953839"); script_set_attribute(attribute:"solution", value: "Microsoft has released an advisory for KB953839."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion"); script_require_ports(139, 445); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_activex_func.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0, "The 'SMB/Registry/Enumerated' KB item is missing."); if (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:2) <= 0) exit(0, "The host is not affected based on its version / service pack."); if (hotfix_check_server_core() == 1) exit(0, "Windows Server Core installs are not affected."); if (activex_init() != ACX_OK) exit(1, "Unable to initialize the ActiveX API."); # Test each control. info = ""; clsids = make_list( "{B60770C2-0390-41A8-A8DE-61889888D840}", "{44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9}", "{76EE578D-314B-4755-8365-6E1722C001A2}", "{F89EF74A-956B-4BD3-A066-4F23DF891982}", "{101D2283-EED9-4BA2-8F3F-23DB860946EB}", "{69C462E1-CD41-49E3-9EC2-D305155718C1}", "{41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA}", "{108092BF-B7DB-40D1-B7FB-F55922FCC9BE}", "{CF08D263-B832-42DB-8950-F40C9E672E27}", "{F1F51698-7B63-4394-8743-1F4CF1853DE1}", "{905BF7D7-6BC1-445A-BE53-9478AC096BEB}", "{916063A5-0098-4FB7-8717-1B2C62DD4E45}", "{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}", "{AE6C4705-0F11-4ACB-BDD4-37F138BEF289}", "{FA8932FF-E064-4378-901C-69CB94E3A20A}", "{3604EC19-E009-4DCB-ABC5-BB95BF92FD8B}", "{65FB3073-CA8E-42A1-9A9A-2F826D05A843}", "{7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3}", "{9BAFC7B3-F318-4BD4-BABB-6E403272615A}", "{05CDEE1D-D109-4992-B72B-6D4F5E2AB731}", "{977315A5-C0DB-4EFD-89C2-10AA86CA39A5}", "{1E0D3332-7441-44FF-A225-AF48E977D8B6}", "{B85537E9-2D9C-400A-BC92-B04F4D9FF17D}", "{2C2DE2E6-2AD1-4301-A6A7-DF364858EF01}", "{0270E604-387F-48ED-BB6D-AA51F51D6FC3}", "{FC28B75F-F9F6-4C92-AF91-14A3A51C49FB}", "{86C2B477-5382-4A09-8CA3-E63B1158A377}", "{8CC18E3F-4E2B-4D27-840E-CB2F99A3A003}", "{68BBCA71-E1F6-47B2-87D3-369E1349D990}", "{8DBC7A04-B478-41D5-BE05-5545D565B59C}", "{D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6}", "{6CA73E8B-B584-4533-A405-3D6F9C012B56}", "{6E5E167B-1566-4316-B27F-0DDAB3484CF7}", "{A7866636-ED52-4722-82A9-6BAABEFDBF96}", "{B0A08D67-9464-4E73-A549-2CC208AC60D3}", "{3D6A1A85-DE54-4768-9951-053B3B02B9B0}", "{947F2947-2296-42FE-92E6-E2E03519B895}", "{47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB}", "{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}", "{926618A9-4035-4CD6-8240-64C58EB37B07}", "{B95B52E9-B839-4412-96EB-4DABAB2E4E24}", "{CB05A177-1069-4A7A-AB0A-5E6E00DCDB76}", "{A233E654-53FF-43AA-B1E2-60DA2E89A1EC}", "{6981B978-70D9-40B9-B00E-903B6FC8CA8A}", "{C86EE68A-9C77-4441-BD35-14CC6CC4A189}", "{2875E7A5-EE3C-4FE7-A23E-DE0529D12028}", "{66E07EF9-4E89-4284-9632-6D6904B77732}", "{00D46195-B634-4C41-B53B-5093527FB791}", "{497EE41C-CE06-4DD4-8308-6C730713C646}", "{7A12547F-B772-4F2D-BE36-CE5D0FA886A1}", "{0B9C0C26-728C-4FDA-B8DD-59806E20E4D9}", "{F399F5B6-3C63-4674-B0FF-E94328B1947D}", "{8C7A23D9-2A9B-4AEA-BA91-3003A316B44D}", "{E6127E3B-8D17-4BEA-A039-8BB9D0D105A2}", "{A3796166-A03C-418A-AF3A-060115D4E478}", "{73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A}", "{93C5524B-97AE-491E-8EB7-2A3AD964F926}", "{833E62AD-1655-499F-908E-62DCA1EB2EC6}", "{285CAE3C-F16A-4A84-9A80-FF23D6E56D68}", "{AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B}", "{4614C49A-0B7D-4E0D-A877-38CCCFE7D589}", "{974E1D88-BADF-4C80-8594-A59039C992EA}", "{692898BE-C7CC-4CB3-A45C-66508B7E2C33}", "{F6A7FF1B-9951-4CBE-B197-EA554D6DF40D}", "{038F6F55-C9F0-4601-8740-98EF1CA9DF9A}", "{652623DC-2BB4-4C1C-ADFB-57A218F1A5EE}", "{BA162249-F2C5-4851-8ADC-FC58CB424243}", "{9275A865-754B-4EDF-B828-FED0F8D344FC}", "{6C095616-6064-43ca-9180-CF1B6B6A0BE4}", "{E1A26BBF-26C0-401d-B82B-5C4CC67457E0}", "{A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98}", "{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}", "{E4C97925-C194-4551-8831-EABBD0280885}", "{CC7DA087-B7F4-4829-B038-DA01DFB5D879}", "{14C1B87C-3342-445F-9B5E-365FF330A3AC}", "{60178279-6D62-43af-A336-77925651A4C6}", "{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772}", "{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}", "{93441C07-E57E-4086-B912-F323D741A9D8}", "{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}", "{CF6866F9-B67C-4B24-9957-F91E91E788DC}", "{A95845D8-8463-4605-B5FB-4F8CFBAC5C47}", "{B9C13CD0-5A97-4C6B-8A50-7638020E2462}", "{C70D0641-DDE1-4FD7-A4D4-DA187B80741D}", "{DE233AFF-8BD5-457E-B7F0-702DBEA5A828}", "{AB049B11-607B-46C8-BBF7-F4D6AF301046}", "{910E7ADE-7F75-402D-A4A6-BB1A82362FCA}", "{42C68651-1700-4750-A81F-A1F5110E0F66}", "{BF931895-AF82-467A-8819-917C6EE2D1F3}", "{4774922A-8983-4ECC-94FD-7235F06F53A1}", "{E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0}", "{C94188F6-0F9F-46B3-8B78-D71907BD8B77}", "{6470DE80-1635-4B5D-93A3-3701CE148A79}", "{17E67D4A-23A1-40D8-A049-EE34C0AF756A}", "{AB237044-8A3B-42BB-9EE1-9BFA6721D9ED}", "{784F2933-6BDD-4E5F-B1BA-A8D99B603649}" ); foreach clsid (clsids) { if (activex_get_killbit(clsid:clsid) == 0) { info += ' ' + clsid + '\n'; if (!thorough_tests) break; } } activex_end(); if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 1) s = "s"; else s = ""; report = string( "\n", "The kill bit has not been set for the following control", s, " :\n", "\n", info ); if (!thorough_tests) { report = string( report, "\n", "Note that Nessus did not check whether there were other kill bits\n", "that have not been set because the 'Perofrm thorough tests' setting\n", "was not enabled when this scan was run.\n" ); } security_warning(port:kb_smb_transport(), extra:report); } else security_warning(kb_smb_transport()); }
NASL family Windows NASL id HPISDATAMANAGER_ACTIVEX_1_0_0_24.NASL description The remote host contains several ActiveX controls in HP Instant Support HPISDataManager.dll, a web-based diagnostic tool from Hewlett-Packard. The version of the controls installed on the remote host reportedly are affected by several issues. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, this method could be used to execute arbitrary code by means of buffer overflows or to execute delete, download, and write to arbitrary files on the affected system, all subject to the user last seen 2020-06-01 modified 2020-06-02 plugin id 33095 published 2008-06-05 reporter This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/33095 title HP Instant Support HPISDataManager.dll ActiveX Control < 1.0.0.24 Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(33095); script_version("1.18"); script_cve_id( "CVE-2007-5604", "CVE-2007-5605", "CVE-2007-5606", "CVE-2007-5607", "CVE-2007-5608", "CVE-2007-5610", "CVE-2008-0952", "CVE-2008-0953" ); script_bugtraq_id( 29529, 29530, 29531, 29532, 29533, 29534, 29535, 29536 ); script_xref(name:"Secunia", value:"30516"); script_name(english:"HP Instant Support HPISDataManager.dll ActiveX Control < 1.0.0.24 Vulnerabilities"); script_summary(english:"Checks version of HPISDataManager.dll control"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has several ActiveX controls that are affected by multiple vulnerabilities." ); script_set_attribute(attribute:"description", value: "The remote host contains several ActiveX controls in HP Instant Support HPISDataManager.dll, a web-based diagnostic tool from Hewlett-Packard. The version of the controls installed on the remote host reportedly are affected by several issues. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, this method could be used to execute arbitrary code by means of buffer overflows or to execute delete, download, and write to arbitrary files on the affected system, all subject to the user's privileges." ); script_set_attribute(attribute:"see_also", value:"http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/29" ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/26" ); script_set_attribute(attribute:"solution", value: "Upgrade to HP Instant Support version 1.0.0.24 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(94); script_set_attribute(attribute:"plugin_publication_date", value: "2008/06/05"); script_set_attribute(attribute:"patch_publication_date", value: "2008/06/03"); script_cvs_date("Date: 2018/11/15 20:50:27"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:instant_support"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("smb_func.inc"); include("smb_activex_func.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); # Locate the file used by the controls. if (activex_init() != ACX_OK) exit(0); clsid = "{14C1B87C-3342-445F-9B5E-365FF330A3AC}"; file = activex_get_filename(clsid:clsid); if (file) { ver = activex_get_fileversion(clsid:clsid); if (ver && activex_check_fileversion(clsid:clsid, fix:"6.0.10.50") == TRUE) { report = NULL; if (report_paranoia > 1) report = string( "\n", "Version ", ver, " of the vulnerable control is installed as :\n", "\n", " ", file, "\n", "\n", "Note, though, that Nessus did not check whether the kill bit was\n", "set for the control's CLSID because of the Report Paranoia setting\n", "in effect when this scan was run.\n" ); else if (activex_get_killbit(clsid:clsid) == 0) report = string( "\n", "Version ", ver, " of the vulnerable control is installed as :\n", "\n", " ", file, "\n", "\n", "Moreover, its kill bit is not set so it is accessible via Internet\n", "Explorer.\n" ); if (report) { if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report); else security_hole(kb_smb_transport()); } } } activex_end();
References
- http://secunia.com/advisories/30516
- http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf
- http://www.kb.cert.org/vuls/id/558163
- http://www.securityfocus.com/bid/29526
- http://www.securityfocus.com/bid/29531
- http://www.securitytracker.com/id?1020165
- http://www.vupen.com/english/advisories/2008/1740/references
- http://www12.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01422264
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42845