Vulnerabilities > CVE-2007-5606 - Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
hp
critical
nessus

Summary

Buffer overflow in the MoveFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long argument, a different vulnerability than CVE-2007-5604, CVE-2007-5605, and CVE-2007-5607.

Vulnerable Configurations

Part Description Count
Application
Hp
1

Nessus

  • NASL family: Windows
    NASL id: SMB_KB_953839.NASL
    description: The remote host is missing a list of kill bits for ActiveX controls that are known to contain vulnerabilities. If these ActiveX controls are ever installed on the remote host, either now or in the future, they would expose it to various security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33881
    published: 2008-08-13
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33881
    title: MS KB953839: Cumulative Security Update of ActiveX Kill Bits
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares
    # its metadata (ids, references, texts, scoring, prerequisites) and then
    # exits, so none of the checks further down run in this mode.
    if (description)
    {
     script_id(33881);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     # References attached to the finding: two CVE ids, four Bugtraq ids and the
     # Microsoft KB number the plugin is named after.
     script_cve_id("CVE-2007-5605", "CVE-2007-5606");
     script_bugtraq_id(27539, 29531, 29532, 30548);
     script_xref(name:"MSKB", value:"953839");
    
     script_name(english:"MS KB953839: Cumulative Security Update of ActiveX Kill Bits");
     script_summary(english:"Determines if the newest kill bits are set");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is missing a security update containing
    ActiveX kill bits.");
     script_set_attribute(attribute:"description", value:
    "The remote host is missing a list of kill bits for ActiveX controls
    that are known to contain vulnerabilities. 
    
    If these ActiveX controls are ever installed on the remote host,
    either now or in the future, they would expose it to various security
    issues.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2008/953839");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released an advisory for KB953839.");
     # Plugin-level CVSS2 scoring: network vector, high access complexity, no
     # authentication, partial C/I/A impact; the temporal vector records an
     # unproven exploit (E:U) and an official fix (RL:OF).
     # NOTE(review): this rates the missing kill-bit update as one finding and is
     # presumably not the score of either CVE listed above -- confirm before
     # using it to prioritise remediation.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/13");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe",value:"cpe:/o:microsoft:windows");
     script_end_attributes();
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
     
     # Prerequisites: the smb_hotfixes.nasl dependency, the registry-enumeration
     # and Windows-version KB items, and ports 139 / 445.
     script_dependencies("smb_hotfixes.nasl");
     script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
     script_require_ports(139, 445);
     # Leave before the check code that follows this block.
     exit(0);
    }
    
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_activex_func.inc");
    
    
    # Preconditions, evaluated in order; each failure ends the script with an
    # explanatory message so the reason is visible in the scan's audit output.

    # 1. The registry must have been enumerated (KB item set by a dependency).
    if (!get_kb_item("SMB/Registry/Enumerated"))
    {
      exit(0, "The 'SMB/Registry/Enumerated' KB item is missing.");
    }

    # 2. A hotfix_check_sp() result of zero or less is treated as "not affected"
    #    for the listed Windows releases / service-pack values.
    if (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:2) <= 0)
    {
      exit(0, "The host is not affected based on its version / service pack.");
    }

    # 3. Server Core installs are skipped.
    if (hotfix_check_server_core() == 1)
    {
      exit(0, "Windows Server Core installs are not affected.");
    }

    # 4. The ActiveX helper API must initialise; this is the only precondition
    #    that exits with a non-zero status.
    if (activex_init() != ACX_OK)
    {
      exit(1, "Unable to initialize the ActiveX API.");
    }
    
    
    # Test each control.
    # `info` accumulates one line per CLSID whose kill bit is found unset.
    info = "";
    # CLSIDs whose kill bits this plugin looks up.
    # NOTE(review): presumably the set published with KB953839 -- verify against
    # the advisory before relying on the list being complete.
    # The list includes {14C1B87C-3342-445F-9B5E-365FF330A3AC}, the CLSID that the
    # HP Instant Support HPISDataManager.dll version check (plugin 33095) uses.
    # NOTE(review): a few entries carry lower-case hex digits (43ca, 401d, 43af);
    # this assumes activex_get_killbit() matches CLSIDs case-insensitively --
    # TODO confirm.
    clsids = make_list(
      "{B60770C2-0390-41A8-A8DE-61889888D840}",
      "{44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9}",
      "{76EE578D-314B-4755-8365-6E1722C001A2}",
      "{F89EF74A-956B-4BD3-A066-4F23DF891982}",
      "{101D2283-EED9-4BA2-8F3F-23DB860946EB}",
      "{69C462E1-CD41-49E3-9EC2-D305155718C1}",
      "{41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA}",
      "{108092BF-B7DB-40D1-B7FB-F55922FCC9BE}",
      "{CF08D263-B832-42DB-8950-F40C9E672E27}",
      "{F1F51698-7B63-4394-8743-1F4CF1853DE1}",
      "{905BF7D7-6BC1-445A-BE53-9478AC096BEB}",
      "{916063A5-0098-4FB7-8717-1B2C62DD4E45}",
      "{AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4}",
      "{AE6C4705-0F11-4ACB-BDD4-37F138BEF289}",
      "{FA8932FF-E064-4378-901C-69CB94E3A20A}",
      "{3604EC19-E009-4DCB-ABC5-BB95BF92FD8B}",
      "{65FB3073-CA8E-42A1-9A9A-2F826D05A843}",
      "{7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3}",
      "{9BAFC7B3-F318-4BD4-BABB-6E403272615A}",
      "{05CDEE1D-D109-4992-B72B-6D4F5E2AB731}",
      "{977315A5-C0DB-4EFD-89C2-10AA86CA39A5}",
      "{1E0D3332-7441-44FF-A225-AF48E977D8B6}",
      "{B85537E9-2D9C-400A-BC92-B04F4D9FF17D}",
      "{2C2DE2E6-2AD1-4301-A6A7-DF364858EF01}",
      "{0270E604-387F-48ED-BB6D-AA51F51D6FC3}",
      "{FC28B75F-F9F6-4C92-AF91-14A3A51C49FB}",
      "{86C2B477-5382-4A09-8CA3-E63B1158A377}",
      "{8CC18E3F-4E2B-4D27-840E-CB2F99A3A003}",
      "{68BBCA71-E1F6-47B2-87D3-369E1349D990}",
      "{8DBC7A04-B478-41D5-BE05-5545D565B59C}",
      "{D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6}",
      "{6CA73E8B-B584-4533-A405-3D6F9C012B56}",
      "{6E5E167B-1566-4316-B27F-0DDAB3484CF7}",
      "{A7866636-ED52-4722-82A9-6BAABEFDBF96}",
      "{B0A08D67-9464-4E73-A549-2CC208AC60D3}",
      "{3D6A1A85-DE54-4768-9951-053B3B02B9B0}",
      "{947F2947-2296-42FE-92E6-E2E03519B895}",
      "{47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB}",
      "{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}",
      "{926618A9-4035-4CD6-8240-64C58EB37B07}",
      "{B95B52E9-B839-4412-96EB-4DABAB2E4E24}",
      "{CB05A177-1069-4A7A-AB0A-5E6E00DCDB76}",
      "{A233E654-53FF-43AA-B1E2-60DA2E89A1EC}",
      "{6981B978-70D9-40B9-B00E-903B6FC8CA8A}",
      "{C86EE68A-9C77-4441-BD35-14CC6CC4A189}",
      "{2875E7A5-EE3C-4FE7-A23E-DE0529D12028}",
      "{66E07EF9-4E89-4284-9632-6D6904B77732}",
      "{00D46195-B634-4C41-B53B-5093527FB791}",
      "{497EE41C-CE06-4DD4-8308-6C730713C646}",
      "{7A12547F-B772-4F2D-BE36-CE5D0FA886A1}",
      "{0B9C0C26-728C-4FDA-B8DD-59806E20E4D9}",
      "{F399F5B6-3C63-4674-B0FF-E94328B1947D}",
      "{8C7A23D9-2A9B-4AEA-BA91-3003A316B44D}",
      "{E6127E3B-8D17-4BEA-A039-8BB9D0D105A2}",
      "{A3796166-A03C-418A-AF3A-060115D4E478}",
      "{73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A}",
      "{93C5524B-97AE-491E-8EB7-2A3AD964F926}",
      "{833E62AD-1655-499F-908E-62DCA1EB2EC6}",
      "{285CAE3C-F16A-4A84-9A80-FF23D6E56D68}",
      "{AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B}",
      "{4614C49A-0B7D-4E0D-A877-38CCCFE7D589}",
      "{974E1D88-BADF-4C80-8594-A59039C992EA}",
      "{692898BE-C7CC-4CB3-A45C-66508B7E2C33}",
      "{F6A7FF1B-9951-4CBE-B197-EA554D6DF40D}",
      "{038F6F55-C9F0-4601-8740-98EF1CA9DF9A}",
      "{652623DC-2BB4-4C1C-ADFB-57A218F1A5EE}",
      "{BA162249-F2C5-4851-8ADC-FC58CB424243}",
      "{9275A865-754B-4EDF-B828-FED0F8D344FC}",
      "{6C095616-6064-43ca-9180-CF1B6B6A0BE4}",
      "{E1A26BBF-26C0-401d-B82B-5C4CC67457E0}",
      "{A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98}",
      "{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}",
      "{E4C97925-C194-4551-8831-EABBD0280885}",
      "{CC7DA087-B7F4-4829-B038-DA01DFB5D879}",
      "{14C1B87C-3342-445F-9B5E-365FF330A3AC}",
      "{60178279-6D62-43af-A336-77925651A4C6}",
      "{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772}",
      "{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}",
      "{93441C07-E57E-4086-B912-F323D741A9D8}",
      "{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8}",
      "{CF6866F9-B67C-4B24-9957-F91E91E788DC}",
      "{A95845D8-8463-4605-B5FB-4F8CFBAC5C47}",
      "{B9C13CD0-5A97-4C6B-8A50-7638020E2462}",
      "{C70D0641-DDE1-4FD7-A4D4-DA187B80741D}",
      "{DE233AFF-8BD5-457E-B7F0-702DBEA5A828}",
      "{AB049B11-607B-46C8-BBF7-F4D6AF301046}",
      "{910E7ADE-7F75-402D-A4A6-BB1A82362FCA}",
      "{42C68651-1700-4750-A81F-A1F5110E0F66}",
      "{BF931895-AF82-467A-8819-917C6EE2D1F3}",
      "{4774922A-8983-4ECC-94FD-7235F06F53A1}",
      "{E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0}",
      "{C94188F6-0F9F-46B3-8B78-D71907BD8B77}",
      "{6470DE80-1635-4B5D-93A3-3701CE148A79}",
      "{17E67D4A-23A1-40D8-A049-EE34C0AF756A}",
      "{AB237044-8A3B-42BB-9EE1-9BFA6721D9ED}",
      "{784F2933-6BDD-4E5F-B1BA-A8D99B603649}"
    );
    
    # Walk the CLSID list and record every control whose kill bit lookup
    # returns 0; the report text built from `info` describes those entries as
    # "kill bit has not been set". Any other return value is skipped.
    foreach clsid (clsids)
    {
      if (activex_get_killbit(clsid:clsid) != 0) continue;

      info += '  ' + clsid + '\n';

      # Without thorough tests, the first unset kill bit is enough evidence and
      # the remaining CLSIDs are not queried.
      if (!thorough_tests) break;
    }

    # Release the ActiveX helper API now that all lookups are done.
    activex_end();
    
    
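    # Report the finding when at least one CLSID with an unset kill bit was
    # collected in `info`. With report_verbosity > 0 the CLSIDs are listed in the
    # report; otherwise a bare warning is raised on the SMB transport port.
    if (info)
    {
      if (report_verbosity > 0)
      {
        # One line per CLSID in `info`: pluralise "control" for more than one.
        if (max_index(split(info)) > 1) s = "s";
        else s = "";
    
        report = string(
          "\n",
          "The kill bit has not been set for the following control", s, " :\n",
          "\n",
          info
        );
    
        # When thorough tests are off, tell the reader that the list may be
        # incomplete, so an analyst does not read it as the full set of
        # missing kill bits.
        if (!thorough_tests)
        {
          report = string(
            report,
            "\n",
            "Note that Nessus did not check whether there were other kill bits\n",
            "that have not been set because the 'Perform thorough tests' setting\n",
            "was not enabled when this scan was run.\n"
          );
        }
        security_warning(port:kb_smb_transport(), extra:report);
      }
      else security_warning(kb_smb_transport());
    }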
    
  • NASL family: Windows
    NASL id: HPISDATAMANAGER_ACTIVEX_1_0_0_24.NASL
    description: The remote host contains several ActiveX controls in HP Instant Support HPISDataManager.dll, a web-based diagnostic tool from Hewlett-Packard. The version of the controls installed on the remote host reportedly are affected by several issues. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, this method could be used to execute arbitrary code by means of buffer overflows or to execute delete, download, and write to arbitrary files on the affected system, all subject to the user's privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33095
    published: 2008-06-05
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33095
    title: HP Instant Support HPISDataManager.dll ActiveX Control < 1.0.0.24 Vulnerabilities
    code
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Registration branch: when `description` is set the script only declares
    # its metadata (ids, references, texts, scoring, prerequisites) and then
    # exits, so the version check further down does not run in this mode.
    if (description)
    {
      script_id(33095);
      script_version("1.18");
    
      # Eight CVE ids and eight Bugtraq ids are attached to this single plugin,
      # so one finding stands for all of them.
      script_cve_id(
        "CVE-2007-5604",
        "CVE-2007-5605",
        "CVE-2007-5606",
        "CVE-2007-5607",
        "CVE-2007-5608",
        "CVE-2007-5610",
        "CVE-2008-0952",
        "CVE-2008-0953"
      );
      script_bugtraq_id(
        29529, 
        29530, 
        29531, 
        29532, 
        29533, 
        29534, 
        29535, 
        29536
      );
      script_xref(name:"Secunia", value:"30516");
    
      script_name(english:"HP Instant Support HPISDataManager.dll ActiveX Control < 1.0.0.24 Vulnerabilities");
      script_summary(english:"Checks version of HPISDataManager.dll control");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has several ActiveX controls that are affected
    by multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host contains several ActiveX controls in HP Instant
    Support HPISDataManager.dll, a web-based diagnostic tool from
    Hewlett-Packard. 
    
    The version of the controls installed on the remote host reportedly
    are affected by several issues.  If an attacker can trick a user on
    the affected host into viewing a specially crafted HTML document, 
    this method could be used to execute arbitrary code by means of
    buffer overflows or to execute delete, download, and write to
    arbitrary files on the affected system, all subject to the user's
    privileges." );
     script_set_attribute(attribute:"see_also", value:"http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/29" );
     script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Jun/26" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to HP Instant Support version 1.0.0.24 or later." );
     # Plugin-level CVSS2 scoring: network vector, medium access complexity, no
     # authentication, complete C/I/A impact. The temporal vector and the two
     # attributes after it record proof-of-concept exploit code as available
     # (E:POC) alongside an official fix (RL:OF).
     # NOTE(review): AC:M presumably reflects the user interaction named in the
     # description text (viewing a crafted HTML document) -- confirm.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     # NOTE(review): a single CWE id is attached although the description text
     # covers both buffer overflows and arbitrary file operations; treat it as a
     # coarse label rather than a per-CVE classification.
     script_cwe_id(94);
     script_set_attribute(attribute:"plugin_publication_date", value: "2008/06/05");
     script_set_attribute(attribute:"patch_publication_date", value: "2008/06/03");
     script_cvs_date("Date: 2018/11/15 20:50:27");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:instant_support");
     script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      # Prerequisites: the smb_hotfixes.nasl dependency, the registry-enumeration
      # KB item, and ports 139 / 445.
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      # Leave before the check code that follows this block.
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("smb_func.inc");
    include("smb_activex_func.inc");
    
    
    # Preconditions for the check: the registry must have been enumerated and
    # the ActiveX helper API must initialise.
    # NOTE(review): both exits return status 0 with no message, so a host where
    # this check could not run looks the same in the scan output as a host where
    # it ran and found nothing.
    if (!get_kb_item("SMB/Registry/Enumerated"))
    {
      exit(0);
    }

    # The file used by the controls is located through this API.
    if (activex_init() != ACX_OK)
    {
      exit(0);
    }
    
    # Look up the control by CLSID, compare its file version with the fixed
    # version, and raise a finding when the control is judged vulnerable and is
    # either not checked for a kill bit (paranoid reporting) or has none set.
    clsid = "{14C1B87C-3342-445F-9B5E-365FF330A3AC}";
    file = activex_get_filename(clsid:clsid);
    if (file)
    {
      ver = activex_get_fileversion(clsid:clsid);

      # NOTE(review): the fix version passed here ("6.0.10.50") does not match
      # the 1.0.0.24 threshold stated in this plugin's name and solution text.
      # If the DLL's file version follows the 1.0.0.x numbering, patched installs
      # would still be reported -- confirm against the vendor's fixed build.
      if (ver && activex_check_fileversion(clsid:clsid, fix:"6.0.10.50") == TRUE)
      {
        # Opening lines shared by both report variants: version and file path.
        installed = string(
          "\n",
          "Version ", ver, " of the vulnerable control is installed as :\n",
          "\n",
          "  ", file, "\n",
          "\n"
        );

        report = NULL;
        if (report_paranoia > 1)
        {
          # Paranoid mode: report on version alone and say the kill bit was
          # not consulted.
          report = string(
            installed,
            "Note, though, that Nessus did not check whether the kill bit was\n",
            "set for the control's CLSID because of the Report Paranoia setting\n",
            "in effect when this scan was run.\n"
          );
        }
        else if (activex_get_killbit(clsid:clsid) == 0)
        {
          # Normal mode: report only when the kill bit lookup returns 0, which
          # the message below describes as "not set".
          report = string(
            installed,
            "Moreover, its kill bit is not set so it is accessible via Internet\n",
            "Explorer.\n"
          );
        }

        # No report text means the kill bit lookup did not return 0 in normal
        # mode; nothing is raised in that case.
        if (report)
        {
          if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report);
          else security_hole(kb_smb_transport());
        }
      }
    }

    # Release the ActiveX helper API on every path that reaches this point.
    activex_end();