Vulnerabilities > CVE-2007-5775 - Buffer Overflow vulnerability in BitDefender Online Scanner OScan.OCX ActiveX Control Heap

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Unspecified vulnerability in BitDefender allows attackers to execute arbitrary code via unspecified vectors, aka EEYEB-20071024. NOTE: as of 20071029, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Vulnerable Configurations

Part Description Count
Application
Bitdefender
3

Exploit-Db

description: BitDefender Online Scanner 8 ActiveX Heap Overflow Exploit. CVE-2007-5775, CVE-2007-6189. Remote exploit for the Windows platform.
file: exploits/windows/remote/4663.html
id: EDB-ID:4663
last seen: 2016-01-31
modified: 2007-11-27
platform: windows
port:
published: 2007-11-27
reporter: Nphinity
source: https://www.exploit-db.com/download/4663/
title: BitDefender Online Scanner 8 - ActiveX Heap Overflow Exploit
type: remote

Nessus

NASL family: Windows
NASL id: BITDEFENDER_OSCAN8_ACTIVEX_DOUBLE_DECODE_OVERFLOW.NASL
description: The remote host contains the …
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 28332
published: 2007-11-27
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/28332
title: BitDefender Online Anti-Virus Scanner ActiveX OScan8.ocx / OScan8.ocx InitX Method Arbitrary Code Execution
code
#
#  (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration branch: when 'description' is set, publish the plugin's
# metadata (ids, CVSS vectors, dependencies) and exit without scanning.
if (description)
{
  script_id(28332);
  script_version("1.17");

  # CVE-2007-5775 / BID 26210: heap overflow reachable through the
  # control's 'InitX' domain-key argument (see the description below).
  script_cve_id("CVE-2007-5775");
  script_bugtraq_id(26210);

  # NOTE(review): the title names "OScan8.ocx" twice; the detection code in
  # this plugin matches both oscan8.ocx and oscan81.ocx, so the second was
  # presumably meant to read OScan81.ocx. The string is user-facing and is
  # left unchanged here.
  script_name(english:"BitDefender Online Anti-Virus Scanner ActiveX OScan8.ocx / OScan8.ocx InitX Method Arbitrary Code Execution");
  # NOTE(review): the summary says "Checks version", but the detection code
  # only matches the registered file name and inspects the kill bit; no
  # version number is compared.
  script_summary(english:"Checks version of BDSCANONLINE ActiveX control");

 script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by a
buffer overflow vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host contains the 'BDSCANONLINE' ActiveX control, used by
the BitDefender Online Scanner, a web-based virus scanner.

The version of this control installed on the remote host fails to
properly validate Unicode values passed to the 'InitX' function as a
domain key.  If a remote attacker can trick a user on the affected
host into visiting a specially crafted web page, these issues could be
leveraged to allocate arbitrary heap-based memory and overwrite memory
within the Internet Explorer or host ActiveX process, which could
result in execution of arbitrary code on the host subject to the
user's privileges." );
 script_set_attribute(attribute:"see_also", value:"https://www.beyondtrust.com/resources/blog/research/" );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483986/30/0/threaded" );
 # Remediation is delivered by the vendor's online scanner updating its own
 # engine; there is no separately downloadable patch named here.
 script_set_attribute(attribute:"solution", value:
"The vendor has reportedly released an update that can be obtained
by visiting the URL below, running a scan, and allowing the scanner to
update the antivirus engine :

http://www.bitdefender.com/scan8/ie.html" );
 # CVSS2 base 9.3 (network, medium complexity, no auth, complete C/I/A);
 # temporal: proof-of-concept exploit, official fix, confirmed report.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/11/27");
 script_cvs_date("Date: 2018/11/15 20:50:26");
# Local check: the control is located through the remote registry over SMB
# (see the dependency, required key and ports below), not by probing the
# control itself.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe",value:"cpe:/a:bitdefender:antivirus");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Needs the registry enumeration done by smb_hotfixes.nasl and an SMB
  # session on 139/445.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Resolve, through the remote registry, the file registered for each CLSID
# of the BDSCANONLINE control.
if (activex_init() != ACX_OK) exit(0);

control_clsids = make_list(
  "{4FA3B676-FF36-4967-B283-19AE85D7D4E6}",
  "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}"
);

# NOTE(review): no version comparison is made here; a registered
# oscan8.ocx / oscan81.ocx with a clear kill bit is the whole test, so a
# patched control carrying the same file name would presumably be flagged too.
info = "";
foreach clsid (control_clsids)
{
  file = activex_get_filename(clsid:clsid);

  # Nothing registered for this CLSID, or the file is not the scanner
  # control (oscan8.ocx / oscan81.ocx).
  if (!file) continue;
  if (file !~ "oscan(8|81)\.ocx") continue;

  # Under high report paranoia the kill bit is not consulted and the control
  # is reported as found; otherwise only a control whose kill bit is clear
  # (activex_get_killbit() == 0) is reported.
  reportable = (report_paranoia > 1);
  if (!reportable) reportable = (activex_get_killbit(clsid:clsid) == 0);
  if (!reportable) continue;

  info = info + '  ' + file + '\n';

  # Stop at the first hit unless thorough tests are enabled.
  if (!thorough_tests) break;
}
activex_end();


# Report only when the detection loop above collected at least one control.
if (info)
{
  # string() is the concatenation idiom used throughout this plugin; NASL's
  # string() may also process escape sequences in its arguments, and 'info'
  # holds Windows paths with backslashes — TODO confirm before replacing
  # these calls with plain '+' concatenation.
  report = string(
    "\n",
    "Nessus found the following affected control(s) installed :\n",
    "\n",
    info
  );

  # The detection loop breaks at the first hit unless 'thorough_tests' is
  # enabled, so tell the reader other instances may exist.
  if (!thorough_tests)
  {
    report = string(
      report,
      "\n",
      "Note that Nessus did not check whether there were other instances\n",
      "installed because the 'Perform thorough tests' setting was not enabled\n",
      "when this scan was run.\n"
    );
  }

  # With report_paranoia > 1 the kill bit was never consulted; otherwise a
  # hit means activex_get_killbit() returned 0 for the control.
  if (report_paranoia > 1)
    report = string(
      report,
      "\n",
      "Note that Nessus did not check whether the kill bit was set for\n",
      "the control(s) because of the Report Paranoia setting in effect\n",
      "when this scan was run.\n"
    );
  else 
    report = string(
      report,
      "\n",
      "Moreover, the kill bit was  not set for the control(s) so they\n",
      "are accessible via Internet Explorer.\n"
    );
  # Raise the finding on the SMB transport port used for the registry lookup.
  security_hole(port:kb_smb_transport(), extra:report);
}

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 26210 CVE(CAN) ID: CVE-2007-5775 BitDefender Online Scanner是一款免费的在线杀毒软件。 BitDefender在线扫描器所捆绑的OScan.ocx控件中存在远程代码执行漏洞,远程攻击者可能利用此漏洞在用户系统上执行任意指令。 OScan.ocx的有漏洞函数为InitX,该函数取得了bstrLocation的字符串参数值用于确认调用域。InitX的IDL类似于以下: Function InitX { ByVal bstrLocation as String } As Boolean 这个功能用于保护ActiveX控件防止从授权域之外初始化。用户可以提交请求向站点上传这个控件,然后获得初始化密钥。用户域是由以下16进制密钥处理的: AvxUI.InitX('000000408E45E3394593BF66F0C93C6CF90AF0F0 AB417E17657D7F328A2312ACBE0B139EF3EBFB69 939B1C3B24D8BC392D752B8408EAACCD809B94D3 8B8F9B5E97B1C1A6') 在处理并确认了这个域密钥后才会初始化控件并接受用户命令开始扫描文件,但在处理传送给有漏洞函数域密钥的Unicode值时存在双重解码漏洞。如果向域密钥值附加了两个%(0x25)字符就会触发这个漏洞,导致OScan.ocx双重解码Unicode参数并分配任意内存。结合超长字符串,就可能导致堆内存破坏的情况。这种堆溢出允许使用任意用户畸形字符串的数据覆盖Internet Explorer或主机ActiveX进程中的内存。尽管攻击者无法控制发生内存覆盖的位置,但漏洞仍可能覆盖Internet Explorer或主机ActiveX进程之后调用的指针,因此可能执行任意指令。 Softwin BitDefender Online Scanner 8 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.bitdefender.com/scan8/ie.html
id: SSV:2485
last seen: 2017-11-19
modified: 2007-11-22
published: 2007-11-22
reporter: Root
title: BitDefender在线扫描器OScan.OCX ActiveX控件堆溢出漏洞