Vulnerabilities > CVE-2008-0082 - Information Exposure vulnerability in Microsoft Windows Messenger 4.7/5.1

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
CWE-200
critical
nessus
NVD
Published: 2008-08-13
Updated: 2018-10-15

Summary

An ActiveX control (Messenger.UIAutomation.1) in Windows Messenger 4.7 and 5.1 is marked as safe-for-scripting, which allows remote attackers to control the Messenger application, and "change state," obtain contact information, and establish audio or video connections without notification via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS08-050.NASL
descriptionThe remote host is running Windows Messenger. There is a vulnerability in the remote version of this software that may lead to an information disclosure which could allow an attacker to change the state of a user, to get contact information or to initiate audio and video chat sessions.
last seen2020-06-01
modified2020-06-02
plugin id33879
published2008-08-13
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/33879
titleMS08-050: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(33879);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2008-0082");
 script_bugtraq_id(30551);
 script_xref(name:"MSFT", value:"MS08-050");
 script_xref(name:"MSKB", value:"899283");

 script_name(english:"MS08-050: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702)");
 script_summary(english:"Checks the version of Windows Messenger");

 script_set_attribute(attribute:"synopsis", value:
"The remote host is vulnerable to an information disclosure due to
Windows Messenger");
 script_set_attribute(attribute:"description", value:
"The remote host is running Windows Messenger.

There is a vulnerability in the remote version of this software that may
lead to an information disclosure which could allow an attacker to
change the state of a user, to get contact information or to initiate
audio and video chat sessions.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-050");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(200);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/08/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS08-50';
kb = '899283';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);

# nb: Windows 2000 with Windows Messenger 4.7 is affected, but
#     Microsoft says 4.7 is not supported on Windows 2000.
if (hotfix_check_sp_range(xp:'2,3', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_programfilesdir();
if (!rootfile) exit(1, "Failed to get the Program Files directory.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.1", file:"Msgsc.dll", version:"4.7.0.3002", path:rootfile, dir:"\Messenger", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", file:"Msgsc.dll", version:"4.7.0.3002", path:rootfile, dir:"\Messenger", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2015-05-04T04:00:20.672-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSecure Elements, Inc.
  • nameDragos Prisaca
    organizationSecure Elements, Inc.
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMSN Messenger 4.7 is installed
    ovaloval:org.mitre.oval:def:6101
  • commentMSN Messenger 5.1 is installed
    ovaloval:org.mitre.oval:def:5691
descriptionAn ActiveX control (Messenger.UIAutomation.1) in Windows Messenger 4.7 and 5.1 is marked as safe-for-scripting, which allows remote attackers to control the Messenger application, and "change state," obtain contact information, and establish audio or video connections without notification via unknown vectors.
familywindows
idoval:org.mitre.oval:def:5995
statusaccepted
submitted2008-08-13T09:28:00
titleWindows Messenger Information Disclosure Vulnerability
version12

Seebug

  • bulletinFamilyexploit
    descriptionCVE-2008-0082 When installing Windows XP, an old edition of MSN Messenger is installed automatically. The old edition opens the MSN API to develop as an ActiveX Control, and marks it with &quot;safe&quot;. By using this ActiveX Control, we can control the local MSN Messenger, for instance: change state, gain current login ID, steal contact-person's information, send mail using the victim's name, and so on, all of these functions given by this feature can be considered to be security problems. Even the user installs a higher edition of MSN Messenger(Windows Live Messenger), this ActiveX control will not be removed. By using this we will still be allowed to visit the local Live Messenger. Windows Live Messenger存在非法访问漏洞。恶性攻击者可以控制Live Messenger构建恶意网页,一旦受害者访问这个网页,攻击者可以控制本地Live Messenger的,包括披露的个人敏感信息,远程等 Microsoft Windows Live Messenger 4.7 on Windows XP and Windows Server 2003 Microsoft Windows Live Messenger 5.1 on Windows 2000, Windows XP and Windows Server 2003 Microsoft has released an advisory for this vulnerability which can be found at: <a href=http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx target=_blank>http://www.microsoft.com/technet/security/bulletin/ms08-050.mspx</a>
    idSSV:3883
    last seen2017-11-19
    modified2008-08-20
    published2008-08-20
    reporterRoot
    titleMicrosoft Windows Messenger Remote Illegal Access Vulnerability
  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 30551 CVE(CAN) ID: CVE-2008-0082 Windows Messenger是Windows操作系统中默认捆绑的即时聊天工具。 在安装Windows XP的时候会自动安装旧版本的MSN Messenger,这个版本打开MSN API运行ActiveX控件Messenger.UIAutomation.1并标记为safe。对这个控件执行脚本操作可能导致以登录用户的环境泄露信息。攻击者可以在登录用户不知情的情况下更改状态、获取联系人信息以及启动音频和视频聊天会话,还可以捕获用户的登录ID并以该用户的身份远程登录用户的Messenger客户端。 即使安装了高版本的MSN Messenger(Windows Live Messenger),仍不会删除有漏洞的ActiveX控件。 Microsoft Windows Messenger 5.1 Microsoft Windows Messenger 4.7 临时解决方法: * 将Internet Explorer配置为在Internet和本地Intranet安全区域中运行ActiveX控件之前进行提示。 * 将Internet 和本地Intranet安全区域设置设为“高”,以便在这些区域中运行ActiveX控件和活动脚本之前进行提示。 * 为Messenger.UIAutomation.1控件设置killbit。请将以下文本粘贴到记事本等文本编辑器中,然后使用.reg文件扩展名保存文件。 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B69003B3-C55E-4b48-836C-BC5946FC3B28}] &quot;Compatibility Flags&quot;=dword:00000400 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS08-050)以及相应补丁: MS08-050:Vulnerability in Windows Messenger Could Allow Information Disclosure (955702) 链接:<a href=http://www.microsoft.com/technet/security/bulletin/MS08-050.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/bulletin/MS08-050.mspx?pf=true</a>
    idSSV:3855
    last seen2017-11-19
    modified2008-08-15
    published2008-08-15
    reporterRoot
    titleMicrosoft Windows Messenger ActiveX控件信息泄露漏洞(MS08-050)

References