Vulnerabilities > CVE-2009-2570 - Buffer Errors vulnerability in Symantec Winfax PRO 10.03
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in the Symantec.FaxViewerControl.1 ActiveX control in WinFax\DCCFAXVW.DLL in Symantec WinFax Pro 10.03 allows remote attackers to execute arbitrary code via a long argument to the AppendFax method.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Symantec Fax Viewer Control 10 (DCCFAXVW.DLL) Remote BOF Exploit. CVE-2009-2570. Remote exploit for windows platform |
| id | EDB-ID:8562 |
| last seen | 2016-02-01 |
| modified | 2009-04-29 |
| published | 2009-04-29 |
| reporter | Nine:Situations:Group |
| source | https://www.exploit-db.com/download/8562/ |
| title | Symantec Fax Viewer Control 10 DCCFAXVW.DLL Remote BoF Exploit |
Nessus
NASL family Windows NASL id WINFAX_ACTIVEX_APPENDFAX_OVERFLOW.NASL description The version of the Symantec Fax Viewer Control ActiveX control, a component included with Symantec Winfax Pro and installed on the remote Windows host, reportedly contains a stack-based buffer overflow that can be triggered by calling the last seen 2020-06-01 modified 2020-06-02 plugin id 38652 published 2009-04-30 reporter This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/38652 title Symantec Fax Viewer Control ActiveX Control AppendFax Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(38652); script_version("1.19"); script_cve_id("CVE-2009-2570"); script_bugtraq_id(34766); script_xref(name:"Secunia", value:"34925"); script_name(english:"Symantec Fax Viewer Control ActiveX Control AppendFax Overflow"); script_summary(english:"Checks for the control"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host has an ActiveX control that is affected by a buffer overflow vulnerability." ); script_set_attribute( attribute:"description", value: "The version of the Symantec Fax Viewer Control ActiveX control, a component included with Symantec Winfax Pro and installed on the remote Windows host, reportedly contains a stack-based buffer overflow that can be triggered by calling the 'AppendFax' method with an overly long argument. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage this issue to execute arbitrary code on the affected system subject to the user's privileges." ); script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1078766b" ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Apr/285" ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Apr/296" ); script_set_attribute( attribute:"solution", value:"Remove the affected software as it is no longer supported by Symantec." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2009/04/30"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("smb_func.inc"); include("smb_activex_func.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); # Locate the file used by the controls. if (activex_init() != ACX_OK) exit(0); clsid = '{C05A1FBC-1413-11D1-B05F-00805F4945F6}'; file = activex_get_filename(clsid:clsid); if (file) { ver = activex_get_fileversion(clsid:clsid); if (ver) ver = string("Version ", ver); else ver = string("An unknown version"); report = NULL; if (report_paranoia > 1) report = string( "\n", ver, " of the vulnerable control is installed as :\n", "\n", " ", file, "\n", "\n", "Note, though, that Nessus did not check whether the kill bit was\n", "set for the control's CLSID because of the Report Paranoia setting\n", "in effect when this scan was run.\n" ); else if (activex_get_killbit(clsid:clsid) == 0) report = string( "\n", ver, " of the vulnerable control is installed as :\n", "\n", " ", file, "\n", "\n", "Moreover, its kill bit is not set so it is accessible via Internet\n", "Explorer.\n" ); if (report) { if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report); else security_hole(kb_smb_transport()); } } activex_end();NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS10-008.NASL description The Microsoft Data Analyzer ActiveX control has a remote code execution vulnerability. The system may also have one or more vulnerable third-party ActiveX controls installed. A remote attacker could exploit these issues by tricking a user into requesting a maliciously crafted web page, resulting in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 44418 published 2010-02-09 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44418 title MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(44418); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-2570", "CVE-2009-3735", "CVE-2010-0252"); script_bugtraq_id(34766, 38045, 38060, 38066, 38067); script_xref(name:"MSFT", value:"MS10-008"); script_xref(name:"MSKB", value:"978262"); script_name(english:"MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)"); script_summary(english:"Checks if several kill bits have been set"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host is missing an update that disables selected ActiveX controls." ); script_set_attribute( attribute:"description", value: "The Microsoft Data Analyzer ActiveX control has a remote code execution vulnerability. The system may also have one or more vulnerable third-party ActiveX controls installed. A remote attacker could exploit these issues by tricking a user into requesting a maliciously crafted web page, resulting in arbitrary code execution." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-008"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista, 2008, and 7." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(94, 119); script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/29"); script_set_attribute(attribute:"patch_publication_date", value:"2010/02/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_activex_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS10-008'; kbs = make_list("978262"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0, "The registry wasn't enumerated."); if (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:3, win7:1) <= 0) exit(0, "The host is not affected based on its version / service pack."); if (hotfix_check_server_core() == 1) exit(0, "Windows Server Core installs are not affected."); if (activex_init() != ACX_OK) exit(1, "Unable to initialize the ActiveX API."); kb = "978262"; # Test each control. info = ""; clsids = make_list( '{E0ECA9C3-D669-4EF4-8231-00724ED9288F}', # max3activex.dll '{C05A1FBC-1413-11D1-B05F-00805F4945F6}', # Symantec WinFax Pro 10.3 '{5D80A6D1-B500-47DA-82B8-EB9875F85B4D}', # Google Desktop Gadget 5.8 '{0CCA191D-13A6-4E29-B746-314DEE697D83}', # Facebook Photo Updater 5.5.8 '{2d8ed06d-3c30-438b-96ae-4d110fdc1fb8}' # PandaActiveScan Installer 2.0 ); foreach clsid (clsids) { if (activex_get_killbit(clsid:clsid) == 0) { info += ' ' + clsid + '\n'; if (!thorough_tests) break; } } activex_end(); if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 1) s = "s"; else s = ""; report = '\nThe kill bit has not been set for the following control'+s+' :\n\n'+ info; if (!thorough_tests) { report += '\nNote that Nessus did not check whether there were other kill bits\n'+ 'that have not been set because the "Perform thorough tests" setting\n'+ 'was not enabled when this scan was run.\n'; } hotfix_add_report(info, bulletin:bulletin, kb:kb); } hotfix_security_warning(); set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); } else exit(0, "The host is not affected.");
References
- http://osvdb.org/54137
- http://retrogod.altervista.org/9sg_symantec_win_fuck_pro.html
- http://secunia.com/advisories/34925
- http://www.securityfocus.com/archive/1/503074/100/0/threaded
- http://www.securityfocus.com/archive/1/503086/100/0/threaded
- http://www.securityfocus.com/archive/1/503163/100/0/threaded
- http://www.securityfocus.com/bid/34766
- http://www.securitytracker.com/id?1022147
- http://www.vupen.com/english/advisories/2009/1221
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-008