CVE-2009-2570 - Buffer Errors vulnerability in Symantec Winfax PRO 10.03

047910
CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, symantec, CWE-119, critical, nessus, exploit available

Summary

Stack-based buffer overflow in the Symantec.FaxViewerControl.1 ActiveX control in WinFax\DCCFAXVW.DLL in Symantec WinFax Pro 10.03 allows remote attackers to execute arbitrary code via a long argument to the AppendFax method.

Vulnerable Configurations

Part | Description | Count
Application | Symantec | 1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: Symantec Fax Viewer Control 10 (DCCFAXVW.DLL) Remote BOF Exploit. CVE-2009-2570. Remote exploit for windows platform
id: EDB-ID:8562
last seen: 2016-02-01
modified: 2009-04-29
published: 2009-04-29
reporter: Nine:Situations:Group
source: https://www.exploit-db.com/download/8562/
title: Symantec Fax Viewer Control 10 DCCFAXVW.DLL Remote BoF Exploit

Nessus

  • NASL family: Windows
    NASL id: WINFAX_ACTIVEX_APPENDFAX_OVERFLOW.NASL
    description: The version of the Symantec Fax Viewer Control ActiveX control, a component included with Symantec Winfax Pro and installed on the remote Windows host, reportedly contains a stack-based buffer overflow that can be triggered by calling the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 38652
    published: 2009-04-30
    reporter: This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/38652
    title: Symantec Fax Viewer Control ActiveX Control AppendFax Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(38652);
      script_version("1.19");
    
      script_cve_id("CVE-2009-2570");
      script_bugtraq_id(34766);
      script_xref(name:"Secunia", value:"34925");
    
      script_name(english:"Symantec Fax Viewer Control ActiveX Control AppendFax Overflow");
      script_summary(english:"Checks for the control");
     
      script_set_attribute(  attribute:"synopsis",  value:
    "The remote Windows host has an ActiveX control that is affected by a
    buffer overflow vulnerability."  );
      script_set_attribute(  attribute:"description",   value:
    "The version of the Symantec Fax Viewer Control ActiveX control, a
    component included with Symantec Winfax Pro and installed on the
    remote Windows host, reportedly contains a stack-based buffer overflow
    that can be triggered by calling the 'AppendFax' method with an overly
    long argument.  If an attacker can trick a user on the affected host
    into viewing a specially crafted HTML document, he can leverage this
    issue to execute arbitrary code on the affected system subject to the
    user's privileges."  );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.nessus.org/u?1078766b"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"https://seclists.org/bugtraq/2009/Apr/285"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"https://seclists.org/bugtraq/2009/Apr/296"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Remove the affected software as it is no longer supported by Symantec."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119);
      script_set_attribute(attribute:"plugin_publication_date", value: "2009/04/30");
      script_cvs_date("Date: 2018/11/15 20:50:29");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("smb_func.inc");
    include("smb_activex_func.inc");
    
    
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    
    
    # Locate the file used by the controls.
    if (activex_init() != ACX_OK) exit(0);
    
    clsid = '{C05A1FBC-1413-11D1-B05F-00805F4945F6}';
    file = activex_get_filename(clsid:clsid);
    if (file)
    {
      ver = activex_get_fileversion(clsid:clsid);
    
      if (ver) ver = string("Version ", ver);
      else ver = string("An unknown version");
    
      report = NULL;
      if (report_paranoia > 1)
        report = string(
          "\n",
          ver, " of the vulnerable control is installed as :\n",
          "\n",
          "  ", file, "\n",
          "\n",
          "Note, though, that Nessus did not check whether the kill bit was\n",
          "set for the control's CLSID because of the Report Paranoia setting\n",
          "in effect when this scan was run.\n"
        );
      else if (activex_get_killbit(clsid:clsid) == 0)
        report = string(
          "\n",
          ver, " of the vulnerable control is installed as :\n",
          "\n",
          "  ", file, "\n",
          "\n",
          "Moreover, its kill bit is not set so it is accessible via Internet\n",
          "Explorer.\n"
        );
      if (report)
      {
        if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report);
        else security_hole(kb_smb_transport());
      }
    }
    activex_end();
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS10-008.NASL
    description: The Microsoft Data Analyzer ActiveX control has a remote code execution vulnerability. The system may also have one or more vulnerable third-party ActiveX controls installed. A remote attacker could exploit these issues by tricking a user into requesting a maliciously crafted web page, resulting in arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 44418
    published: 2010-02-09
    reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/44418
    title: MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(44418);
      script_version("1.31");
      script_cvs_date("Date: 2018/11/15 20:50:30");
    
      script_cve_id("CVE-2009-2570", "CVE-2009-3735", "CVE-2010-0252");
      script_bugtraq_id(34766, 38045, 38060, 38066, 38067);
      script_xref(name:"MSFT", value:"MS10-008");
      script_xref(name:"MSKB", value:"978262");
    
      script_name(english:"MS10-008: Cumulative Security Update of ActiveX Kill Bits (978262)");
      script_summary(english:"Checks if several kill bits have been set");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote Windows host is missing an update that disables selected
    ActiveX controls."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "The Microsoft Data Analyzer ActiveX control has a remote code
    execution vulnerability.  The system may also have one or more
    vulnerable third-party ActiveX controls installed.
    
    A remote attacker could exploit these issues by tricking a user into
    requesting a maliciously crafted web page, resulting in arbitrary code
    execution."
      );
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-008");
      script_set_attribute(
        attribute:"solution",
        value:
    "Microsoft has released a set of patches for Windows 2000, XP, 2003,
    Vista, 2008, and 7."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(94, 119);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/02/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/02/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, 'Host/patch_management_checks');
    
      exit(0);
    }
    
    
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_activex_func.inc");
    
    
    include("misc_func.inc");
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS10-008';
    kbs = make_list("978262");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0, "The registry wasn't enumerated.");
    if (hotfix_check_sp(win2k:6, xp:4, win2003:3, vista:3, win7:1) <= 0)
      exit(0, "The host is not affected based on its version / service pack.");
    if (hotfix_check_server_core() == 1) exit(0, "Windows Server Core installs are not affected.");
    if (activex_init() != ACX_OK) exit(1, "Unable to initialize the ActiveX API.");
    
    
    
    kb = "978262";
    
    # Test each control.
    info = "";
    clsids = make_list(
      '{E0ECA9C3-D669-4EF4-8231-00724ED9288F}', # max3activex.dll
      '{C05A1FBC-1413-11D1-B05F-00805F4945F6}', # Symantec WinFax Pro 10.3
      '{5D80A6D1-B500-47DA-82B8-EB9875F85B4D}', # Google Desktop Gadget 5.8
      '{0CCA191D-13A6-4E29-B746-314DEE697D83}', # Facebook Photo Updater 5.5.8
      '{2d8ed06d-3c30-438b-96ae-4d110fdc1fb8}'  # PandaActiveScan Installer 2.0
    );
    
    foreach clsid (clsids)
    {
      if (activex_get_killbit(clsid:clsid) == 0)
      {
        info += '  ' + clsid + '\n';
        if (!thorough_tests) break;
      }
    }
    activex_end();
    
    
    if (info)
    {
      if (report_verbosity > 0)
      {
        if (max_index(split(info)) > 1) s = "s";
        else s = "";
    
        report =
          '\nThe kill bit has not been set for the following control'+s+' :\n\n'+
          info;
    
        if (!thorough_tests)
        {
          report +=
            '\nNote that Nessus did not check whether there were other kill bits\n'+
            'that have not been set because the "Perform thorough tests" setting\n'+
            'was not enabled when this scan was run.\n';
        }
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
      }
      hotfix_security_warning();
    
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    }
    else exit(0, "The host is not affected.");
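
The kill-bit test that both Nessus plugins above perform through activex_get_killbit() can be reproduced offline against a registry export. The Python below is an added example, not Tenable's code and not part of the original page. It assumes the standard kill-bit location (bit 0x400 of "Compatibility Flags" under ...\Internet Explorer\ActiveX Compatibility\{CLSID}) and a text `reg export` of a single registry view; the function names and the sample export are constructed for illustration.

```python
import re

# Kill bit = bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x400

# CLSIDs from the MS10-008 plugin listing on this page.
CLSIDS = [
    "{E0ECA9C3-D669-4EF4-8231-00724ED9288F}",  # max3activex.dll
    "{C05A1FBC-1413-11D1-B05F-00805F4945F6}",  # Symantec WinFax Pro 10.3
    "{5D80A6D1-B500-47DA-82B8-EB9875F85B4D}",  # Google Desktop Gadget 5.8
    "{0CCA191D-13A6-4E29-B746-314DEE697D83}",  # Facebook Photo Updater 5.5.8
    "{2d8ed06d-3c30-438b-96ae-4d110fdc1fb8}",  # PandaActiveScan Installer 2.0
]

KEY_RE = re.compile(r"^\[.+\\ActiveX Compatibility\\(\{[0-9a-f-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def parse_reg_export(text):
    """Map upper-cased CLSID -> Compatibility Flags from .reg export text."""
    flags, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
        elif line.startswith("["):
            current = None  # a different key: stop attributing values
        else:
            val = FLAG_RE.match(line)
            if val and current:
                flags[current] = int(val.group(1), 16)
    return flags

def missing_kill_bits(text, clsids=CLSIDS):
    """CLSIDs whose kill bit is clear; an absent key counts as not set."""
    flags = parse_reg_export(text)
    return [c for c in clsids if not flags.get(c.upper(), 0) & KILL_BIT]

# Constructed sample export (not from a real host).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C05A1FBC-1413-11D1-B05F-00805F4945F6}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E0ECA9C3-D669-4EF4-8231-00724ED9288F}]
"Compatibility Flags"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8}]
"Compatibility Flags"=dword:00800400
"""
```

On a 64-bit host the 32-bit view under Wow6432Node holds its own copy of these keys, so export and check each view separately.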