Vulnerabilities > CVE-2013-6040 - Unspecified vulnerability in Mw6Tech products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
mw6tech
critical
nessus
exploit available

Summary

Multiple unspecified vulnerabilities in the MW6 Aztec, DataMatrix, and MaxiCode ActiveX controls allow remote attackers to execute arbitrary code via a crafted HTML document.

Vulnerable Configurations

Part Description Count
Application
Mw6Tech
3

Exploit-Db

  • descriptionMW6 Technologies Aztec ActiveX (Data param) - Buffer Overflow. CVE-2013-6040. Dos exploit for windows platform
    fileexploits/windows/dos/31176.html
    idEDB-ID:31176
    last seen2016-02-03
    modified2014-01-24
    platformwindows
    port
    published2014-01-24
    reporterPedro Ribeiro
    sourcehttps://www.exploit-db.com/download/31176/
    titleMW6 Technologies Aztec ActiveX Data param - Buffer Overflow
    typedos
  • descriptionMW6 Technologies DataMatrix - ActiveX (Data param) - Buffer Overflow. CVE-2013-6040. Dos exploit for windows platform
    fileexploits/windows/dos/31177.html
    idEDB-ID:31177
    last seen2016-02-03
    modified2014-01-24
    platformwindows
    port
    published2014-01-24
    reporterPedro Ribeiro
    sourcehttps://www.exploit-db.com/download/31177/
    titleMW6 Technologies DataMatrix - ActiveX Data param - Buffer Overflow
    typedos
  • descriptionMW6 Technologies MaxiCode ActiveX (Data param) - Buffer Overflow. CVE-2013-6040. Dos exploit for windows platform
    idEDB-ID:31178
    last seen2016-02-03
    modified2014-01-24
    published2014-01-24
    reporterPedro Ribeiro
    sourcehttps://www.exploit-db.com/download/31178/
    titleMW6 Technologies MaxiCode ActiveX Data param - Buffer Overflow

Nessus

NASL familyWindows
NASL idMW6_ACTIVEX_VU219470.NASL
descriptionThe remote Windows host has one or more ActiveX controls from MW6 Technologies ActiveX controls that are affected by multiple buffer overflow vulnerabilities. Specifically, these involve the
last seen2020-06-01
modified2020-06-02
plugin id72179
published2014-01-28
reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/72179
titleMW6 Technologies ActiveX Multiple Buffer Overflows
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(72179);
  script_version("1.4");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2013-6040");
  script_bugtraq_id(65038);
  script_xref(name:"CERT", value:"219470");
  script_xref(name:"EDB-ID", value:"31176");
  script_xref(name:"EDB-ID", value:"31177");
  script_xref(name:"EDB-ID", value:"31178");

  script_name(english:"MW6 Technologies ActiveX Multiple Buffer Overflows");
  script_summary(english:"Checks if the kill bit is set on affected controls.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Windows host has one or more ActiveX controls installed that
are affected by multiple buffer overflow vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host has one or more ActiveX controls from MW6
Technologies ActiveX controls that are affected by multiple buffer
overflow vulnerabilities.  Specifically, these involve the 'Data'
parameter as used in the Aztec, DataMatrix, and MaxiCode controls, and
successful exploitation could lead to arbitrary code execution."
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Jan/137");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/240797/how-to-stop-an-activex-control-from-running-in-internet-explorer");
  script_set_attribute(
    attribute:"solution",
    value:
"There are currently no known fixes; as a workaround, set the kill bit
on the affected ActiveX controls."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/01/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:aztec_activex_control");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:datamatrix_activex_control");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mw6tech:maxicode_activex_control");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
  script_require_ports(139, 445);

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('smb_func.inc');
include('smb_activex_func.inc');

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (activex_init() != ACX_OK) exit(1, 'activex_init() failed.');

clsids = make_list(
  "{2355C601-37D1-42B4-BEB1-03C773298DC8}",
  "{DE7DA0B5-7D7B-4CEA-8739-65CF600D511E}",
  "{F359732D-D020-40ED-83FF-F381EFE36B54}"
);

report = "";

foreach clsid (clsids)
{
  if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
  {
    file = activex_get_filename(clsid:clsid);
    if (!file) continue;

    # Get its version.
    version = activex_get_fileversion(clsid:clsid);
    if (!version) version = "Unknown";

    report +=
      '\n  Class identifier  : ' + clsid +
      '\n  Filename          : ' + file +
      '\n  Installed version : ' + version + '\n';
  }
}
activex_end();

if (report)
{
  if (report_paranoia > 1)
  {
    report +=
    '\n' +
    'Note, though, that Nessus did not check whether the kill bit was\n' +
    'set for each control\'s CLSID because of the Report Paranoia setting' + '\n' +
    'in effect when this scan was run.\n';
  }
  else
  {
    report +=
    '\n' +
    'Moreover, their kill bits are not set so they are accessible via Internet\n' +
    'Explorer.\n';
  }

  port = kb_smb_transport();
  if (report_verbosity > 0) security_hole(port:port, extra:report);
  else security_hole(port:port);
  exit(0);
}
else exit(0, "One or more affected controls were found but the kill bit was set on all of them.");

The Hacker News

idTHN:2B66F4D7468A397BC1CBE217545C45C8
last seen2017-01-08
modified2013-03-02
published2013-03-02
reporterMohit Kumar
sourcehttp://thehackernews.com/2013/03/old-school-hackers-spying-on-european.html
titleOld School Hackers spying on European governments