EdrawSoft Office Viewer Component ActiveX version 5.6.5781 suffers from a buffer overflow vulnerability when parsing large amount of bytes to the FtpUploadFile member in FtpUploadFile() function, resulting memory corruption overwriting several registers including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.
aa458d428c88b317e3d19885fabb2292797100d9c42881cb18343f476bfa04ebZero Day Initiative Advisory 12-020 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the SaveDoc and PrintFile functions exposed by the VsVIEW6.ocx ActiveX control. The SaveDoc function causes a file to be created at an arbitrary path specified by the first argument (FileName). The file contents can be controlled by setting the 'Header' member and calling PrintFile() with the same path argument. These behaviors can be exploited by a remote attacker to execute arbitrary code on the target system.
0e61a6e226350f291abb2c1d035a02dd7b420e246ac20734c7e602223f151f77Zero Day Initiative Advisory 12-019 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within SetLicenseInfoEx() method exposed by the mraboutb.dll ActiveX Control. String data supplied to the first parameter (strInstallDir) of SetLicenseInfoEx() is copied into a 256 byte global buffer without first checking the string length. This overflow can be exploited to remotely execute arbitrary code on the target system.
854bc2e262fff88ef741e78bf82fffb4832ad1b7eb87f4f13c662b94e8d6c14eTracker Software pdfSaver ActiveX control (pdfxctrl.dll) version 3.60.0128 suffers from stack buffer overflow vulnerability.
1f74a1a4ce723616f317b2c385cfb28c0333209fe68e3f334202488fee4929f5This Metasploit module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than how much is available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. At this time, for IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
2fdc9c5c7f7d444b003b94e6d9ac9413e9711bc63c367b5bb555b0a3a0fecd1cThis Metasploit module allows remote attackers to place arbitrary files on a users file system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr" class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll 2.7.2.0). Code execution can be achieved by first uploading the payload to the remote machine embedding a vbs file, and then upload another mof file, which enables Windows Management Instrumentation service to execute the vbs. Please note that this module currently only works for Windows before Vista.
c66cbdd79894baf457dc97ef60cf3e98f8679bc1cdd968b80f389d4705ee544fThis Metasploit module exploits a vulnerability found in McAfee Security-as-a-Service. The ShowReport() function (located in the myCIOScn.dll ActiveX component) fails to check the FileName argument, and passes it on to a ShellExecuteW() function, therefore allows any malicious attacker to execute any process that's on the local system. However, if the victim machine is connected to a remote share (or something similar), then it's also possible to execute arbitrary code. Please note that a custom template is required for the payload, because the default Metasploit template is detectable by McAfee -- any Windows binary, such as calc.exe or notepad.exe, should bypass McAfee fine.
debeb437470fa8e3b3a3c92cf587bcdbed8db74bfac9bf2f8a818ac7dc6ffb9dSecunia Security Advisory - Parvez Anwar has discovered a weakness in HP PKI ActiveX control, which can be exploited by malicious people to cause a DoS (Denial of Service).
ca79902a496720c54c8d371eff1416a450cbf56cf7f93599f1ae157f4f7a18e6Zero Day Initiative Advisory 12-014 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Easy Printer Care. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XMLSimpleAccessor ActiveX control (CLSID: {466576F3-19B6-4FF1-BD48-3E0E1BFB96E9}). By passing an overlong string to the LoadXML() method it is possible to trigger a heap corruption vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code on the affected machine under the context of the user running the Internet Explorer process.
4c0d8147a4cc744a03c4b805f15c9dfd3c1b87e71dd48d95d2810e446ce52c6dZero Day Initiative Advisory 12-013 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Easy Printer Care. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XMLCacheMgr class ActiveX control (CLSID 6F255F99-6961-48DC-B17E-6E1BCCBC0EE3). The CacheDocumentXMLWithId() method is vulnerable to directory traversal and arbitrary write, which allows an attacker to write malicious content to the filesystem. A remote attacker could leverage this vulnerability to gain code execution under the context of the web browser.
fb8b831fc3f8ef0caabf7245c41d9901f42f711cc94d051774a0ba7e986d52a1Secunia Research has discovered a vulnerability in NTR ActiveX control, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by missing input validation in the handling of the "StopModule()" method and can be exploited via a specially crafted "lModule" parameter to reference an expected module structure at an arbitrary memory address. This can be exploited to dereference an arbitrary value in memory as a function pointer. Successful exploitation allows execution of arbitrary code. NTR ActiveX Control version 1.1.8 is affected.
f4c7913670d60302279ef9cbc25fdd9fd7774592fda24b75eade05cc79505853Secunia Research has discovered four buffer overflows in the NTR ActiveX control, which can be exploited by malicious people to compromise a user's system. NTR ActiveX Control version 1.1.8 is affected.
749b21b3ffb4706107fa23982681c9002436ae13b7acd96089e1d8988fdcb778Secunia Security Advisory - Secunia Research has discovered multiple vulnerabilities in NTR ActiveX control, which can be exploited by malicious people to compromise a user's system.
5a0bf7c4dc4475cb359176df4b7139e7e02f704e20a1c2650c326eadf6978001VUPEN Vulnerability Research Team discovered a vulnerability in Adobe Flash Player. The vulnerability is caused by an uninitialized stack variable when processing an invalid "SAlign" property of the Flash ActiveX control, which could be exploited by remote attackers to compromise a vulnerable system via a specially crafted web page. Versions prior to 11.1.102.55 are affected.
10561391d54ae2a2a00c408b11bdbca9246b41da1060d29b93367e7f6c836d46Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method. The victim will first be required to trust the publisher Viscom Software. This Metasploit module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7 with Java support.
902c4d348e0eb89f02c1aff016e36bb2f309e424dad941285a19cf704212a739Secunia Security Advisory - Secunia Research has discovered a vulnerability in DVR Remote ActiveX Control, which can be exploited by malicious people to compromise a user's system.
23f1efc9d6e496431a8e8c869d66a0c3e776bd5c6c160ef5a33da2d141374643Secunia Research has discovered a vulnerability in DVR Remote ActiveX Control version 2.1.0.39, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by the ActiveX control during instantiation automatically downloading and loading DVRobot.dll from the "manifest" folder of the web server invoking the ActiveX control. Successful exploitation allows execution of arbitrary code via a specially crafted web page and hosted DVRobot.dll file.
e641c5041e65c7dcb486319e4f9f229021c6007e19079a2a67952f9abfd2a4b8Zero Day Initiative Advisory 11-318 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Zenworks Software Packaging. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the function LaunchProcess exposed via the LaunchHelp.dll ActiveX Control (ProgID LaunchHelp.HelpLauncher.1). The first argument to LaunchProcess is a path to a command to execute, but the argument is not sanitized and is subject to directory traversal. This can be exploited to execute arbitrary commands on the user's system.
414aacdeaade097f375906131317048411d761ffbad30cc32727276540651352Zero Day Initiative Advisory 11-317 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENWorks. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists due to the inclusion and usage of an antique ActiveX control (mscomct2.ocx: Tue Mar 14 18:39:28 2000). Though mscomct2.ocx has been killbitted, it is accessed by ZENWorks via an intermediate control (ISList.ISAvi) which is scriptable. Multiple vulnerabilities in mscomct2.ocx can be exploited to execute arbitrary code on the host system in the context of the browser.
4a2b8be9eb397d3b748dd8e1b7395759b6efcfc479b576418226409f61e71bfbSecunia Security Advisory - A vulnerability has been discovered in Bennet-Tec TList ActiveX Control, which can be exploited by malicious people to compromise a user's system.
8f8a950f99e22dc7046d955be0900a1a5c15511ea3e85255d549b4b108976b03The GDTelcom Speedtest active-x control suffers from a remote denial of service vulnerability.
fdbf2fe779b3ff14c40626597da07f02956ca4255fb890932c52ef652bc4d5b4Oracle Hyperion Financial Management suffers from a code execution vulnerability in the TList6 active-x control.
a59b5e3567a781774f959f2ec3772f48798978127e2d4cbe4bbc80b6256ae281Microsys PROMOTIC version 8.1.4 suffers from a code execution vulnerability due to an uninitialized pointer that is exploitable via the GetPromoticSite method of the PmTable.ocx active-x control.
b0a62dda9986c2c4f7a5bd5b6f586762d0e8b4383c7500db646fd8cb0ea01ab5Oracle AutoVue version 20.0.1 suffers from an AutoVueX Active-X Control SaveViewStateToFile remote file creation / overwrite vulnerability. Proof of concept code included.
aeb1dfdd12a44a730bcec5864f95e60c365b938d372f776b6178f5919b0b4cf8Oracle AutoVue version 20.0.1 suffers from an AutoVueX Active-X Control Export3DBom remote code execution vulnerability. Proof of concept code included.
f6e3523ba390057db8b6b08be7f5fe37093ca96f4f6757e658263c95e5e02a38
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed