Secunia Research has discovered a vulnerability in Citrix Access Gateway Plug-in for Windows, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by a boundary error in the nsepacom ActiveX control (nsepa.exe) when processing HTTP responses based on the request via the "StartEpa()" method. This can be exploited to cause a heap-based buffer overflow via an overly long "CSEC" HTTP response header. Successful exploitation allows execution of arbitrary code. Citrix Access Gateway Plug-in for Windows version 9.3.49.5 is affected.
88190841a21f5703514230e00d059f52693aa6867752ab05cf5658926bb7ec55Secunia Research has discovered a vulnerability in Citrix Access Gateway Plug-in for Windows, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an integer overflow error in the nsepacom ActiveX control (nsepa.exe) when processing HTTP responses based on the request via the "StartEpa()" method. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Content-Length" HTTP response header. Successful exploitation may allow execution of arbitrary code. Citrix Access Gateway Plug-in for Windows version 9.3.49.5 is affected.
e3fca65bdb01a3b7b24ef54cae23d5e08cd0034667d410d5364cab845d4fe8a7BarCodeWiz Barcode version 4.0.0.0 suffers from an active-x buffer overflow vulnerability.
b100107c50c5435e8468ce713c08d01fee63a0729c92fd3d29da921ea87d64b1Morovia Barcode Professional version 3.8.0 suffers from an active-x file overwrite vulnerability.
1e1a448e430489bae7191a00ab4a67b6395df19750905d33595b962ce815c5a4Secunia Research has discovered a vulnerability in Cisco Linksys PlayerPT ActiveX Control, which can be exploited by malicious people to compromise a user's system. Successful exploitation allows execution of arbitrary code. Cisco Linksys PlayerPT ActiveX Control version 1.0.0.15 is affected. Other versions may also be affected.
a88c10267158fe9cf2d434bc63948819deb102117186a70288596b16e3102081WinGraphviz suffers from an active-x heap overflow vulnerability.
3f6c0b7d807e74cd9fa8d751cc0f4d471d353406a2b674cf66604828a356fc22This Metasploit module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run arbitrary commands on the victim machine. This Metasploit module has been successfully tested with the ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.
56cf9879c132897ee3261274e09284b0d6081bb9dd195db9cee39698cd90dbbaThis Metasploit module exploits a function prototype mismatch on the CQOle ActiveX control in IBM Rational ClearQuest versions prior to 7.1.1.9, 7.1.2.6 or 8.0.0.2 which allows reliable remote code execution when DEP is not enabled.
387ecb02a357ac85525e1e50243fe56012c1987ea3f8ba4a3ee336ab0fb98ed5A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle AutoVue. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AutoVueX.ocx ActiveX object. There exists a method SetMarkupMode() that takes an unbounded string as an argument and copies it to a fixed-length buffer on the stack. This can lead to memory corruption which can be leveraged to execute code under the context of the process.
d0b8d50ce085b0435944a0735fd5ffce0d7e03f8b5c5b4f151b32a911007ff7aZero Day Initiative Advisory 12-113 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Rational ClearQuest. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the CQOle ActiveX control. A function prototype mismatch in an ActiveX wrapper results in an extra argument to be pushed onto the stack, thereby misaligning the stack offset. When the function returns, it can be made to jump to a memory address provided via the ActiveX method call. This can be leveraged to execute arbitrary code under the context of the user running the browser.
ee2420a705a26ed773b1354114c6612b6c63f17469cb4b7177fbc350de395af5Secunia Security Advisory - A vulnerability has been reported in AOL dnUpdater ActiveX Control, which can be exploited by malicious people to compromise a user's system.
fc7a2a87cf39494972026c879d31baadb70d85fcacc86227d58fd63a49bc0a39Zero Day Initiative Advisory 12-098 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of America Online's Toolbar, Desktop, IM, and winamp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the dnUpdater ActiveX Control. When initializing the ActiveX control object, dnu.exe assumes the 5th argument being used for the Init() method, to be a legitimate pointer to a function. This vulnerability can be leveraged to execute code under the context of the user.
a43f556f3d5f1fb2f42adb830bd5d07dc569dc14ea9ec83ad846c3de1fe60ccbThis Metasploit module exploits a remote code execution vulnerability in the tsgetx71ex553.dll ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect initialization under Internet Explorer. While the Tom Sawyer GET Extension Factory is installed with some versions of VMware Infrastructure Client, this module has been tested only with the versions installed with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX control tested is tsgetx71ex553.dll, version 5.5.3.238. This Metasploit module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The dll is installed by default with the Embarcadero software, and loaded by the targeted ActiveX.
9ea26d2b6cb47fda41b9580e28eab68d2c736833da3e4ee9317fb28219b79c3fSecunia Security Advisory - A vulnerability has been reported in IBM Lotus iNotes Upload Module ActiveX Control, which can be exploited by malicious people to compromise a user's system.
40e9f74c75d1237580598b99e0be31ef77450d820802b7f030363c43fe53bd34This Metasploit module exploits a vulnerability in the CNC_Ctrl.dll ActiveX installed with the Samsung NET-i viewer 1.37. Specifically, when supplying a long string for the fname parameter to the BackupToAvi method, an integer overflow occurs, which leads to a posterior buffer overflow due to the use of memcpy with an incorrect size, resulting in remote code execution under the context of the user.
03a28d9b585a04552b2af08e30b7a0771b1cda34693418914dcb8507b373570aSecunia Security Advisory - High-Tech Bridge SA has reported two vulnerabilities in Sony VAIO WifiMan ActiveX Control, which can be exploited by malicious people to compromise a user's system.
16d2dcdaca32ea3a14cba50e2b54183d2bc77f0fef4e5db5fe5eeb062be8f9a9SkinCrafter active-x control version 3.0 suffers from a buffer overflow vulnerability.
30d450dc3599d00c2b250dec0560160d749a900ba9963b7810e0f6b67cf7e422DecisionTools SharpGrid suffers from an active-x related remote command execution vulnerability.
605cb9c8ab0da81a67bc37b2736bffbfe9257a79f8659b7b27c6c01c05f9abb7This Metasploit modules exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
ec86fdc2f4cc78d676680abb952cb10427dad174e2bed743fc0d8633dd49510aSamsung NET-i Viewer version 1.37 active-x SEH overwrite exploit.
89a65827884b5491e386120caa8f2acc5d2507db952b044c4deacb9cceae7d5dSecunia Security Advisory - Andrea Micalizzi has discovered a vulnerability in McAfee Virtual Technician MVTControl ActiveX Control, which can be exploited by malicious people to compromise a user's system.
06c8fb84243af9fec0d2d61b36a0ff99d4226c6244c406f6966f38cf9df01b38McAfee Virtual Technician version 6.3.0.1911 suffers from a MVT.MVTControl.6300 GetObject() active-x control security bypass remote code execution vulnerability.
5a476c9c527f6a272b92f731c3096dfabcad22d8aab8943fa6a023e57ce5a5bdThis Metasploit module exploits an uninitialized variable vulnerability in the Annotation Objects ActiveX component. The activeX component loads into memory without opting into ALSR so this module exploits the vulnerability against windows Vista and Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX points to part of the ROP chain in a heap chunk and the calculated call will hit the pivot in a separate heap chunk. This will take some time in the users browser.
d1cef6f9fc00e9c87f66184e541a23b487e22d0bf005602e5a91c795be80bb5eThis Metasploit module exploits a buffer overflow vulnerability in the Isig.isigCtl.1 ActiveX installed with IBM Tivoli Provisioning Manager Express for Software Distribution 4.1.1. The vulnerability is found in the "RunAndUploadFile" method where the "OtherFields" parameter with user controlled data is used to build a "Content-Disposition" header and attach contents in a insecure way which allows to overflow a buffer in the stack.
cc74382e2035afca25b92161a9b63460e74741bb7ded9bd96d66e5da0d29eb86This Metasploit module exploits a vulnerability found in TRENDnet SecurView Internet Camera's ActiveX control. By supplying a long string of data as the sFilter argument of the OpenFileDlg() function, it is possible to trigger a buffer overflow condition due to WideCharToMultiByte (which converts unicode back to) overwriting the stack more than it should, which results arbitrary code execution under the context of the user.
dbd0c9ab83279260de0fbf18041f491375843cf365e6a1c3874208c117b871ef
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed