CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
94.4%
The Windows remote host contains the Download Manager ActiveX control from Akamai, which helps users download content.
The version of this ActiveX control on the remote host reportedly allows downloading and automatic execution of arbitrary code. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this method could be leveraged to execute arbitrary code on the affected system subject to the userβs privileges.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(32082);
script_version("1.20");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2007-6339");
script_bugtraq_id(28993);
script_xref(name:"SECUNIA", value:"30037");
script_name(english:"Akamai Download Manager ActiveX Control < 2.2.3.5 Remote Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that allows remote code
execution.");
script_set_attribute(attribute:"description", value:
"The Windows remote host contains the Download Manager ActiveX control
from Akamai, which helps users download content.
The version of this ActiveX control on the remote host reportedly
allows downloading and automatic execution of arbitrary code. If an
attacker can trick a user on the affected host into visiting a
specially crafted web page, this method could be leveraged to execute
arbitrary code on the affected system subject to the user's
privileges.");
# https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=695
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f59bfc9");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/May/1");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Apr/816");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.2.3.5 or later of the control.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_cwe_id(94);
script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/01");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
# Locate the file used by the control.
if (activex_init() != ACX_OK)
exit(1, "ActiveX initialization failed.");
clsids = make_list("{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}",
"{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}");
info = NULL;
foreach clsid (clsids)
{
file = activex_get_filename(clsid:clsid);
if (file)
{
# Check its version.
ver = activex_get_fileversion(clsid:clsid);
# Fixed version of DownloadManagerV2.ocx == 2.2.3.5
if (ver && activex_check_fileversion(clsid:clsid, fix:"2.2.3.5") == TRUE)
{
if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
{
info += ' - ' + clsid + '\n' +
' ' + file + ', ' + ver + '\n';
if (!thorough_tests) break;
}
}
}
}
activex_end();
if (info)
{
if (report_verbosity > 0)
{
if (report_paranoia > 1)
{
report = string(
"\n",
"Nessus found the following affected control(s) installed :\n",
"\n",
info,
"\n",
"Note that Nessus did not check whether the kill bit was set for\n",
"the control(s) because of the Report Paranoia setting in effect\n",
"when this scan was run.\n"
);
}
else
{
report = string(
"\n",
"Nessus found the following affected control(s) installed :\n",
"\n",
info,
"\n",
"Moreover, the kill bit was not set for the control(s) so they\n",
"are accessible via Internet Explorer.\n"
);
}
security_hole(port:kb_smb_transport(), extra:report);
}
else security_hole(kb_smb_transport());
}