Lucene search
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.YAHOO_MSGR_YMAILATTACH_ACTIVEX_BUFFER_OVERFLOW.NASLHistoryDec 15, 2006 - 12:00 a.m.
Yahoo! Messenger YMMAPI.YMailAttach ActiveX (ymmapi.dll) Overflow
2006-12-1500:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
7
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.079 Low
EPSS
Percentile
94.3%
The remote host contains a version of the ‘YMailAttach’ ActiveX control included with Yahoo! Messenger.
The version of this ActiveX control on the remote host reportedly has an unspecified buffer overflow. If an attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user’s privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(23870);
script_version("1.21");
script_cvs_date("Date: 2018/08/07 16:46:51");
script_cve_id("CVE-2006-6603");
script_bugtraq_id(21607);
script_name(english:"Yahoo! Messenger YMMAPI.YMailAttach ActiveX (ymmapi.dll) Overflow");
script_summary(english:"Checks version of YMailAttach ActiveX control");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by a
buffer vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host contains a version of the 'YMailAttach' ActiveX
control included with Yahoo! Messenger.
The version of this ActiveX control on the remote host reportedly has
an unspecified buffer overflow. If an attacker can trick a user on the
affected host into visiting a specially crafted web page, he may be
able to leverage this issue to execute arbitrary code on the host
subject to the user's privileges.");
# http://web.archive.org/web/20111127005539/http://messenger.yahoo.com/security/view/20061208
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8fb047d0");
script_set_attribute(attribute:"solution", value:"Update to the latest version of Yahoo! Messenger.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:yahoo:messenger");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("audit.inc");
# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name = kb_smb_name();
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
NetUseDel();
exit(0);
}
# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
NetUseDel();
exit(0);
}
# Check whether it's installed.
clsid = '{AA218328-0EA8-4D70-8972-E987A9190FF4}';
file = NULL;
key = "SOFTWARE\Classes\CLSID\" + clsid + "\InprocServer32";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
value = RegQueryValue(handle:key_h, item:NULL);
if (!isnull(value)) file = value[1];
RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(file)) {
NetUseDel();
exit(0);
}
# Determine the version from the control itself.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
dll = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
NetUseDel();
exit(0);
}
fh = CreateFile(
file:dll,
desired_access:GENERIC_READ,
file_attributes:FILE_ATTRIBUTE_NORMAL,
share_mode:FILE_SHARE_READ,
create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
ver = GetFileVersion(handle:fh);
CloseFile(handle:fh);
}
# Check the version number.
if (!isnull(ver))
{
fix = split("2005.1.1.4", sep:'.', keep:FALSE);
for (i=0; i<4; i++)
fix[i] = int(fix[i]);
for (i=0; i<max_index(ver); i++)
if ((ver[i] < fix[i]))
{
version = string(ver[0], ".", ver[1], ".", ver[2], ".", ver[3]);
report = string(
"Version ", version, " of the control is installed as \n",
"\n",
" ", file, "\n"
);
security_hole(port:port, extra: report);
break;
}
else if (ver[i] > fix[i])
break;
}
# Clean up.
NetUseDel();
Related
cvelist
cvelist
CVE-2006-6603
2006-12-15 22:00:00
cve
cve
CVE-2006-6603
2006-12-15 22:28:00
cert
cert
Yahoo Messenger YMailAttach ActiveX control buffer overflow
2006-12-15 00:00:00
nvd
nvd
CVE-2006-6603
2006-12-15 22:28:00
checkpoint_advisories
checkpoint_advisories
Yahoo Messenger YMailAttach ActiveX Control Buffer Overflow (CVE-2006-6603)
2010-02-22 00:00:00
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.079 Low
EPSS
Percentile
94.3%
Related for YAHOO_MSGR_YMAILATTACH_ACTIVEX_BUFFER_OVERFLOW.NASL