VID 28123
Severity 40
Port 139,445
Protocol TCP
Class SMB
Detailed Description The Windows host has an XCP uninstallation ActiveX control that allows remote code execution. The CodeSupport.ocx ActiveX control, used by Sony to uninstall the First4Internet XCP DRM software, is marked "safe for scripting", which allows a remote attacker to execute arbitrary code on the system. The control is installed through Internet Explorer when the user uninstalls the XCP DRM software by visiting the vendor's website. Because it is marked "safe for scripting", any web page the user visits can invoke its methods, several of which are potentially dangerous, such as "RebootMachine", "InstallUpdate", and "IsAdministrator". This can be exploited to install arbitrary code on the user's system. Successful exploitation requires that the user visit a malicious website.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed and all vulnerable hosts are reported as false negatives.

* References:
http://hack.fi/~muzzy/sony-drm/
http://www.freedom-to-tinker.com/?p=927
http://www.frsirt.com/english/advisories/2005/2454
http://secunia.com/advisories/17610/
http://www.kb.cert.org/vuls/id/312073

* Platforms Affected:
First4Internet, CodeSupport ActiveX control
Microsoft Windows Any version
Recommendation Remove the ActiveX control from the affected system by the following steps:

1. Locate the file 'codesupport.ocx'.
2. Run the following commands from a command prompt
(assuming the file is located in '%windir%\Downloaded Program Files'; the path contains spaces, so it must be enclosed in double quotes)

regsvr32 /u "%windir%\Downloaded Program Files\codesupport.ocx"
cmd /k del "%windir%\Downloaded Program Files\codesupport.ocx"
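The following PowerShell script is an added example, not the scanner's own check, that performs the same detection locally: it finds every CLSID whose in-process server is codesupport.ocx, reports whether the control carries the "safe for scripting" category, and optionally runs the unregister-and-delete steps above. It assumes the control is registered under HKCR\CLSID and uses the standard CATID_SafeForScripting GUID.

```powershell
# Added example (not the scanner's own check): locate registered ActiveX
# controls served by codesupport.ocx, report whether they are marked
# "safe for scripting", and optionally remediate. Run in an elevated
# PowerShell on the Windows host.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # standard CATID_SafeForScripting
$Target    = 'codesupport.ocx'
$Remediate = $false   # set to $true to unregister and delete the file

$findings = @()
foreach ($clsid in Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    # InprocServer32's default value is the path of the DLL/OCX implementing the control
    $server = Get-ItemProperty -Path "$($clsid.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $server) { continue }
    $ocx = [string]$server.'(default)'
    if ($ocx -notmatch [regex]::Escape($Target)) { continue }

    $path = [Environment]::ExpandEnvironmentVariables($ocx)
    # The "Implemented Categories" subkey lists the component categories the control claims
    $catKey = "$($clsid.PSPath)\Implemented Categories\$SafeForScripting"
    $findings += [pscustomobject]@{
        CLSID            = $clsid.PSChildName
        Server           = $path
        FileExists       = Test-Path -LiteralPath $path
        SafeForScripting = Test-Path -LiteralPath $catKey
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No CLSID references $Target; the host does not appear to have the control registered."
    return
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { $_.FileExists }) {
        # Same remediation as the recommendation above: unregister the control, then delete it
        Write-Output "Unregistering and deleting $($f.Server)"
        & regsvr32.exe /u /s "$($f.Server)"
        Remove-Item -LiteralPath $f.Server -Force
    }
}
```

A row with SafeForScripting set to True is the condition the advisory describes; a control that is registered but whose file no longer exists indicates a partial cleanup and can be removed with regsvr32 /u as above.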
Related URL CVE-2005-3650 (CVE)
Related URL 15430 (SecurityFocus)
Related URL 23063 (ISS)