VID | 28125
Severity | 40
Port | 139,445
Protocol | TCP
Class | SMB
Detailed Description |
The Windows host has the SunnComm AxWebRemoveCtrl ActiveX control installed, and this control allows remote code execution. The AxWebRemoveCtrl.ocx control, which Sony used to uninstall the SunnComm XCP DRM software, is marked "safe for scripting", so a remote attacker can execute arbitrary code on the system. The control is installed through Internet Explorer when the user uninstalls the XCP DRM software by visiting the vendor's website. Because it is marked "safe for scripting", any web page can invoke its methods, and it exposes several potentially dangerous ones, such as "RebootMachine", "InstallUpdate", and "IsAdministrator". This can be exploited to install arbitrary code on the user's system. Successful exploitation requires that the user visit a malicious website.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed and every vulnerable host is reported as a false negative.
* References:
http://www.freedom-to-tinker.com/?p=931
http://www.sunncomm.com/support/faq/
http://hack.fi/~muzzy/sony-drm/
http://www.frsirt.com/english/advisories/2005/2493
http://www.osvdb.org/20950
http://secunia.com/advisories/17639
http://support.microsoft.com/kb/240797
* Platforms Affected: SunnComm AxWebRemoveCtrl ActiveX control; Microsoft Windows, any version |
Recommendation |
Remove the ActiveX control from the affected system with the following steps:
1. Locate the file 'AxWebRemoveCtrl.ocx'.
2. Run the following commands from a command prompt (assuming the file is located in '%windir%\downloaded program files'; cmd.exe needs double quotes around paths that contain spaces):
regsvr32 /u "%windir%\downloaded program files\AxWebRemoveCtrl.ocx"
cmd /k del "%windir%\downloaded program files\AxWebRemoveCtrl.ocx" |
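The removal steps above, scripted so they can be run across a fleet, as an added example that is not part of this record and not vendor code. It assumes the control sits in the record's default location or under System32 (the $SearchRoots list is an assumption; extend it if the control was installed elsewhere), and it must run from an elevated prompt because unregistering and deleting under %windir% requires administrator rights.

```powershell
# Added example (not from the original record): locate, unregister and remove
# the AxWebRemoveCtrl.ocx control. The search locations below are assumptions;
# adjust $SearchRoots if the control lives elsewhere on your build.
$ControlName = 'AxWebRemoveCtrl.ocx'
$SearchRoots = @(
    (Join-Path $env:windir 'Downloaded Program Files'),
    (Join-Path $env:windir 'System32')
)

# Collect every copy of the control under the search roots.
$found = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -Path $root -Filter $ControlName -File -Recurse -ErrorAction SilentlyContinue
    }
}

if (-not $found) {
    Write-Output "$ControlName not found under the searched locations; nothing to do."
    return
}

foreach ($ocx in $found) {
    Write-Output "Unregistering $($ocx.FullName)"
    # /u removes the control's COM registration; /s suppresses the result dialog.
    $proc = Start-Process -FilePath "$env:windir\System32\regsvr32.exe" `
        -ArgumentList @('/u', '/s', "`"$($ocx.FullName)`"") -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning "regsvr32 /u returned exit code $($proc.ExitCode) for $($ocx.FullName)"
    }

    # Delete the file and confirm it is really gone (it can be locked by a running browser).
    Remove-Item -LiteralPath $ocx.FullName -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $ocx.FullName) {
        Write-Warning "Could not delete $($ocx.FullName); close Internet Explorer and retry."
    } else {
        Write-Output "Deleted $($ocx.FullName)"
    }
}
```

Unregistering before deleting matters: the scanner check keys on the control's registry entries, so deleting the file alone leaves the host reported as vulnerable. Re-run the scan after the script completes to confirm the finding clears.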
Related URL | CVE-2005-3693 (CVE)
Related URL | (SecurityFocus)
Related URL | 23164 (ISS)