Assurent VR - Microsoft Agent Crafted URL Stack Buffer Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Assurent VR - Microsoft Agent Crafted URL Stack Buffer Overflow
From: VR-Subscription-noreply@xxxxxxxxxxxx
Date: 11 Sep 2007 17:38:33 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Microsoft Agent Crafted URL Stack Buffer Overflow

Assurent ID: FSC20070911-11 


1. Affected Software

Microsoft Agent, version 2.0.0.3425 (bundled with Windows 2000 Service Pack 4)

Reference: http://www.microsoft.com/msagent/


2. Vulnerability Summary

The Microsoft Agent ActiveX control contains a buffer overflow vulnerability 
that allows remote attackers to inject and execute arbitrary code with the 
privileges of the currently logged in user.

The affected ActiveX control is registered as below:

  File: agentdpv.dll
  ProgID: Agent.Control
  CLASSID: D45FD31B-5C6E-11D1-9EC1-00C04FD7081F


3. Vulnerability Analysis

The target user is enticed to view a malicious web page. The script in the web 
page calls a method of the affected ActiveX control with malicious arguments. A 
stack-based buffer will be overrun upon processing the malicious script.

Assurent has confirmed that code execution is possible. The code in such a case 
would execute within the security context of the currently logged in user.

In an attack case where code injection is not successful, the affected 
application will terminate abnormally.

Note that although this vulnerability is exploited through Internet Explorer, 
the affected application is the Microsoft Agent application.


4. Vulnerability Detection

Assurent has confirmed the vulnerability in Microsoft Agent shipped with 
Windows 2000 SP4. The confirmed vulnerable file version is 2.0.0.3425. Earlier 
versions may also be affected.


5. Workaround

Setting the kill bit for the vulnerable ActiveX control's CLSID will prevent 
this issue from being exploited via Internet Explorer. 


6. Vendor Response

Microsoft has released a bulletin addressing this vulnerability as part of the 
September 2007 update cycle.
Reference: http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx


7. Disclosure Timeline

  04/18/2007 Reported to vendor
  04/23/2007 Initial vendor response
  09/10/2007 Coordinated public disclosure

8. Credits

Vulnerability Research Team, Assurent Secure Technologies, a TELUS company


9. References

  CVE: CVE-2007-3040
  Vendor: MS07-051


10. About Assurent VRS

Assurent's Vulnerability Research Service (VRS) for security product vendors, 
and Threat Protection Programs (TPP) for MSPs and enterprise security teams, 
help to eliminate the significant costs incurred by security product vendors, 
MSPs, and enterprise security teams in responding to and managing critical new 
security vulnerabilities and other threats including worm & virus outbreaks and 
high-risk spyware. The VRS and TPP services are real-time feeds providing 
subscribers with detailed analysis of the top security vulnerabilities, focused 
on the specific needs of each group of customers. 

http://www.assurent.com/

Prev by Date: NuclearBB Alpha 2 Remote File Inclusion
Next by Date: [SECURITY] [DSA 1371-1] New phpwiki packages fix several vulnerabilities
Previous by thread: NuclearBB Alpha 2 Remote File Inclusion
Next by thread: [SECURITY] [DSA 1371-1] New phpwiki packages fix several vulnerabilities
Index(es):
- Date
- Thread