Detections
Analytics

FLEXnet Connect Update Service ActiveX Control Multiple Code Execution Vulnerabilities

critical Nessus Plugin ID 27599

Synopsis

The remote Windows host has an ActiveX control that allows execution of arbitrary code.

Description

Macrovision FLEXnet Connect, formerly known as InstallShield Update Service, is installed on the remote host. It is a software management solution for internally-developed and third-party applications, and may have been installed as part of the FLEXnet Connect SDK, other InstallShield software, or by running FLEXnet Connect-enabled Windows software.

The version of the FLEXnet Connect client on the remote host includes an ActiveX control -- the InstallShield Update Service Agent -- that is marked as 'safe for scripting' and contains several methods that allow for downloading and launching arbitrary programs. If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to execute arbitrary code on the host subject to the user's privileges.

Additionally, it is reportedly affected by a buffer overflow that can be triggered by passing a long argument for 'ProductCode' to the 'DownloadAndExecute()' method.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 6.0.100.65101 or later of the FLEXnet Connect client.

See Also

https://www.securityfocus.com/archive/1/483062/30/0/threaded

https://seclists.org/fulldisclosure/2007/Dec/552

Plugin Details

Severity: Critical

ID: 27599

File Name: flexnet_connect_isusweb_activex.nasl

Version: 1.29

Type: local

Agent: windows

Family: Windows

Published: 11/1/2007

Updated: 9/30/2020

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2007-5660

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:macrovision:update_service, cpe:/a:macrovision:flexnet_connect, cpe:/a:macrovision:installshield_2008

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/30/2007

Exploitable With

CANVAS (CANVAS)

Metasploit (Macrovision InstallShield Update Service ActiveX Unsafe Method)

Reference Information

CVE: CVE-2007-5660, CVE-2007-6654

BID: 26280, 27013

CWE: 119