Vulnerability Note VU#31994

MS ActiveMovieControl Object downloads arbitrary files

Original Release date: 16 Nov 2000 | Last revised: 11 Jan 2001

Overview

Description

This vulnerability is actually the same as the Cache Bypass issue described in VU#38950. This document is provided for people looking for information based on publicly available exploits using the Active Movie control. The flaw is not in the Active Movie control per se, but rather in shared code for handling the Internet cache and file downloads. See the Cache Bypass vulnerability note for more information about the full scope of this vulnerability.

The Cache Bypass vulnerability (as exploited using the Active Movie control) allows an attacker to download a specified file to the user's local hard drive. Since local files have greater privileges than files accessible via network filesystems, an attacker can use this additional privilege to execute arbitrary commands using a vulnerability such as the HHCtrl vulnerability (VU#25249). The attacker simply needs to supply the file and specify its destination using the "Filename" parameter to the Active Movie control. Because the Active Movie control indicates that it is safe-for-scripting using the IObjectSafety interface, an attacker may be able to script this control and exploit the vulnerability when you visit a web page.

This control is implemented in the file msdxm.ocx and has a ClassID of {05589FA1-C356-11CE-BF01-00AA0055595A}.
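For defenders reviewing saved or proxied HTML, the following added example (not part of the original note or any CERT or Microsoft tooling) flags pages that instantiate this ClassID and reports any "Filename" parameter supplied to it. The function and class names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# ClassID of the Active Movie control (msdxm.ocx), as given in this note.
ACTIVE_MOVIE_CLSID = "05589FA1-C356-11CE-BF01-00AA0055595A"

# Constructed sample input; the Filename value is a placeholder.
SAMPLE = """<html><body>
<object id="movie1" classid="clsid:05589fa1-c356-11ce-bf01-00aa0055595a">
<param name="Filename" value="PLACEHOLDER">
</object>
<object classid="CLSID:{00000000-0000-0000-0000-000000000000}"></object>
</body></html>"""

def normalize_classid(value):
    """Reduce 'clsid:{GUID}' or 'CLSID:GUID' forms to a bare upper-case GUID."""
    v = (value or "").strip().upper()
    if v.startswith("CLSID:"):
        v = v[len("CLSID:"):]
    return v.strip().strip("{}")

class ActiveMovieFinder(HTMLParser):
    """Collects every <object> element that instantiates the control."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # one entry per open <object>; None if not this control
        self.findings = []  # dicts with keys: line, id, filename

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "object":
            hit = None
            if normalize_classid(a.get("classid")) == ACTIVE_MOVIE_CLSID:
                hit = {"line": self.getpos()[0], "id": a.get("id"), "filename": None}
                self.findings.append(hit)
            self.stack.append(hit)
        elif tag == "param" and self.stack and self.stack[-1] is not None:
            if (a.get("name") or "").lower() == "filename":
                self.stack[-1]["filename"] = a.get("value")

    def handle_endtag(self, tag):
        if tag == "object" and self.stack:
            self.stack.pop()

def scan_html(text):
    """Return one finding per Active Movie <object> found in the HTML text."""
    finder = ActiveMovieFinder()
    finder.feed(text)
    finder.close()
    return finder.findings
```

This covers only the static `<param>` form; a page that sets the property from script is reported with `filename` left as `None`, so any reference to the ClassID deserves review.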

Impact

An attacker can place arbitrary files on the local file system. This can lead to the ability to execute arbitrary commands on the victim's system, using a vulnerability such as the compiled help issue described in VU#25249.

Solution

Apply a Patch

This vulnerability is corrected by the Cache Bypass patch contained in Microsoft Security Bulletin MS00-046.

Disable "Script ActiveX controls marked safe for scripting"

In your Internet Explorer security settings, set this option to "disable" or "prompt". This workaround is not complete, since attackers could exploit the Cache Bypass vulnerability using other techniques.

Systems Affected

Vendor     Status    Date Notified  Date Updated
Microsoft  Affected  25 May 2000    15 Nov 2000
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Microsoft for clarifying the relationship between this issue and the Cache Bypass vulnerability.

This document was written by Cory F Cohen.

Other Information

  • CVE IDs: CAN-2000-0400
  • CERT Advisory: CA-2000-14
  • Date Public: 13 May 2000
  • Date First Published: 16 Nov 2000
  • Date Last Updated: 11 Jan 2001
  • Severity Metric: 21.69
  • Document Revision: 5
