search menu icon-carat-right cmu-wordmark

CERT Coordination Center


MS ActiveMovieControl Object downloads arbitrary files

Vulnerability Note VU#31994

Original Release Date: 2000-11-16 | Last Revised: 2001-01-11

Overview

Description

This vulnerability is actually the same as the Cache Bypass issue described in VU#38950. This document is provided for people looking for information based on publicly available exploits using the Active Movie control. The flaw is not in the Active Movie control per se, but rather in shared code for handling the Internet cache and file downloads. See the Cache Bypass vulnerability note for more information about the full scope of this vulnerability.

The Cache Bypass vulnerability (as exploited using the Active Movie control) allows an attacker to download a specified file to the user's local hard drive. Since local files have greater privileges than files accessible via network filesystems, an attacker can use this additional privilege to execute arbitrary commands using a vulnerability such as the HHCtrl vulnerability (VU#25249). The attacker simply need to supply the file, and specify it's destination using the "Filename" parameter to the Active Movie control. Because the Active Movie control indicates that it is safe-for-scripting using the IObjectSafety interface, an attacker may be able to script this control and exploit the vulnerability when you visit a web page.

This control is implemented in the file msdxm.ocx and has a ClassID of {05589FA1-C356-11CE-BF01-00AA0055595A}.

Impact

Attacker can place arbitrary files on the local file system. This can lead to the ability to execute arbitrary commands on the victim's system, using a vulnerability such as the compiled help issue described in VU#25249.

Solution

Apply a Patch

This vulnerability is corrected by the Cache Bypass patch contained in Microsoft Security Bulletin MS00-046:

http://www.microsoft.com/technet/security/bulletin/MS00-046.asp

Disable "Script ActiveX controls marked safe for scripting"


In your Internet Explorer security settings, set this option to "disable" or "prompt". This workaround is not complete, since attackers could exploit the Cache Bypass vulnerability using other techniques.

Vendor Information

31994
Expand all

Microsoft

Notified:  May 25, 2000 Updated:  November 15, 2000

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft Security Bulletin MS00-046 says in several places that the attacker cannot "add, change, or delete files". Based on our understanding of the vulnerability, the attacker can add and possibly change (by overwriting) files.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Microsoft for clarifying the relationship between this issue and the Cache Bypass vulnerability.

This document was written by Cory F Cohen.

Other Information

CVE IDs: CVE-2000-0400
CERT Advisory: CA-2000-14
Severity Metric: 21.69
Date Public: 2000-05-13
Date First Published: 2000-11-16
Date Last Updated: 2001-01-11 18:25 UTC
Document Revision: 5

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.