AMX VNC ActiveX Control Vulnerability?
pdabrowski
Posts: 184
Hi all, I haven't been here for a while, but I have just seen this one come through in my security feed. It's a few days old; however, I have seen an increase of VNC port traffic that may be of concern for users.
From reading the vulnerability details in the full disclosure lists, the affected products ARE NOT AMX equipment but an ActiveX control used to allow VNC access via good 'ol Internet Explorer - this would not affect users who control panels via native VNC viewer applications (RealVNC, UltraVNC etc...)
With this sort of vulnerability, the attacker first needs to know that the ActiveX control is available for exploit (normally a good chance if they are making a targeted attack on, say, a University), and then needs to either find a way in (past firewalls) or socially engineer a user to click on a link to access a specially crafted webpage to launch the exploit attack. Now, that all seems quite a lot to pull off and make work (and yes, knowing that the ActiveX control is available is the big question...) but there is a real chance that this might be one of a series of exploits used to try and exploit machines in one go .. e.g. try exploit 1, if not try exploit 2 ... and so on....
The mitigation of this seems to be setting the killbit for the CLSID of the affected ActiveX control. http://support.microsoft.com/kb/240797
Full Disclosure Lists Referenced:
http://www.securityfocus.com/bid/24703/info
http://secunia.com/advisories/25891/
http://www.frsirt.com/english/advisories/2007/2387
(also a milw0rm exploit available.. I won't publish that one here).
Att AMX: As this is now on the full disclosure lists, it's public and anyone has access to this info. So for the benefit of techs who deal with the product daily, please don't try and censor this post. I am only posting this now because I could not find any info on the main website or this forum.
0