Follow:

Exploit:Win/ActiveX.Fpole.RCE!CVE-2006-4704

Severity rating
Critical

Class/Type
Exploit

Discovered date
2006-12-12T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
No

Signature detection
Medium



On this page




Description

A remote code execution vulnerability exists in the WMI Object Broker control that the WMI Wizard uses in Visual Studio 2005.An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page.



Impact

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.



Technical details (analysis)

WMI Object Broker is an ActiveX control that the WMI Wizard uses in Visual Studio 2005. When a user invokes the WMI Wizard feature of Visual Studio 2005, the wizard internally uses WMI Object Broker to instantiate other controls. These ActiveX controls Fpole.ocx and Foxtlib.ocx were never intended to run in IE. They allow arbitrary invocation of COM objects.



Affected software

Visual Studio 2005 Standard Edition
Visual Studio 2005 Professional Edition
Visual Studio 2005 Team Suite
Visual Studio 2005 Team Edition for Developers
Visual Studio 2005 Team Edition for Architects
Visual Studio 2005 Team Edition for Testers



Non-affected software

Visual Basic 2005 Express Edition
Visual C++ 2005 Express Edition
Visual C# Express Edition
Visual J# Express Edition
Visual Web Developer Express Edition
Visual Studio 2005 Tools For Office
Visual Studio 2005 Team Explorer
Visual Studio 2005 Team Foundation Dual Server
Visual Studio 2005 Team Foundation Single Server
Visual Studio 2005 Team Foundation Proxy
Visual Studio 2005 Team Foundation Build
Visual Studio 2005 Premier Partner Edition



References




Solutions




NIS signature

Name: Exploit:Win/ActiveX.Fpole.RCE!CVE-2006-4704
Release Date: 2006-12-12T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

Disable attempts to instantiate the WMI Object Broker control.
Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX Controls in the Internet and Local intranet security zone.
Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones.