Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
BID:39478
Info
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
| Bugtraq ID: | 39478 |
| Class: | Input Validation Error |
| CVE: |
CVE-2010-0589 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 14 2010 12:00AM |
| Updated: | Mar 19 2015 08:23AM |
| Credit: | Anonymous researcher working with TippingPoint's Zero Day Initiative. |
| Vulnerable: |
Cisco Secure Desktop 3.4.2048 Cisco Secure Desktop 3.1.1 Cisco Secure Desktop 3.2 Cisco Secure Desktop 3.1.1.45 Cisco Secure Desktop 3.1.1.33 Cisco Secure Desktop 3.1 |
| Not Vulnerable: |
Cisco Secure Desktop 3.5.1077 Cisco Secure Desktop 3.5.841 |
Discussion
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
A Cisco Secure Desktop ActiveX control is prone to a vulnerability that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.
Attackers may exploit this issue to put malicious files in arbitrary locations on a victim's computer. Successful exploits will allow attackers to execute arbitrary code within the context of the currently logged-in user.
This issue is being tracked by Cisco Bug ID CSCta25876.
A Cisco Secure Desktop ActiveX control is prone to a vulnerability that can cause malicious files to be downloaded and saved to arbitrary locations on an affected computer.
Attackers may exploit this issue to put malicious files in arbitrary locations on a victim's computer. Successful exploits will allow attackers to execute arbitrary code within the context of the currently logged-in user.
This issue is being tracked by Cisco Bug ID CSCta25876.
Exploit / POC
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage.
An attacker can exploit this issue by enticing an unsuspecting victim to view a malicious webpage.
Solution / Fix
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
Solution:
The vendor has released a bulletin and updates to address this issue. Please see the referenced advisory for more information.
Solution:
The vendor has released a bulletin and updates to address this issue. Please see the referenced advisory for more information.
References
Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability
References:
References:
- Cisco Secure Desktop Homepage (Cisco)
- Cisco Security Advisory: Cisco Secure Desktop ActiveX Control Code Execution Vul (Cisco)
- Microsoft Knowledge Base Article 240797 (Microsoft)
- ZDI-10-072: Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code Exe (ZDI Disclosures
- ZDI-10-072 Cisco Secure Desktop CSDWebInstaller ActiveX Control Remote Code Exec (Zero Day Initiative)