#VU6167 Unsafe ActiveX method in UUSee and UUSee UUUpgrade ActiveX control - CVE-2008-7168

Cybersecurity Help s.r.o.

Published: 2017-03-24

Vulnerability identifier: #VU6167

Vulnerability risk: Critical

CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2008-7168

CWE-ID: CWE-618

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
UUSee
Client/Desktop applications / Multimedia software
UUSee UUUpgrade ActiveX control
Client/Desktop applications / Plugins for browsers, ActiveX components

Vendor: UUSEE

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of arguments passed to the "Update()" method in UUUpgrade.ocx ActiveX control. A remote attacker can trick the victim to visit a specially crafted website and upload malicious file into arbitrary location on victim's computer.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: this vulnerability was being actively exploited in the wild.

Mitigation
Install the latest version from vendor's website.

Vulnerable software versions

UUSee: 2008

UUSee UUUpgrade ActiveX control: 3.0.2.12

External links
https://www.exploit-db.com/exploits/31980/
https://www.securityfocus.com/bid/29963/info

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Remote code execution in UUSee UUUpgrade.ocx ActiveX control