CVE-2006-5198
Published 2006-11-14
Priority: P3 43 · medium · 4 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 60.20% (99.0th percentile)
The WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 before build 7245 allows remote attackers to execute arbitrary code via unspecified "unsafe methods."
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| winzip | winzip | <= 10.0 | — |
| winzip | winzip | — | — |
| winzip | winzip | — | — |
| winzip | winzip | — | — |
| winzip | winzip | — | — |
| winzip | winzip | — | — |
| winzip | winzip | — | — |
Detection & IOCs
- Detect instantiation of the vulnerable ActiveX control by its CLSID {A09AE68F-B14D-43ED-B713-BA413F034904} in web content or registry
- Monitor for calls to the CreateNewFolderFromName method on the WZFILEVIEW.FileViewCtrl.61 ActiveX control, especially with long string arguments, as this is the exploited method
- The exploit uses a heap-spray return address of 0x0c0c0c0c targeting Windows XP SP0-SP2 with IE 6/7; look for this value in memory or network payloads
- The control is marked safe for scripting and safe for initialization, meaning it can be silently instantiated from a web page; inspect HTML/JS for object tags referencing the CLSID or ProgID WZFILEVIEW.FileViewCtrl.61
- The Metasploit module targets only Windows XP SP0-SP2 with IE 6.0 SP0-SP2 or IE 7; exploitation on other platforms is not confirmed by this module
- Affected versions are WinZip 10.0 up to and including Build 6667; builds beyond 6667 may not be vulnerable to CVE-2006-5198 (note: CVE-2006-6884 is a distinct but related vulnerability in the same control)
- CVE-2006-6884 is a different vulnerability in the same ActiveX control (CreateNewFolderFromName) and should not be confused with CVE-2006-5198
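The indicators listed above, combined into a small static scanner for saved HTML/JS content. This is an added example, not code from the page's sources; the rule names, the 256-character threshold, the spellings of the spray value and the sample pages are assumptions constructed for illustration.

```python
import html
import re

# Identifiers below are the ones quoted on this page.
CLSID = "A09AE68F-B14D-43ED-B713-BA413F034904"
PROGID = "WZFILEVIEW.FileViewCtrl.61"
METHOD = "CreateNewFolderFromName"
LONG_ARG = 256  # assumption: string-literal length treated as "long"

RULES = {
    "clsid-object-tag": re.compile(
        r"<object\b[^>]*\bclassid\s*=\s*[\"']?\s*clsid:\s*\{?" + re.escape(CLSID), re.I),
    "clsid-reference": re.compile(re.escape(CLSID), re.I),
    "progid-reference": re.compile(re.escape(PROGID), re.I),
    "method-call": re.compile(r"\.\s*" + METHOD + r"\s*\(", re.I),
    # 0x0c0c0c0c in spellings assumed common in script and text payloads
    "spray-address": re.compile(r"(?:%u0c0c){2}|(?:\\x0c){4}|0x0c0c0c0c", re.I),
}
LITERAL_CALL = re.compile(METHOD + r"\s*\(\s*([\"'])(.*?)\1", re.I | re.S)
CONTROL = {"clsid-object-tag", "clsid-reference", "progid-reference"}

def scan(content):
    """Return the sorted names of the indicators found in HTML/JS text."""
    text = html.unescape(content)  # undo &#65;-style entity encoding first
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if any(len(m.group(2)) >= LONG_ARG for m in LITERAL_CALL.finditer(text)):
        hits.add("long-literal-argument")
    return sorted(hits)

def verdict(hits):
    """alert: control plus exploited method or spray value; review: either alone."""
    found = set(hits)
    if found & CONTROL and found & {"method-call", "spray-address"}:
        return "alert"
    return "review" if found & (CONTROL | {"method-call"}) else "clean"

# Constructed sample pages (not captured traffic).
EMBED = ('<object classid="clsid:&#65;09AE68F-B14D-43ED-B713-BA413F034904" id="fv">'
         '</object><script>fv.CreateNewFolderFromName(name);</script>')
PROGID_ONLY = '<script>var o = new ActiveXObject("WZFILEVIEW.FileViewCtrl.61");</script>'
BENIGN = '<object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000"></object>'

if __name__ == "__main__":
    for name, page in (("embed", EMBED), ("progid", PROGID_ONLY), ("benign", BENIGN)):
        print(name, verdict(scan(page)), scan(page))
```

Static matching of this kind misses identifiers assembled at runtime by string concatenation, so a "clean" result on script-heavy content is not proof that the control is absent.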
CVSS provenance
nvd · v2.0 · 4.0 · MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:N
vulncheck · 4.0 · MEDIUM
GHSA
CVE-2006-5198 [MEDIUM] GHSA-jj96-m2qh-64mp: The WZFILEVIEW
ghsa_unreviewed · 2022-05-01
The WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 before build 7245 allows remote attackers to execute arbitrary code via unspecified "unsafe methods."
GHSA
CVE-2006-3890 [MEDIUM] GHSA-h93x-p3vc-8fx7: Stack-based buffer overflow in the Sky Software FileView ActiveX control, as used in WinZip 10 before build 7245 and in certain other applications, al
ghsa_unreviewed · 2022-05-01 · CVSS 4.0
Stack-based buffer overflow in the Sky Software FileView ActiveX control, as used in WinZip 10 before build 7245 and in certain other applications, allows remote attackers to execute arbitrary code via a long FilePattern attribute in a WZFILEVIEW object, a different vulnerability than CVE-2006-5198.
GHSA
CVE-2006-6884 [MEDIUM] CWE-119 GHSA-74v5-jm2f-x8j9: Buffer overflow in the WZFILEVIEW
ghsa_unreviewed · 2022-05-01 · CVSS 4.0
Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 Build 6667 allows remote attackers to execute arbitrary code via a long argument to the CreateNewFolderFromName method, a different vulnerability than CVE-2006-5198.
VulnCheck
CVE-2006-6884 [MEDIUM] winzip winzip Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2006 · CVSS 4.0
Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 Build 6667 allows remote attackers to execute arbitrary code via a long argument to the CreateNewFolderFromName method, a different vulnerability than CVE-2006-5198.
Affected: winzip winzip
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20090323012515/http://securitylabs.websense.com/content/Alerts/3326.aspx; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
CVE-2006-5198 WinZip FileView - 'WZFILEVIEW.FileViewCtrl.61' ActiveX Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
---
##
# $Id: winzip_fileview.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => 'CreateNewFolderFromName',
:classid => '{A09AE68F-B14D-43ED-B713-BA413F034904}',
:rank => NormalRanking # reliable memory corruption
})
def initialize(info = {})
super(update_info(info,
'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer
Metasploit
WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow
metasploit
The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a remote attacker to execute arbitrary code on the system. The control contains several unsafe methods and is marked safe for scripting and safe for initialization. A remote attacker could exploit this vulnerability to execute arbitrary code on the victim system. WinZip 10.0 <= Build 6667 are vulnerable.
No writeups or analysis indexed.
- http://isc.sans.org/diary.php?storyid=1861
- http://secunia.com/advisories/22891
- http://securitytracker.com/id?1017226
- http://www.kb.cert.org/vuls/id/512804
- http://www.securityfocus.com/archive/1/451589/100/0/threaded
- http://www.securityfocus.com/bid/21060
- http://www.vupen.com/english/advisories/2006/4509
- http://www.winzip.com/wz7245.htm
- http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-067