CVE-2008-2551
Published: 2008-06-04
Priority P2 69 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 46.94% (98.7th percentile)
The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icona | instant_messenger | — | — |
Detection & IOCs (extracted from sources)
- Target user-agent filtering: the exploit only proceeds against Internet Explorer (MSIE) or requests with 'File Session' in the User-Agent, which is used by the ActiveX control when fetching the payload EXE. Monitor for HTTP requests carrying 'File Session' as the User-Agent originating from ActiveX controls.
- The payload is served as 'application/octet-stream' from the same web server URI that hosts the exploit HTML. Correlate HTTP responses with Content-Type: application/octet-stream following an ActiveX exploit page request from the same client.
- The Metasploit module uses 'migrate -f' as an InitialAutoRunScript, meaning the payload process will attempt to migrate into another process immediately after execution. Monitor for unexpected process injection or migration activity following execution of a downloaded binary.
- The vulnerable component is version-specific: only Icona SpA C6 Messenger 1.0.0.1 is confirmed affected. The DownloaderActiveX.ocx ActiveX control must be registered on the victim system for exploitation to succeed.
- Exploitation requires the victim to be using Internet Explorer, as the ActiveX control is only instantiated in IE-based browsers. Non-IE browsers are explicitly rejected by the exploit module.
- The downloaded and executed payload runs in the context of the currently logged-on user, meaning privilege level depends on the victim's account. No privilege escalation is built into the exploit.
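The correlation described in the first two bullets, as an added example (not from this page's sources): it flags a fetch that carries the 'File Session' User-Agent and receives application/octet-stream, and raises confidence when the same client loaded an HTML page in Internet Explorer from the same host and URI shortly before. The tab-separated log layout, field names, five-minute window and sample lines are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed proxy log (TSV): time, client, host, uri, user-agent, response content-type.
SAMPLE_LOG = """\
2024-01-01T10:00:00\t10.0.0.5\tsite.example\t/promo\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\ttext/html
2024-01-01T10:00:02\t10.0.0.5\tsite.example\t/promo\tFile Session\tapplication/octet-stream
2024-01-01T10:05:00\t10.0.0.9\tcdn.example\t/setup.exe\tMozilla/5.0 (Windows NT 10.0) Firefox/120.0\tapplication/octet-stream
2024-01-01T11:00:00\t10.0.0.7\tfiles.example\t/get\tFile Session\tapplication/octet-stream
2024-01-01T12:00:00\t10.0.0.8\tnews.example\t/index\tMozilla/4.0 (compatible; MSIE 6.0)\ttext/html
"""

FIELDS = ["ts", "client", "host", "uri", "ua", "ctype"]  # assumed column order


def parse(log_text):
    """Yield one dict per log line, with 'ts' converted to a datetime."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS,
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        row["ts"] = datetime.fromisoformat(row["ts"])
        yield row


def detect(log_text, window=timedelta(minutes=5)):
    """Return alerts for 'File Session' binary fetches, correlated with IE page loads."""
    pages = {}   # (client, host, uri) -> last time IE fetched an HTML page there
    alerts = []
    for r in sorted(parse(log_text), key=lambda r: r["ts"]):
        key = (r["client"], r["host"], r["uri"])
        ctype = r["ctype"].split(";")[0].strip().lower()  # drop any charset suffix
        if "MSIE" in r["ua"] and ctype == "text/html":
            pages[key] = r["ts"]
        elif "File Session" in r["ua"] and ctype == "application/octet-stream":
            seen = pages.get(key)
            correlated = seen is not None and r["ts"] - seen <= window
            alerts.append({"client": r["client"],
                           "url": r["host"] + r["uri"],
                           "confidence": "high" if correlated else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An ordinary browser download of a binary (the Firefox line) is not flagged, because the rule keys on the control's User-Agent rather than on the content type alone.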
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
GHSA-cw37-7g3c-9hc9: The DownloaderActiveX Control (DownloaderActiveX
ghsa_unreviewed·2022-05-01
CVE-2008-2551 [HIGH] GHSA-cw37-7g3c-9hc9: The DownloaderActiveX Control (DownloaderActiveX
The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."
VulnCheck
Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download Vulnerability
vulncheck·2008·CVSS 9.3
CVE-2008-2551 [CRITICAL] Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download Vulnerability
The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."
Affected: icona instant_messenger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
No detection rules found.
Exploit-DB
Icona SpA C6 Messenger - DownloaderActiveX Control Arbitrary File Download and Execute (Metasploit)
exploitdb·2012-02-02
CVE-2008-2551 Icona SpA C6 Messenger - DownloaderActiveX Control Arbitrary File Download and Execute (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
  'Description' => %q{
    This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
    vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
    insecure control can be abused to download and execute arbitrary files in the context of
    the currently logged-on user.
  },
  'License' =>
```
Exploit-DB
C6 Messenger - ActiveX Remote Download and Execute
exploitdb·2008-06-03
CVE-2008-2551 C6 Messenger - ActiveX Remote Download and Execute
---
# milw0rm.com [2008-06-03]
Metasploit
Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute
metasploit
This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The insecure control can be abused to download and execute arbitrary files in the context of the currently logged-on user.
No writeups or analysis indexed.
- http://secunia.com/advisories/30512
- http://securityreason.com/securityalert/3926
- http://www.securityfocus.com/archive/1/493019/100/0/threaded
- http://www.securityfocus.com/bid/29519
- http://www.vupen.com/english/advisories/2008/1733/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42825
- https://www.exploit-db.com/exploits/5732