CVE-2008-4388
Published: 2009-01-20
Priority: P2 (61) · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 37.72% (98.4th percentile)
The LaunchObj ActiveX control before 5.2.2.865 in launcher.dll in Symantec AppStream Client 5.2.x before 5.2.2 SP3 MP1 does not properly validate downloaded files, which allows remote attackers to execute arbitrary code via the installAppMgr method and unspecified other methods.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | appstream_client | — | — |
Detection & IOCs (extracted from sources)
- Detect HTML pages that invoke the LaunchObj ActiveX installAppMgr() method via OBJECT tags carrying the known CLSID c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61; this is the exploit delivery mechanism for CVE-2008-4388.
- Monitor for JavaScript calls to installAppMgr() in browser context, particularly ones passing a URL whose path ends in .exe, as used by the Metasploit exploit module to download and execute arbitrary payloads.
- Flag HTTP responses with Content-Type 'application/octet-stream' served from the same host that delivers the exploit HTML page; the Metasploit module serves the EXE payload with this content type.
- Detect requests for loading.php with the query parameter spl=ActiveX_pack, the payload staging URL pattern observed in the in-the-wild exploit kit delivering CVE-2008-4388.
- Presence of launcher.dll (the LaunchObj ActiveX control) at version 5.1.0.82 or earlier on a Windows host indicates a vulnerable Symantec AppStream Client installation.
- Caveat: the CLSID AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA appearing in the exploit kit HTML is a placeholder/obfuscated value and should not be used as a reliable detection indicator on its own.
- Caveat: the Metasploit module uses rand_text_alpha to randomize the JavaScript variable name and the EXE filename on each request, so filename-based detection of the payload will not be reliable.
- Caveat: the exploit targets Symantec AppStream Client 5.x specifically; the vulnerability was fixed in version 5.2.2 SP3 MP1, so hosts running patched versions are not affected.
No detection rules found.
Exploit-DB
Symantec AppStream LaunchObj - ActiveX Control Arbitrary File Download and Execute (Metasploit), published 2010-11-24
Module source (excerpt; truncated in the source):

```ruby
##
# $Id: symantec_appstream_unsafe.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute',
'Description' => %q{
This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability
is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the "installAppMgr()"
method. The insecure method can be exp
```
Metasploit
Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute
This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the "installAppMgr()" method. The insecure method can be exploited to download and execute arbitrary files in the context of the currently logged-on user.
References
- http://securitytracker.com/id?1021609
- http://www.kb.cert.org/vuls/id/194505
- http://www.securityfocus.com/bid/33247
- http://www.symantec.com/avcenter/security/Content/2009.01.15.html