Thursday, December 23, 2010

0day Exploit for WMI Administrative Tools

Microsoft WMI Administrative Tools is prone to a remote code-execution vulnerability that affects the WMI Object Viewer ('WBEMSingleView.ocx') ActiveX control.

The vulnerabilities are caused due to the "AddContextRef()" and "ReleaseContext()" methods in the WMI Object Viewer Control (WBEM.SingleViewCtrl.1) using a value passed in the "lCtxHandle" parameter as an object pointer.

An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. Successful exploits will allow the attacker to execute arbitrary code within the context of the application (typically Internet Explorer) that uses the ActiveX control.

The vulnerabilities are confirmed in version 1.1 (WBEMSingleView.ocx 1.50.1131.0).

Workaround:
Set the kill-bit for the affected ActiveX control.


PoC Exploit is available at:


Reference: