Unrated severity · NVD Advisory · Published Jun 18, 2007 · Updated Apr 23, 2026

CVE-2007-2923

Description

Novell exteNd Director 4.1 LocalExec.ocx ActiveX control allows remote attackers to execute arbitrary commands via the launch method.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The LocalExec ActiveX control (LocalExec.ocx) in Novell exteNd Director 4.1 and Portal Services exposes a launch() method that does not restrict access to dangerous functionality. This allows an attacker to invoke arbitrary commands on a system using the vulnerable control. The control is present in exteNd Director 4.1, which is an unsupported product [1].

Exploitation

An attacker can exploit this vulnerability by convincing a user to view a specially crafted HTML document, such as a malicious web page or an HTML email message. The attack requires no prior authentication or special network position; simply rendering the HTML in Internet Explorer with ActiveX enabled is sufficient. The attacker calls the launch() method via script, passing an arbitrary command string to execute on the victim's system [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the logged-in user. This can lead to complete compromise of the affected system, including installation of malware, data exfiltration, or further lateral movement within the network. The scope is limited to the user's privilege level [1].

Mitigation

Novell released security update 3169416 to address this issue. For systems that cannot be updated, a workaround is to disable the LocalExec ActiveX control by setting the kill bit in Internet Explorer for the CLSID {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78}. Additionally, disabling ActiveX controls altogether or using an up-to-date browser that does not support ActiveX mitigates the risk. Note that exteNd Director 4.1 is no longer supported by Novell [1].
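
One way to audit and apply the kill-bit workaround described above, as an added example that is not from Novell or the cited advisory. Only the CLSID is taken from the text; the script assumes the standard Internet Explorer `ActiveX Compatibility` registry location and the kill-bit flag value 0x400.

```powershell
# Added example, not vendor code. Audits (and with -Apply, sets) the IE kill bit
# for the LocalExec control. Only the CLSID comes from the advisory text.
param([switch]$Apply)   # without -Apply the script only reports; -Apply needs admin rights

$Clsid   = '{2B1AA38D-2D12-11D5-AAD0-00C04FA03D78}'
$KillBit = 0x400          # "Compatibility Flags" bit that blocks instantiation in IE
$Name    = 'Compatibility Flags'

# 64-bit Windows has a second registry view used by 32-bit Internet Explorer.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags([string]$Key) {
    # Returns the current DWORD, or 0 when the key or value does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return 0 }
    $prop = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return $prop.$Name
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this OS
    $key   = "$root\$Clsid"
    $flags = Get-CompatFlags $key

    if ($Apply -and (($flags -band $KillBit) -eq 0)) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so any other compatibility flags already present are kept.
        New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
            -Value ($flags -bor $KillBit) -Force | Out-Null
        $flags = Get-CompatFlags $key
    }

    # One row per registry view: the key, its flags in hex, and whether the bit is set.
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $flags
        KillBitSet = ($flags -band $KillBit) -ne 0
    }
}
```

Run without `-Apply` across a fleet to find hosts where `KillBitSet` is `False` in either view; a missing key reports flags of zero, which means Internet Explorer is not blocked from loading the control.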

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
