Info

Disclosure

Nov 14, 2009

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Wings3D player contains a flaw that may allow an attacker to execute arbitrary executable files. The issue is triggered when by the failure of the SceneURL() method to validate input, which can be the path to an arbitrary executable file, which will be executed by the plugin.

Classification

Location: Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Solution Unknown
Exploit: Exploit Public
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

AwingSoft

Wings3D Player

3.5.0.9

References

CVE ID: 2009-4850 (see also: NVD)
Secunia Advisory ID: 35764
ISS X-Force ID: 58573
Metasploit ID: 60049
Other Advisory URL: http://www.metasploit.com/modules/exploit/windows/browser/awingsoft_winds3d_sceneurl
http://www.metasploit.com/redmine/projects/framework/repository/revisions/7518/entry/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/60049