The local buffer "SubKey" using strcat() function without any boundaryĬhecking. "ProductName" parameter is passed into the szProductName, copied into Which is used to create the uninstall registry key. The first argument (szProductName) of this function is the product name 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\',0
data:04F1EA10 char szUninstallRegistryKey text:04F157C5 push offset szUninstallRegistryKey *szProductName,LPCSTR lpValueName,LPBYTE lpData,LPDWORD lpcbData) Happens in a function of JuniperSetupDLL.dll. ProductName parameter as follows, the stack based buffer overflow The vulnerability exists in JuniperSetupDLL.dll which is loaded from Handling a parameter of ActiveX control that will allow a remoteĪttacker to reliably overwrite the stack with arbitrary data and execute There is an exploitable buffer overflow in the JuniperSetup.ocx ActiveXĬontrol is automatically loaded throgh the web interface of Juniper Juniper Networks SSL-VPN Client Buffer OverflowĮEye Digital Security has discovered a critical vulnerability in Juniper Subject: Juniper Networks SSL-VPN Client Buffer Overflow
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP) The vendor has issued the following fixed versions:
Yuji Ukai from eEye Digital Security discovered this vulnerability.Ī remote user can execute arbitrary code on the target system. The vendor was notified on February 27, 2006. The 'JuniperSetup.ocx' ActiveX control contains a buffer overflow in 'JuniperSetupDLL.dll' in the processing of the 'ProductName' parameter.Ī remote user can create specially crafted HTML that, when loaded by the target user, will trigger a stack overflow and execute arbitrary code on the target user's system. A remote user can cause arbitrary code to be executed on the target user's system. Impact: Execution of arbitrary code via network, User access via networkĪ vulnerability was reported in the Juniper NetScreen Instant Virtual Extranet (IVE) client. Juniper NetScreen Instant Virtual Extranet Buffer Overflow in 'JuniperSetup.ocx' ActiveX Control Lets Remote Users Execute Arbitrary CodeĬVE Reference: CVE-2006-2086 (Links to External Site) Pulse Connect Secure (formerly Juniper Pulse Secure) Home | View Topics | Search | Contact Us | MST during uninstallation phase (synchronous, ignoring exit code).Juniper NetScreen Instant Virtual Extranet Buffer Overflow in 'JuniperSetup.ocx' ActiveX Control Lets Remote Users Execute Arbitrary Code - SecurityTracker Such script (I mean compiled one) you can place as CA executed from installation in Installation Sequence, Deferred Execution Installation Script in. Pathname=%UNINSTALLER%\string_*.properties Pathname=%UNINSTALLER%\JuniperSetupClientCtrlUninstaller.exe
Text=Script uninstalls Juniper Active X control WSE script which manages removing all garbage left: “c:\windows\downloaded program files\JuniperSetupClientUninstaller.exe†/SĮ.g. Silent uninstallation can be managed via command line:
Please advice how to make this a silent uninstall. I have tried to use several switches to make it silent but nothing seems to work. If I run the uninstall string, it removes the application but it is not silent. This string points to a exe in Downloaded Program Files, but in that folder i cannot find any such exe. The un-install string for both the application is differnt and is present in the registry, the Juniper Network client has a msi as uninstall string so it is getting uninstalled silently, but the uninstall string for ActiveX component is: " C:\WINDOWS\Downloaded Program Files\JuniperSetupClientCtrlUninstaller.exe". If I try to uninstall the application via the endor msi, it only removes the Juniper Network Client and not ActiveX component. Problem comes when I try to un-install this application. These two programs create seperate entries in registry and Add Remove Program. During installation the vendor msi installs two components, one is Juniper Network in the Program files and other is 'Juniper Network Client ActiveX component' in 'Downloaded Program Files'. It is a vendor msi so just mst with /qn is doing the job. I am doing a silent installation of Juniper Network v 2.