Garmin Communicator Plugin ActiveX Control Lets Remote Users Access the Target GPS Device
|
|
SecurityTracker Alert ID: 1022173
|
|
SecurityTracker URL: http://securitytracker.com/id?1022173
|
|
CVE Reference: CVE-2009-0194
(Links to External Site)
|
Date: May 7 2009
|
Impact: Disclosure of system information, Disclosure of user information, Modification of system information
|
Advisory: Secunia Research
|
Version(s): npGarmin.dll version 2.6.4.0
|
Description: A vulnerability was reported in Garmin Communicator Plugin. A remote user can bypass domain locking controls to access data from the target device.
A remote user can create specially crafted HTML that, when loaded by the target user, will invoke the GARMINAXCONTROL.GarminAxControl_t.1
ActiveX control (npGarmin.dll) and access potentially sensitive data on the target Garmin GPS device. Data can be viewed and deleted
and firmware updates can be installed.
The vendor was notified on March 19, 2009, without response.
The original advisory
is available at:
http://secunia.com/secunia_research/2009-16/
Dyon Balding of Secunia Research reported this vulnerability.
|
Impact: A remote user can create HTML that, when loaded by the target user, will read or delete data or install firmware updates on the target device.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www8.garmin.com/products/communicator/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 7 May 2009 07:34:53 -0400
Subject: Garmin Communicator Plug-In Domain Locking Security Bypass
|
http://secunia.com/secunia_research/2009-16/
CVE-2009-0194
|
|
