CVE-2006-3961
published 2006-08-01


Priority P342 · medium · 6.8 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 33.82% (98.2th percentile)
Buffer overflow in McSubMgr ActiveX control (mcsubmgr.dll) in McAfee Security Center 6.0.23 for Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean allows remote user-assisted attackers to execute arbitrary commands via long string parameters, which are later used in vsprintf.

Affected

25 ranges
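| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | antispyware | | |
| mcafee | antispyware | | |
| mcafee | internet_security_suite | | |
| mcafee | internet_security_suite | | |
| mcafee | internet_security_suite | | |
| mcafee | personal_firewall_plus | | |
| mcafee | personal_firewall_plus | | |
| mcafee | personal_firewall_plus | | |
| mcafee | privacy_service | | |
| mcafee | privacy_service | | |
| mcafee | privacy_service | | |
| mcafee | quickclean | | |
| mcafee | quickclean | | |
| mcafee | quickclean | | |
| mcafee | security_center | | |
| mcafee | security_center | | |
| mcafee | security_center | | |
| mcafee | security_center | | |
| mcafee | spamkiller | | |
| mcafee | spamkiller | | |
| mcafee | spamkiller | | |
| mcafee | virusscan | | |
| mcafee | virusscan | | |
| mcafee | virusscan | | |
| mcafee | wireless_home_network_security | | |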

Detection & IOCs (extracted from sources)

filename: mcsubmgr.dll
command: IsAppExpired
  • Monitor for ActiveX instantiation of the McSubMgr control (mcsubmgr.dll) in browser processes, particularly calls to the COM-exposed method IsAppExpired with abnormally large string arguments (>2972 bytes).
  • The exploit targets Windows XP SP0/SP1 using a JMP ESP gadget at 0x7605122f in shell32.dll; alert on EIP/return address control pointing to this address in browser exploit context.
  • The Metasploit module only supports Windows XP SP0/SP1 as a target; Windows XP SP2 has a commented-out alternative RET address (comctl32.dll 0x773f346a) but is not enabled, meaning exploitation against SP2 requires a different gadget.
  • The vulnerable ActiveX control is present in multiple McAfee products under Security Center 6.0.23, including Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean; scope detection broadly across all these products.