CVE-2006-4868
published 2006-09-19

Severity: critical, CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Priority: P273
Exploited in the wild (in-the-wild exploit; listed in VulnCheck KEV)
EPSS: 62.15% (99.1 percentile)
Stack-based buffer overflow in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0 on Windows XP SP2, and possibly other versions, allows remote attackers to execute arbitrary code via a Vector Markup Language (VML) file with a long fill parameter within a rect tag.

Affected

3 ranges (vendor / product; version range and fixed-in values not listed)
  • microsoft / internet_explorer
  • microsoft / internet_explorer
  • microsoft / outlook

Detection & IOCs (extracted from sources)

  • The exploit delivers VML markup with an oversized fill parameter inside a rect (or other VML shape) element to overflow vgx.dll; look for abnormally large fill-related attribute values in VML markup within HTML responses.
  • Exploit pages bind the VML behavior in CSS ('behavior: url(#default#VML)' or 'url(#VMLRender)') and declare the VML namespace. Every page that renders VML at all does the same, so the binding is a prerequisite for the exploit rather than an indicator by itself; use it as context that qualifies the oversized-attribute check, not as a standalone signature for CVE-2006-4868.
  • The Metasploit module picks a random VML element (rect, roundrect, line, polyline, oval, image, arc, curve) and places the overflow buffer in a fill method attribute, built from repeated Unicode escape sequences (&#xXXXX;) up to 65535 characters. Measure attribute length after entity decoding: eight bytes on the wire become one character for the renderer.
  • The payload may be delivered as a UTF-16 LE HTML file beginning with the BOM bytes 0xFF 0xFE. The BOM is not malicious on its own, but an inspector that does not decode UTF-16 will miss the ASCII patterns above because each character is followed by a null byte; decode on the BOM, then apply the other checks.
  • The module selects the larger 65535-character buffer when the User-Agent matches 'Windows 5.[123]'; correlating buffer size with the requesting UA can help separate exploit traffic from legitimate VML.
  • The return address used in the heap-spray variant is 0x0c0c0c0c, a classic heap-spray landing address; access violations or an EIP of 0x0c0c0c0c in iexplore.exe crash dumps indicate an exploitation attempt.
  • The module randomizes the XML namespace prefix, JavaScript variable names, and whitespace in the exploit HTML, so signatures that match a fixed prefix such as 'v:' or fixed variable names are unreliable; resolve the prefix from the xmlns declaration and check attribute lengths instead.
  • The overflow buffer length varies by target OS: 1024 Unicode characters for most targets, 65535 for Windows 5.x (XP/2003). A signature keyed to one exact length misses the other; a length threshold well below 1024 catches both.
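The indicators above combine into one response-body check: decode on the UTF-16 BOM, resolve whatever prefix is bound to the VML namespace, and measure fill attributes after entity expansion. The following is an added example written for this page, not code from cvebase, from the page's sources, or from the Metasploit module; the 256-character threshold is an assumption chosen to sit well below the 1024 and 65535 sizes quoted above, and the sample documents (including the 0x4141 filler) are constructed here, not captured exploit traffic.

```python
import html
import re

VML_NS = "urn:schemas-microsoft-com:vml"

# Legitimate VML fill "method" values are short keywords ("linear", "sigma");
# the IOC notes give exploit buffers of 1024 and 65535 characters. 256 is an
# assumed threshold that sits well below both (example choice, not from the page).
MAX_FILL_ATTR_LEN = 256

# VML behaviour binding in CSS; present on any page that renders VML.
BEHAVIOR_RE = re.compile(
    r"behavior\s*:\s*url\(\s*#(?:default#VML|VMLRender)\s*\)", re.I)

# xmlns:<prefix>="urn:schemas-microsoft-com:vml"; the prefix is attacker
# controlled (randomised by the module), so it is discovered, not hard-coded.
XMLNS_RE = re.compile(
    r'xmlns:([A-Za-z_][\w.-]*)\s*=\s*["\']' + re.escape(VML_NS) + r'["\']', re.I)

ATTR_RE = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')', re.S)


def decode_body(raw: bytes) -> str:
    """Decode an HTTP response body, honouring a UTF-16 BOM (FF FE / FE FF)."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("utf-8", errors="replace")


def vml_prefixes(doc: str) -> set:
    """Return every namespace prefix bound to the VML namespace URI."""
    return set(XMLNS_RE.findall(doc))


def oversized_fill_attrs(doc: str, prefixes: set) -> list:
    """Find <p:fill> elements, or fill* attributes on any VML element, whose
    entity-decoded value exceeds MAX_FILL_ATTR_LEN. Returns (tag, attr, length)."""
    findings = []
    if not prefixes:
        return findings
    pfx = "|".join(re.escape(p) for p in prefixes)
    tag_re = re.compile(rf"<(?:{pfx}):(\w+)\b([^>]*)>", re.I | re.S)
    for tag_match in tag_re.finditer(doc):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        for attr_match in ATTR_RE.finditer(attrs):
            name = attr_match.group(1).lower()
            value = attr_match.group(2)
            if value is None:
                value = attr_match.group(3)
            if tag.lower() != "fill" and not name.startswith("fill"):
                continue
            # Expand &#xXXXX; escapes: each becomes one character, which is
            # the length the renderer sees, not the length on the wire.
            decoded = html.unescape(value)
            if len(decoded) > MAX_FILL_ATTR_LEN:
                findings.append((tag, name, len(decoded)))
    return findings


def analyse_response(raw: bytes) -> dict:
    """Score one HTML body against the CVE-2006-4868 indicators."""
    doc = decode_body(raw)
    prefixes = vml_prefixes(doc)
    result = {
        "utf16_bom": raw.startswith((b"\xff\xfe", b"\xfe\xff")),
        "vml_namespace": bool(prefixes),
        "vml_behavior": bool(BEHAVIOR_RE.search(doc)),
        "oversized_fill": oversized_fill_attrs(doc, prefixes),
    }
    if result["oversized_fill"]:
        result["verdict"] = "exploit_likely"
    elif result["vml_namespace"] or result["vml_behavior"]:
        # Namespace/behaviour alone is how every legitimate VML page renders
        # (e.g. an Office "Save as Web Page" export); not an indicator by itself.
        result["verdict"] = "vml_present"
    else:
        result["verdict"] = "no_vml"
    return result


# --- constructed samples (not captured traffic) ---------------------------

def build_vml_page(prefix: str = "v", method_value: str = "linear") -> str:
    """Constructed VML page; method_value is the <fill method=""> payload."""
    return (
        f'<html xmlns:{prefix}="{VML_NS}"><head><style>'
        f'{prefix}\\:* {{ behavior: url(#default#VML); }}</style></head>'
        f'<body><{prefix}:rect style="width:20pt;height:20pt" fillcolor="red">'
        f'<{prefix}:fill method="{method_value}"/></{prefix}:rect></body></html>'
    )

BENIGN_VML = build_vml_page().encode("utf-8")

# 2048 repeated Unicode escapes with a randomised prefix; 0x4141 is arbitrary
# filler standing in for the repeated &#xXXXX; buffer, not a real payload.
EXPLOIT_LIKE_UTF8 = build_vml_page(
    prefix="zq", method_value="&#x4141;" * 2048).encode("utf-8")

# Same shape delivered as UTF-16 LE with the FF FE BOM.
EXPLOIT_LIKE_UTF16 = b"\xff\xfe" + build_vml_page(
    method_value="&#x4141;" * 2048).encode("utf-16-le")

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_VML), ("utf8", EXPLOIT_LIKE_UTF8),
                        ("utf16", EXPLOIT_LIKE_UTF16)]:
        print(label, analyse_response(body))
```

Running the script classifies the benign page as `vml_present` and both constructed payload pages as `exploit_likely` with a single `('fill', 'method', 2048)` finding; the UTF-16 variant is only caught because `decode_body` strips the BOM and decodes before the regexes run. In a proxy or IDS the same function would be applied to each HTML response body, with the threshold tuned against the legitimate VML the environment actually serves.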

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 9.3 CRITICAL