CVE-2006-5820
published 2007-04-02


Priority: P263, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.43% (94.3th percentile)

The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.

Affected (1 range)

Vendor | Product | Version range | Fixed in
aol | aol | |

Detection & IOCs (extracted from sources)

other: Sb.SuperBuddy.1
  • Monitor for instantiation of the ActiveX control with ProgID 'Sb.SuperBuddy.1' in browser processes; unexpected instantiation outside of AOL client context is suspicious.
  • The exploit uses a heap-spray technique targeting return address 0x0c0c0c0c; detect heap spray patterns filling memory with this address value in browser processes.
  • The exploit calls the 'LinkSBIcons' method on the SuperBuddy ActiveX object with a manipulated function pointer value; monitor for JavaScript invoking this method with non-standard arguments.
  • Exploit delivery uses JavaScript unescape-based shellcode encoding and heap spray; look for large repeated '%u0c0c' or similar unicode escape sequences in HTML/JS served to IE6 clients.
  • The exploit targets specifically Windows XP SP0-SP2 with IE 6.0 SP1 (English); the hardcoded return address 0x0c0c0c0c is platform-specific and may not apply to other OS/browser combinations.
  • JavaScript variable names and HTML content are randomized at runtime by the Metasploit module, making static string-based detection of variable names unreliable.
  • Whitespace in the delivered HTML/JS payload is also randomized, which may evade simple pattern-matching or whitespace-sensitive signatures.
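
An added example (not part of the original page or of any tool it cites): a Python sketch of the content checks listed above, written to ignore variable names and whitespace because both are randomized. The function names, verdict labels and sample pages are constructed assumptions.

```python
import re

PROGID = "sb.superbuddy.1"                    # ProgID named on this page, lower-cased
METHOD_CALL = re.compile(r"\.linksbicons\(")  # method call on any object name
SPRAY_RUN = re.compile(r"(?:%u0c0c){2,}")     # repeated escape for 0x0c0c0c0c

def normalize(body: str) -> str:
    """Lower-case and drop all whitespace so randomized spacing cannot split a match."""
    return re.sub(r"\s+", "", body).lower()

def inspect(body: str) -> dict:
    """Return the indicators found in an HTML/JS response body plus a verdict."""
    text = normalize(body)
    hits = {
        "progid": PROGID in text,
        "method_call": bool(METHOD_CALL.search(text)),
        "spray_escape": "unescape(" in text and bool(SPRAY_RUN.search(text)),
    }
    if hits["progid"] and (hits["method_call"] or hits["spray_escape"]):
        verdict = "alert"    # control instantiated together with exploit traits
    elif any(hits.values()):
        verdict = "review"   # single indicator, e.g. instantiation outside AOL
    else:
        verdict = "none"
    return {**hits, "verdict": verdict}

# Constructed samples: indicator strings only, no payload. Variable names and
# spacing are deliberately irregular to mimic the randomization described above.
SAMPLE_SUSPECT = """<html><body><script>
var  qZk = unescape( "%u0c0c%u0c0c" );
var   hTw = new   ActiveXObject( "Sb.SuperBuddy.1" );
hTw . LinkSBIcons ( PLACEHOLDER );
</script></body></html>"""
SAMPLE_PROGID_ONLY = '<script>var sb = new ActiveXObject("Sb.SuperBuddy.1");</script>'
SAMPLE_BENIGN = '<script>var s = unescape("%u0041");</script>'

if __name__ == "__main__":
    for name, page in [("suspect", SAMPLE_SUSPECT),
                       ("progid-only", SAMPLE_PROGID_ONLY),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, inspect(page))
```

The check matches literal strings only, so a ProgID or escape sequence assembled at runtime (for example by string concatenation) will not match; treat the result as one signal alongside process-level monitoring.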

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck | 9.3 | CRITICAL