CVE-2006-5820
published 2007-04-02CVE-2006-5820: The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer…
PriorityP263critical9.3CVSS 2.0
AVNACMAuNCCICAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
8.43%
94.3th percentile
The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aol | aol | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for instantiation of the ActiveX control with ProgID 'Sb.SuperBuddy.1' in browser processes; unexpected instantiation outside of AOL client context is suspicious. ↗
- →The exploit uses a heap-spray technique targeting return address 0x0c0c0c0c; detect heap spray patterns filling memory with this address value in browser processes. ↗
- →The exploit calls the 'LinkSBIcons' method on the SuperBuddy ActiveX object with a manipulated function pointer value; monitor for JavaScript invoking this method with non-standard arguments. ↗
- →Exploit delivery uses JavaScript unescape-based shellcode encoding and heap spray; look for large repeated '%u0c0c' or similar unicode escape sequences in HTML/JS served to IE6 clients. ↗
- ·The exploit targets specifically Windows XP SP0-SP2 with IE 6.0 SP1 (English); the hardcoded return address 0x0c0c0c0c is platform-specific and may not apply to other OS/browser combinations. ↗
- ·JavaScript variable names and HTML content are randomized at runtime by the Metasploit module, making static string-based detection of variable names unreliable. ↗
- ·Whitespace in the delivered HTML/JS payload is also randomized, which may evade simple pattern-matching or whitespace-sensitive signatures. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-m6ph-5xx8-wchf: The LinkSBIcons method in the SuperBuddy ActiveX control (Sb
ghsa_unreviewed·2022-05-01
CVE-2006-5820 [HIGH] GHSA-m6ph-5xx8-wchf: The LinkSBIcons method in the SuperBuddy ActiveX control (Sb
The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.
VulnCheck
America Online SuperBuddy ActiveX Control Code Execution
vulncheck·2006·CVSS 9.3
CVE-2006-5820 [CRITICAL] America Online SuperBuddy ActiveX Control Code Execution
America Online SuperBuddy ActiveX Control Code Execution
The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.
Affected: aol aol
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://archive.f-secure.com/weblog/archives/00001393; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
No writeups or analysis indexed.
http://osvdb.org/34318http://secunia.com/advisories/24714http://securityreason.com/securityalert/2513http://www.kb.cert.org/vuls/id/478225http://www.securityfocus.com/archive/1/464313/100/0/threadedhttp://www.securityfocus.com/bid/23224http://www.tippingpoint.com/security/advisories/TSRT-07-03.htmlhttp://www.vupen.com/english/advisories/2007/1184https://exchange.xforce.ibmcloud.com/vulnerabilities/33347http://osvdb.org/34318http://secunia.com/advisories/24714http://securityreason.com/securityalert/2513http://www.kb.cert.org/vuls/id/478225http://www.securityfocus.com/archive/1/464313/100/0/threadedhttp://www.securityfocus.com/bid/23224http://www.tippingpoint.com/security/advisories/TSRT-07-03.htmlhttp://www.vupen.com/english/advisories/2007/1184https://exchange.xforce.ibmcloud.com/vulnerabilities/33347
2007-04-02
Published
Exploited in the wild