CVE-2006-6707
Published 2006-12-23
Priority P3 · 46 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT · EPSS 54.33% (98.9th percentile)
Stack-based buffer overflow in the NeoTraceExplorer.NeoTraceLoader ActiveX control (NeoTraceExplorer.dll) in NeoTrace Express 3.25 and NeoTrace Pro (aka McAfee Visual Trace) 3.25 allows remote attackers to execute arbitrary code via a long argument string to the TraceTarget method. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | neotrace | — | — |
| mcafee | visual_trace | — | — |
Detection & IOCs (extracted from sources)
- Detect ActiveX instantiation of NeoTraceExplorer.NeoTraceLoader CLSID in HTML/script content delivered via browser, followed by a call to TraceTarget() with an argument string exceeding ~483 bytes.
- Monitor for heap spray patterns using repeated 0x41414141 NOP-slide blocks of 0x400000 bytes targeting address 0x05050505 in browser processes (Internet Explorer), indicative of the PoC exploit technique.
- Alert on Internet Explorer loading NeoTraceExplorer.dll followed by a stack buffer overflow condition; the Metasploit module uses offset 483 bytes before overwriting EIP with 0x7c941eed on Windows XP SP2 English.
- Flag payloads with bad characters \x00\x09\x0a\x0d and quote/backslash stripped, consistent with the Metasploit module's BadChars constraint for this exploit.
- Detect bind-shell shellcode on port 64876 spawned from iexplore.exe or a child process, as used in the public PoC exploit for this vulnerability.
- The classic JMP ESP technique is not viable for this exploit because Internet Explorer replaces bytes outside the 0x00–0x7F ASCII range with 0x3F ('?'), corrupting the return address; heap spraying to 0x05050505 is required instead.
- The Metasploit module's return address (0x7c941eed) is specific to Windows XP Pro SP2 English; different OS/SP combinations will require different offsets and return addresses.
- The PoC exploit was tested only on Windows XP SP2 (Spanish) with Internet Explorer 7.0.5730.11 and NeoTracePro 3.25; exploitability on other configurations is not confirmed by the author.
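As an added, defender-side illustration of the first detection note above (not code from this page, the exploit authors, Metasploit or the vendor), the following Python scanner applies that rule to HTML/script content. It matches the ProgID NeoTraceExplorer.NeoTraceLoader (the control's CLSID is not given on this page, so CLSID matching is left out), statically sizes the TraceTarget() argument through string-literal concatenation and simple variable indirection, and flags the content only when the control is instantiated and the argument exceeds 483 bytes. The three sample pages, the threshold constant name and the function names are constructed for this example.

```python
import re

# Threshold taken from the detection note (~483 bytes); the constant name is ours.
TRACETARGET_MAX_ARG = 483

# Instantiation by ProgID. The control's CLSID is not on the page, so
# <object classid="clsid:..."> matching is deliberately not attempted here.
PROGID_RE = re.compile(r'NeoTraceExplorer\.NeoTraceLoader', re.IGNORECASE)

# <script> bodies; if none are present the whole input is treated as script.
SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)

# JavaScript string literal (double- or single-quoted, backslash escapes allowed).
STR_LIT = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
TOKEN_RE = re.compile(STR_LIT + r'|[A-Za-z_$][\w$]*|\+|\S')
ASSIGN_RE = re.compile(r'(?:\b(?:var|let|const)\s+)?([A-Za-z_$][\w$]*)\s*=\s*([^;]+);')
CALL_RE = re.compile(r'\.TraceTarget\s*\(\s*([^)]*?)\s*\)', re.IGNORECASE)


def _expr_len(expr, env):
    """Statically size a JS expression built from string literals joined with
    '+', or identifiers already bound to such expressions. Returns None when a
    token cannot be resolved (method calls, numbers, unknown names)."""
    total = 0
    for tok in TOKEN_RE.findall(expr):
        if tok == '+':
            continue
        if tok[0] in '"\'':
            total += len(tok) - 2        # literal length without its quotes
        elif tok in env:
            total += env[tok]
        else:
            return None
    return total


def scan_page(content):
    """Apply the rule: control instantiated AND TraceTarget() called with an
    argument that sizes to more than TRACETARGET_MAX_ARG bytes."""
    scripts = SCRIPT_RE.findall(content) or [content]
    env = {}
    sized, unresolved = [], 0
    for body in scripts:
        # Resolve simple string variables in source order so that later
        # assignments can reference earlier ones (pad + pad style padding).
        for name, rhs in ASSIGN_RE.findall(body):
            size = _expr_len(rhs, env)
            if size is not None:
                env[name] = size
        for arg in CALL_RE.findall(body):
            size = _expr_len(arg, env)
            if size is None:
                unresolved += 1
            else:
                sized.append(size)
    instantiates = bool(PROGID_RE.search(content))
    max_len = max(sized, default=None)
    return {
        "instantiates_control": instantiates,
        "tracetarget_calls": len(sized) + unresolved,
        "unresolved_args": unresolved,
        "max_arg_len": max_len,
        "suspicious": instantiates and max_len is not None
                      and max_len > TRACETARGET_MAX_ARG,
    }


# Constructed sample pages (not real exploit pages).
BENIGN_PAGE = (
    '<html><body><script>\n'
    'var ldr = new ActiveXObject("NeoTraceExplorer.NeoTraceLoader");\n'
    'ldr.TraceTarget("www.example.com");\n'
    '</script></body></html>'
)

# Oversized argument assembled from a padding variable concatenated with itself.
OVERSIZED_PAGE = (
    '<html><body><script>\n'
    'var ldr = new ActiveXObject("NeoTraceExplorer.NeoTraceLoader");\n'
    'var pad = "' + 'A' * 300 + '";\n'
    'var buf = pad + pad;\n'
    'ldr.TraceTarget(buf);\n'
    '</script></body></html>'
)

# Argument built at runtime: cannot be sized statically, reported as unresolved.
RUNTIME_PAGE = (
    '<script>\n'
    'var ldr = new ActiveXObject("NeoTraceExplorer.NeoTraceLoader");\n'
    'var s = "A".repeat(600);\n'
    'ldr.TraceTarget(s);\n'
    '</script>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("oversized", OVERSIZED_PAGE),
                        ("runtime-built", RUNTIME_PAGE)):
        print(label, scan_page(page))
```

Arguments the scanner cannot size statically (method calls, strings assembled at runtime) are counted in `unresolved_args` rather than silently dropped, so an analyst can route those pages to manual review instead of treating a "not suspicious" verdict as a clean bill.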
No detection rules found.
Exploit-DB
McAfee Visual Trace - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2006-6707
---
```ruby
##
# $Id: mcafeevisualtrace_tracetarget.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'McAfee Visual Trace ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX
				Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the
				"TraceTarget()" method, an attacker may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Autho
```
Exploit-DB
NeoTracePro 3.25 - ActiveX 'TraceTarget()' Remote Buffer Overflow
exploitdb · 2007-07-07 · CVE-2006-6707
---
Date: 24/03/07
México
/**** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE *** DON'T DISTRIBUTE *** PRIVATE ****/
I found this buffer overflow fuzzing NeoTraceExplorer.dll (an ActiveX control) with COMRaider from iDefense.
It has a method called TraceTarget() which can be exploited by passing a large string (~486 bytes), because there is no boundary checking.
Unfortunately, somebody else found this vulnerability a few months ago, but this person didn't release an exploit ;)
just published an advisory (http://secunia.com/advisories/23463).
First of all, this b0f cannot be exploited with the classic technique (EIP points to an address that has a 'jmp esp') because
each byte of the ret address MUST BE between 0x00 and 0x7f (ascii
Metasploit
McAfee Visual Trace ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the "TraceTarget()" method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.