CVE-2006-6707
published 2006-12-23

Priority: P346 · high · 7.5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 54.33% (98.9th percentile)
Stack-based buffer overflow in the NeoTraceExplorer.NeoTraceLoader ActiveX control (NeoTraceExplorer.dll) in NeoTrace Express 3.25 and NeoTrace Pro (aka McAfee Visual Trace) 3.25 allows remote attackers to execute arbitrary code via a long argument string to the TraceTarget method. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
mcafee | neotrace | |
mcafee | visual_trace | |

Detection & IOCs (extracted from sources)

filename: NeoTraceExplorer.dll
version: NeoTraceExplorer.dll 1.0.0.1
command: TraceTarget(<string of ~486 bytes>)
  • Detect ActiveX instantiation of NeoTraceExplorer.NeoTraceLoader CLSID in HTML/script content delivered via browser, followed by a call to TraceTarget() with an argument string exceeding ~483 bytes.
  • Monitor for heap spray patterns using repeated 0x41414141 NOP-slide blocks of 0x400000 bytes targeting address 0x05050505 in browser processes (Internet Explorer), indicative of the PoC exploit technique.
  • Alert on Internet Explorer loading NeoTraceExplorer.dll followed by a stack buffer overflow condition; the Metasploit module uses offset 483 bytes before overwriting EIP with 0x7c941eed on Windows XP SP2 English.
  • Flag payloads with bad characters \x00\x09\x0a\x0d and quote/backslash stripped, consistent with the Metasploit module's BadChars constraint for this exploit.
  • Detect bind-shell shellcode on port 64876 spawned from iexplore.exe or a child process, as used in the public PoC exploit for this vulnerability.
  • The classic JMP ESP technique is not viable for this exploit because Internet Explorer replaces bytes outside the 0x00–0x7F ASCII range with 0x3F ('?'), corrupting the return address; heap spraying to 0x05050505 is required instead.
  • The Metasploit module's return address (0x7c941eed) is specific to Windows XP Pro SP2 English; different OS/SP combinations will require different offsets and return addresses.
  • The PoC exploit was tested only on Windows XP SP2 (Spanish) with Internet Explorer 7.0.5730.11 and NeoTracePro 3.25; exploitability on other configurations is not confirmed by the author.
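
A static content check for the first detection item above, as an added example that does not come from the advisory's sources or from any vendor rule: it flags pages that reference the control's ProgID and call TraceTarget() with a string literal longer than the 483-byte offset, and marks arguments assembled in script for manual review because their length cannot be read from the source. The function name, verdict labels and sample pages are assumptions; the control's CLSID is not given on this page and is left out.

```python
import re

# Strings that tie a page to the control. Only the ProgID appears in the advisory;
# the CLSID is not listed there, so add it here if you have it from the DLL.
MARKERS = ["neotraceexplorer.neotraceloader"]
OFFSET = 483  # bytes before the saved return address, as quoted above

# TraceTarget(<arg>): a whole quoted literal, or any other expression.
CALL_RE = re.compile(
    r"""\.TraceTarget\s*\(\s*(?:"([^"]*)"|'([^']*)'|([^)]*?))\s*\)""",
    re.IGNORECASE | re.DOTALL)

def scan_page(html):
    """Return a list of (verdict, detail) for TraceTarget() calls in html."""
    if not any(m in html.lower() for m in MARKERS):
        return []
    findings = []
    for m in CALL_RE.finditer(html):
        literal = m.group(1) if m.group(1) is not None else m.group(2)
        if literal is None:
            # Argument assembled in script: length is unknown statically.
            findings.append(("review", "computed argument: " + m.group(3)[:40]))
        elif len(literal) > OFFSET:
            findings.append(("alert", "literal of %d bytes" % len(literal)))
        else:
            findings.append(("info", "literal of %d bytes" % len(literal)))
    return findings

# Constructed sample pages (not captured traffic).
_NEW = 'var t = new ActiveXObject("NeoTraceExplorer.NeoTraceLoader");'
SAMPLES = {
    "short": "<script>%s t.TraceTarget('example.com');</script>" % _NEW,
    "long": '<script>%s t.TraceTarget("%s");</script>' % (_NEW, "A" * 600),
    "computed": "<script>%s var s = pad(600); t.TraceTarget(s);</script>" % _NEW,
    "unrelated": '<script>x.TraceTarget("%s");</script>' % ("A" * 600),
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, scan_page(page))
```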