CVE-2006-6884
published 2006-12-31

Priority: P2 · 61 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.49% (90.3th percentile)

Buffer overflow in the WZFILEVIEW.FileViewCtrl.61 ActiveX control (aka Sky Software "FileView" ActiveX control) for WinZip 10.0 Build 6667 allows remote attackers to execute arbitrary code via a long argument to the CreateNewFolderFromName method, a different vulnerability than CVE-2006-5198.

Affected

1 range
Vendor | Product | Version range | Fixed in
winzip | winzip | |

Detection & IOCs (extracted from sources)

other: WZFILEVIEW.FileViewCtrl.61
other: 0x02DA3269
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}
other: {A09AE68F-B14D-43ED-B713-BA413F034904}
  • The exploit triggers the vulnerability via the FilePattern property assignment inside the WZFILEVIEW_OnAfterItemAdd VBScript event handler, passing an oversized string to smash the stack.
  • The exploit embeds shellcode inside a crafted BMP image file written to disk; the BMP header is followed by a large NOP sled (999999 bytes) and then shellcode payload.
  • The overflow payload uses 265 'A' bytes before the return address overwrite, followed by 1827 more 'A' bytes; this specific padding pattern can be used in memory forensics or crash analysis.
  • The ActiveX CLSID {A09AE68F-B14D-43ED-B713-BA413F034904} (WZFILEVIEW.FileViewCtrl.61) should be blocked via kill-bit; its absence from the IE ActiveX Compatibility registry key indicates the control is enabled and exploitable.
  • The return address 0x02DA3269 is specific to WinXP SP2 (English) with WinZip 10.0 build 6667 and IE 6.0.2900.2180; it will not work on other OS/build combinations.
  • Microsoft had already disabled the ActiveX control via a kill-bit (Compatibility Flags=0x400) prior to this CVE being published; the kill-bit registry key must be absent for the exploit to function.
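
The kill-bit check described in the notes above, as an added example (not code from this page or its sources): it reads the text of a registry export and reports whether Compatibility Flags carries 0x400 for the CLSID. The WOW6432Node view (used by 32-bit IE on 64-bit Windows), the function names and the sample export are assumptions of this example.

```python
import re

# CLSID, key path and kill-bit value (0x400) are the ones given on this page.
CLSID = "{A09AE68F-B14D-43ED-B713-BA413F034904}"
KILL_BIT = 0x400
SUFFIX = "\\Internet Explorer\\ActiveX Compatibility\\" + CLSID
# Assumption of this example: the 32-bit (WOW6432Node) view is audited too.
VIEWS = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft",
)
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:(?P<val>[0-9a-f]{1,8})$', re.I)

# Constructed sample export: native view has the kill-bit, 32-bit view does not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{a09ae68f-b14d-43ed-b713-ba413f034904}]
"Compatibility Flags"=dword:00000020
"""

def killbit_status(reg_text):
    """Map each key holding the CLSID to 'set', 'not set' or 'no flags value'."""
    status, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            # Registry key names are case-insensitive, so compare upper-cased.
            current = key if key.upper().endswith(SUFFIX.upper()) else None
            if current:
                status[current] = "no flags value"
            continue
        m = FLAGS.match(line)
        if current and m:
            flags = int(m.group("val"), 16)
            status[current] = "set" if flags & KILL_BIT else "not set"
    return status

def control_blocked(reg_text, views=VIEWS):
    """True only if every expected registry view carries the kill-bit."""
    found = {k.upper(): v for k, v in killbit_status(reg_text).items()}
    return all(found.get((v + SUFFIX).upper()) == "set" for v in views)

if __name__ == "__main__":
    print(killbit_status(SAMPLE_EXPORT), control_blocked(SAMPLE_EXPORT))
```

A missing key and a key whose flags lack the 0x400 bit are both reported as not blocked, matching the note that the control is enabled when the kill-bit is absent.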

CVSS provenance

nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 4.0 · MEDIUM