CVE-2007-0018
Published 2007-01-24
CVE-2007-0018: Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to…
Priority: P2 · 72 · critical · CVSS 2.0 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploited in the wild (ITW exploit · VulnCheck KEV)
EPSS: 35.16% (98.2th percentile)
Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Maker and Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x.
Affected
82 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altdo | convert_mp3_master | — | — |
| altdo | mp3_record_and_edit_audio_master | — | — |
| americanshareware | mp3_wav_converter | — | — |
| audio_edit_magic | audio_edit_magic | — | — |
| bearshare | bearshare | — | — |
| cdburnerxp | cdburnerxp_pro | — | — |
| cheetahburner | cheetah_cd_burner | — | — |
| cheetahburner | cheetah_dvd_burner | — | — |
| code-it_softare | abasic_editor | — | — |
| code-it_softare | wave_mp3_editor | — | — |
| dandans_digital_media_products | easy_audio_editor | — | — |
| dandans_digital_media_products | full_audio_converter | — | — |
| dandans_digital_media_products | music_editing_master | — | — |
| dandans_digital_media_products | visual_video_converter | — | — |
| digital_borneo | audio_mixer_and_editor | — | — |
| easy_ringtone_maker | easy_ringtone_maker | — | — |
| expstudio | audio_editor | — | — |
| iaudiosoft.com | absolute_mp3_splitter | — | — |
| iaudiosoft.com | absolute_sound_recorder | — | — |
| iaudiosoft.com | absolute_video_to_audio_converter | — | — |
| imesh.com | imesh | — | — |
| j_hepple_products | fx_audio_concat | — | — |
| j_hepple_products | fx_audio_editor | — | — |
| j_hepple_products | fx_audio_tools | — | — |
| j_hepple_products | fx_magic_music | — | — |
Detection & IOCs (extracted from sources)
- The Metasploit module targets Windows XP SP2/SP3 with IE6; the payload uses a pop/pop/ret gadget in msls31.dll (IE6) at 0x746C15A9 and a jmp esp in user32.dll at 0x774699bf — these ROP gadget addresses can be used as memory-pattern indicators in exploit traffic.
- The exploit is delivered as a malicious webpage; monitor for HTML responses containing both an ActiveX object tag referencing NCTAudioFile2 and a call to SetFormatLikeSample with a large string (>4000 chars).
- The PoC2 (shinnai) uses a 4116-byte 'A' buffer before the EIP overwrite; a string of 4116+ identical characters passed to SetFormatLikeSample is a reliable detection heuristic.
- The ROP/return gadget addresses (0x746C15A9 in msls31.dll, 0x774699bf and 0x77D7AAEB in user32.dll) are OS/patch-level specific and will not be reliable across different Windows versions or patch levels.
- On Windows XP SP2 with IE7, the exploit results in a DoS (IE crash) rather than reliable RCE without a debugger attached; RCE was only confirmed on Win2k SP4 with IE6.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
vendor_redhat · 7.8 HIGH
GHSA
GHSA-gwfv-7rcq-hxcc: Stack-based buffer overflow in the NCTAudioFile2
ghsa_unreviewed · 2022-05-01 · CVE-2007-0018 [HIGH] · CWE-119
VulnCheck
altdo convert_mp3_master Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2007 · CVSS 9.3 · CVE-2007-0018 [CRITICAL]
Red Hat
security flaw
vendor_redhat · 2005-12-19 · CVSS 7.8 · CVE-2005-4348 [HIGH]
fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html
This issue did not affect Red Hat Enterprise Linux 2.1 and 3.
No detection rules found.
Exploit-DB
NCTAudioFile2 2.x - ActiveX Control 'SetFormatLikeSample()' Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2007-0018
---
##
# $Id: nctaudiofile2_setformatlikesample.rb 9668 2010-07-03 01:38:15Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX
Control provided by various audio applications. By sending an overly long
string to the "SetFormatLikeSample()" method, an attacker may be abl
Exploit-DB
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow (2)
exploitdb · 2007-04-27 · CVE-2007-0018
---
Sub tryMe
'------------------------------------------------------------------
'[PoC2] IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
'original advisory: http://secunia.com/advisories/23475/
'author: shinnai
'mail: shinnai[at]autistici[dot]org
'site: http://shinnai.altervista.org
'based on: http://www.milw0rm.com/exploits/3728
'(see what InTeL said about Win XP Pro SP2 and IE7, enjoy brotha ;)
'modified for working on Win XP Pro SP2 with IE7 full patched
'------------------------------------------------------------------
buff = String (4116, "A")
get_EIP = unescape("%EB%AA%D7%77") '0x77D7AAEB call esp (from user32.dll)
nop = unescape("%90%90%90%90%90%90%90%90%90%90")
shellcode = u
Exploit-DB
Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Overflow
exploitdb · 2007-04-13 · CVE-2007-0018
---
/*
[PoC] 79 Exes's / IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
Auther: InTeL
Original Advisory: http://secunia.com/secunia_research/
Attack Vector: EIP smash
Type: Remote (Malicious webpage)
Mail; [email protected]
Tested on Win2k SP4 (English), with Internet Explorer 6
*Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7 but
with XP Pro SP2 and IE 7 combo it seems to only result in a DoS, crashing IE,
but when Ollydbg is attached to IExplorer and we go through the exploit process
Calc.exe is executed (kinda confusing). So hopefully someone else will be able to get
RCE with it if you do though contact me and let me kno how you did it
List of Exes that come with NCTAu
Metasploit
NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code.
Bugzilla
CVE-2005-4348 security flaw
bugzilla · 2018-08-16 · CVSS 7.8 · CVE-2005-4348 [HIGH]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
fetchmail before 6.3.1 and before 6.2.5.5, when configured for multidrop mode, allows remote attackers to cause a denial of service (application crash) by sending messages without headers from upstream mail servers.
---
Statement:
The Red Hat Security Response Team has rated this issue as having low security impact. An update is available for Red Hat Enterprise Linux 4 to correct this issue:
http://rhn.redhat.com/errata/RHSA-2007-0018.html
This issue did not affect Red Hat Enterprise Linux 2.1 and 3.
Bugzilla
CVE-2006-5867 fetchmail not enforcing TLS for POP3 properly
bugzilla · 2007-01-09 · CVSS 7.8 · CVE-2006-5867 [HIGH]
Description of problem:
fetchmail issued an advisory fetchmail-SA-2006-02 fixing numerous issues
with TLS support. Two of them raise an opportunity for an attacker to do
a MiM attack. See the attached e-mail from mitr for more details.
Discussion:
Created attachment 145163
Statement from mitr about the issues
---
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2007-0018.html