CVE-2007-0325
Published: 2007-02-20

Priority: P3 · 55 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 34.01% (98.2nd percentile)
Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trend_micro | client-server-messaging_security | — | — |
| trend_micro | officescan_corporate_edition | — | — |
| trend_micro | officescan_corporate_edition | — | — |
Detection & IOCs (extracted from sources)

Quoted from the Metasploit module (the overflow trigger string): `rand_text_alpha(2149) + [target.ret].pack('V')`

Detection heuristics:
- Detect ActiveX instantiation of the OfficeScanSetupINI.dll control in HTML, followed by assignment of an overly long string (>2149 bytes) to the CgiOnUpdate property.
- Flag HTTP responses containing HTML that sets the CgiOnUpdate property of an ActiveX object to a string exceeding ~2149 characters, indicative of the stack buffer overflow exploit pattern.
- Monitor for the return address 0x7cc58fd8 appearing in network payloads targeting Windows XP SP2 English systems, as this is the hardcoded RET value used by the Metasploit module.
- Bad characters to filter/watch for in payload delivery context: null byte, tab, newline, carriage return, single quote, and backslash.

Caveats:
- The hardcoded return address (0x7cc58fd8) is specific to Windows XP SP2 Pro English; the exploit will not function reliably against other OS versions or service packs without a different RET value.
- The Metasploit module uses randomized variable and string names on each request, meaning static string-based signatures on JavaScript variable names will not reliably detect this exploit.
- Payload space is constrained to 800 bytes with a stack adjustment of -3500; shellcode exceeding this space will not execute correctly.
No detection rules found.
Exploit-DB: Trend Micro OfficeScan - Client ActiveX Control Buffer Overflow (Metasploit)
Source: exploitdb · 2010-05-09
---

Module source as indexed (truncated on the source page):

```ruby
##
# $Id: trendmicro_officescan.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Trend Micro OfficeScan
				Corporate Edition 7.3. By sending an overly long string to the
				"CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control,
				an attacker may be able to execute arbitrary code.
			},
			'Lice
```
Metasploit: Trend Micro OfficeScan Client ActiveX Control Buffer Overflow

This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the "CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288
- http://osvdb.org/33040
- http://secunia.com/advisories/24193
- http://www.kb.cert.org/vuls/id/784369
- http://www.securityfocus.com/bid/22585
- http://www.securitytracker.com/id?1017664
- http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt
- http://www.vupen.com/english/advisories/2007/0638

Published: 2007-02-20