cbcvebase.
CVE-2007-0325
published 2007-02-20


Priority: P3 (55) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, see Detection & IOCs below)
EPSS: 34.01% (98.2th percentile)
Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document.

Affected (3 ranges; version ranges and fixed builds taken from the description above)

Vendor        Product                            Version range            Fixed in
trend_micro   client-server-messaging_security   3.0 before Build 1197    Build 1197
trend_micro   officescan_corporate_edition       7.0 before Build 1344    Build 1344
trend_micro   officescan_corporate_edition       7.3 before Build 1241    Build 1241

Detection & IOCs (extracted from sources)

filename: OfficeScanSetupINI.dll
command/property: CgiOnUpdate() (the exploit assigns an overlong string to this property of the control)
other: 0x7cc58fd8 (hardcoded RET for Windows XP SP2 English; appears on the wire little-endian as the byte sequence d8 8f c5 7c)
bytes: rand_text_alpha(2149) + [target.ret].pack('V')
  • Detect ActiveX instantiation of the OfficeScanSetupINI.dll control in HTML followed by assignment of an overly long string (more than 2149 bytes) to its CgiOnUpdate property.
  • Flag HTTP responses whose HTML sets the CgiOnUpdate property of an ActiveX object to a string longer than about 2149 characters; this is the stack buffer overflow pattern of the public exploit, and a legitimate value for a setup-INI property is far shorter.
  • Monitor network payloads for the return address 0x7cc58fd8, which is the hardcoded RET value in the Metasploit module for Windows XP SP2 English. Because the module packs it with pack('V'), search for the little-endian byte sequence d8 8f c5 7c rather than the ASCII hex string.
  • Bad characters the module avoids in the payload: null byte, tab, newline, carriage return, single quote, and backslash. The last two are excluded so the buffer survives as a single-quoted JavaScript string literal, which is also why a detector can parse that literal reliably.
  • The hardcoded return address (0x7cc58fd8) is specific to Windows XP SP2 Pro English; the exploit will not work reliably against other OS versions or service packs without a different RET value, so a RET-based signature misses retargeted variants.
  • The Metasploit module randomizes variable and string names on each request, so static signatures on JavaScript identifier names will not reliably detect it; match on the control name, the CgiOnUpdate property and the length of the assigned string instead.
  • Payload space is constrained to 800 bytes with a stack adjustment of -3500; shellcode exceeding that space will not execute correctly.
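The following detector, added here as an illustration and not code from the page's sources or from the Metasploit module, applies the points above to an HTTP response body: it resolves simple JavaScript string concatenations through variable assignments (so randomized identifier names do not matter), measures the length of whatever ends up assigned to CgiOnUpdate, and checks the raw bytes for the little-endian packed RET. The sample pages it scans are constructed for the example; the object tag carries no CLSID because the page does not give one, and the exploit padding is plain 'A's rather than shellcode.

```python
import re

# Constants taken from the Metasploit pattern described on this page.
OVERFLOW_LEN = 2149                                  # rand_text_alpha(2149) padding before the RET
RET_XP_SP2_EN = (0x7cc58fd8).to_bytes(4, "little")   # [ret].pack('V') -> b"\xd8\x8f\xc5\x7c" on the wire
CONTROL_DLL = "OfficeScanSetupINI"                   # filename IOC from the page
BAD_CHARS = b"\x00\x09\x0a\x0d\x27\x5c"              # NUL, tab, LF, CR, single quote, backslash

# A JS string literal (either quote style) with backslash escapes.
_STR = r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\''
_VAR_ASSIGN = re.compile(r'\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(.*?);', re.S)
_PROP_ASSIGN = re.compile(r'\.CgiOnUpdate\s*=\s*(.*?);', re.S)
_TOKEN = re.compile(_STR + r'|[A-Za-z_$][\w$]*', re.S)


def _lit_len(lit):
    """Length of a JS string literal's value; each \\xHH, \\uHHHH or \\c escape counts as one char."""
    body = lit[1:-1]
    return len(re.sub(r'\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}|\\.', 'X', body))


def _expr_len(expr, symbols, depth=0):
    """Upper bound on the length of a concatenation of literals and earlier 'var' assignments.
    Every literal and known identifier in the expression is counted; depth guard stops cycles."""
    if depth > 8:
        return 0
    total = 0
    for tok in _TOKEN.findall(expr):
        if tok[0] in '"\'':
            total += _lit_len(tok)
        elif tok in symbols:
            total += _expr_len(symbols[tok], symbols, depth + 1)
    return total


def scan_html(body, threshold=OVERFLOW_LEN):
    """Score one HTTP response body (bytes) for the CVE-2007-0325 exploit pattern."""
    text = body.decode("latin-1")  # byte-preserving, so packed RET bytes survive as characters
    symbols = {name: expr for name, expr in _VAR_ASSIGN.findall(text)}
    longest = max((_expr_len(e, symbols) for e in _PROP_ASSIGN.findall(text)), default=0)
    result = {
        "control_referenced": CONTROL_DLL.lower() in text.lower(),
        "cgi_on_update_len": longest,
        "ret_bytes_present": RET_XP_SP2_EN in body,
    }
    result["suspicious"] = result["cgi_on_update_len"] > threshold or (
        result["control_referenced"] and result["ret_bytes_present"])
    return result


def build_sample(exploit, var_buf="ltwxa", var_obj="hgfe"):
    """Constructed test page (not captured traffic): random-looking identifiers as the module
    emits, shellcode replaced by 'A' padding. exploit=False sets a short, plausible INI name."""
    payload = b"A" * OVERFLOW_LEN + RET_XP_SP2_EN if exploit else b"ofcscan.ini"
    # The module filters BAD_CHARS, so the buffer always forms a valid single-quoted literal.
    assert not any(c in payload for c in BAD_CHARS)
    v, o = var_buf.encode(), var_obj.encode()
    return (b"<html><body>"
            b"<object id='" + o + b"' codebase='" + CONTROL_DLL.encode() + b".dll'></object>"
            b"<script>var " + v + b" = '" + payload + b"';"
            b"var " + o + b"x = document.getElementById('" + o + b"');"
            + o + b"x.CgiOnUpdate = " + v + b" + '';</script>"
            b"</body></html>")


if __name__ == "__main__":
    for label, page in (("exploit", build_sample(True)), ("benign", build_sample(False))):
        print(label, scan_html(page))
```

The length check is deliberately an upper bound: `new Array(n).join("A")`-style builders are not evaluated, so a variant that constructs the buffer at runtime would need JavaScript emulation rather than this static pass. Lowering `threshold` well below 2149 is reasonable in practice, since nothing legitimate assigns kilobytes to a setup-INI property.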