CVE-2007-0348
published 2007-03-21

CVE-2007-0348: Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172…

Priority: P349 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.14% (98.2th percentile)
Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| interactual_technologies | interactual_player | | |
| intervideo | windvd | | |
| roxio | cineplayer | | |

Detection & IOCs (extracted from sources)

filename: IASystemInfo.dll
command: ApplicationType
  • Detect exploitation attempts targeting the IASystemInfo.dll ActiveX control via an overly long ApplicationType property value (filler of 548 bytes before SEH overwrite).
  • Monitor browser processes loading IASystemInfo.dll as an ActiveX control; instantiation of this control from a web page context is a strong indicator of exploitation.
  • Payload bad characters for this exploit are null byte, tab, LF, CR, single quote, and backslash — shellcode in network traffic will avoid these bytes.
  • The exploit uses an SEH-based overwrite with a stack adjustment of -3500 bytes; look for anomalous SEH chain manipulation in browser processes following large string assignments to ActiveX properties.
  • The Metasploit module only provides return addresses for two specific Windows targets (Win2000 Pro English ALL and WinXP Pro SP0/SP1 English); exploitation against other OS versions or service packs requires different return addresses.
  • The vulnerability affects multiple products beyond WinDVD 7, including InterActual Player 2.60.12.0717 and Roxio CinePlayer 3.2; detection scope should cover all products shipping IASystemInfo.dll.
  • The exploit payload space is limited to 800 bytes, constraining the size of usable shellcode in this attack vector.
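
An added example, not part of the original page: one way to implement the image-load monitoring from the second detection bullet, run over constructed Sysmon Event ID 7 ("Image loaded") records. The JSON-lines export shape, the browser process list, host names and file paths are assumptions; matching on the DLL file name rather than an install path covers every product that ships the control.

```python
import json
import ntpath  # parses Windows paths correctly on any analysis host

TARGET_DLL = "iasysteminfo.dll"  # file name from the advisory, lowercased
# Assumption: processes treated as a "web page context"; adjust to your estate.
BROWSER_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}

# Constructed sample events (hosts, paths and player name are placeholders).
SAMPLE_EVENTS = r'''
{"EventID": 7, "Computer": "WS-01", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ImageLoaded": "C:\\Program Files\\ExampleVendor\\IASystemInfo.dll"}
{"EventID": 7, "Computer": "WS-01", "Image": "C:\\Program Files\\ExampleVendor\\ExamplePlayer.exe", "ImageLoaded": "C:\\Program Files\\ExampleVendor\\IASystemInfo.dll"}
{"EventID": 7, "Computer": "WS-02", "Image": "C:\\PROGRA~1\\INTERN~1\\IEXPLORE.EXE", "ImageLoaded": "D:\\Apps\\ExampleVendor\\iasysteminfo.DLL"}
{"EventID": 7, "Computer": "WS-02", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "ImageLoaded": "C:\\Windows\\System32\\urlmon.dll"}
{"EventID": 1, "Computer": "WS-03", "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"}
{"EventID": 7, "Computer": "WS-03", "Image": "C:\\Program Files\\Inter
'''


def find_suspicious_loads(lines):
    """Return (host, process, dll_path) for each browser process loading the control."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(event, dict) or event.get("EventID") != 7:
            continue  # only image-load events are relevant
        process = ntpath.basename(str(event.get("Image", ""))).lower()
        dll = ntpath.basename(str(event.get("ImageLoaded", ""))).lower()
        # The standalone player loading its own DLL is expected; a browser doing so is not.
        if dll == TARGET_DLL and process in BROWSER_PROCESSES:
            hits.append((event.get("Computer"), process, event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, process, dll_path in find_suspicious_loads(SAMPLE_EVENTS):
        print(f"ALERT host={host} process={process} loaded={dll_path}")
```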