CVE-2007-0348
Published 2007-03-21
Priority: P349 | critical | 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.14% (98.2th percentile)
Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| interactual_technologies | interactual_player | — | — |
| intervideo | windvd | — | — |
| roxio | cineplayer | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts targeting the IASystemInfo.dll ActiveX control via an overly long ApplicationType property value (filler of 548 bytes before SEH overwrite).
- Monitor browser processes loading IASystemInfo.dll as an ActiveX control; instantiation of this control from a web page context is a strong indicator of exploitation.
- Payload bad characters for this exploit are null byte, tab, LF, CR, single quote, and backslash; shellcode in network traffic will avoid these bytes.
- The exploit uses an SEH-based overwrite with a stack adjustment of -3500 bytes; look for anomalous SEH chain manipulation in browser processes following large string assignments to ActiveX properties.
- The Metasploit module only provides return addresses for two specific Windows targets (Win2000 Pro English ALL and WinXP Pro SP0/SP1 English); exploitation against other OS versions or service packs requires different return addresses.
- The vulnerability affects multiple products beyond WinDVD 7, including InterActual Player 2.60.12.0717 and Roxio CinePlayer 3.2; detection scope should cover all products shipping IASystemInfo.dll.
- The exploit payload space is limited to 800 bytes, constraining the size of usable shellcode in this attack vector.
No detection rules found.
Exploit-DB
WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: windvd7_applicationtype.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX
control in InterVideo WinDVD 7. By sending a overly long string
to the "ApplicationType()" property, an attacker may be able to
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ '
Metasploit
WinDVD7 IASystemInfo.DLL ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in IASystemInfo.dll ActiveX control in InterVideo WinDVD 7. By sending an overly long string to the "ApplicationType()" property, an attacker may be able to execute arbitrary code.
- http://osvdb.org/34314
- http://osvdb.org/34315
- http://secunia.com/advisories/23032
- http://secunia.com/advisories/23075
- http://secunia.com/advisories/24556
- http://secunia.com/secunia_research/2007-37/advisory/
- http://www.kb.cert.org/vuls/id/922969
- http://www.securityfocus.com/archive/1/463405/100/0/threaded
- http://www.securityfocus.com/bid/23071
- http://www.vupen.com/english/advisories/2007/1042
- http://www.vupen.com/english/advisories/2007/1043
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33186
Published 2007-03-21