CVE-2007-1559
Published 2007-04-11
Priority P3 · 51 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.81% (98.1th percentile)
Multiple stack-based buffer overflows in SonicDVDDashVRNav.dll in Roxio CinePlayer 3.2 allow remote attackers to execute arbitrary code via (1) unspecified long property values to SonicMediaPlayer.dll or (2) long arguments to unspecified methods in SonicMediaPlayer.dll.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roxio | cineplayer | — | — |
Detection & IOCs (extracted from sources)
bytes: %u0c0c%u0c0c
- Detect heap spray pattern: repeated 0x0C0C0C0C DWORD used as NOP sled and return address in browser memory, indicative of heap-spray exploitation of SonicMediaPlayer.dll ActiveX control.
- Monitor for instantiation of the SonicMediaPlayer ActiveX control (SonicMediaPlayer.dll) inside Internet Explorer, especially when the DiskType method is called with an argument exceeding 200 characters.
- Exploit is delivered via a malicious HTML document; look for HTML pages embedding the SonicMediaPlayer ActiveX CLSID with a long DiskType parameter value.
- Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash; filter or alert on unescape() calls in HTML/JS containing shellcode blobs avoiding these bytes.
- The Metasploit module targets SonicMediaPlayer.dll version 3.0.0.1 specifically; the heap-spray return address 0x0C0C0C0C is hardcoded for Windows XP SP0-SP3 and Vista SP0-SP1 with IE 6.0 SP0-2 and IE 7.0 only.
- CVE-2007-1559 may overlap with CVE-2009-4841 (heap-based overflow in the same DLL via the same DiskType method); detections should cover both stack and heap overflow variants.
- The exploit payload space is limited to 1024 bytes and requires a stack adjustment of -3500 bytes; payloads larger than 1024 bytes will not function with this module.
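The detection notes above can be applied as a static check over captured HTML or proxy-logged page bodies. This is an added example, not code from this page or its sources: the function name, finding labels, and the 8-unit blob threshold are assumptions, the sample inputs are constructed, and only literal string arguments are inspected (values assembled at runtime would need script emulation).

```python
import re

# Threshold from the detection note: DiskType argument exceeding 200 characters.
DISKTYPE_MAX_LEN = 200
# Assumed threshold: an unescape() literal of 8+ %uXXXX units is treated as a blob.
MIN_BLOB_UNITS = 8

# Repeated %u0c0c units, the spray filler listed under "bytes" above.
SPRAY_RE = re.compile(r"(?:%u0c0c){2,}", re.I)
# unescape("...") whose whole argument is a run of %uXXXX code units.
UNESCAPE_RE = re.compile(
    r"unescape\(\s*(['\"])((?:%u[0-9a-f]{4}){" + str(MIN_BLOB_UNITS) + r",})\1\s*\)",
    re.I,
)
# obj.DiskType("...") or obj.DiskType = "..." with a string literal value.
DISKTYPE_RE = re.compile(r"\.DiskType\s*(?:\(|=)\s*(['\"])(.*?)\1", re.I | re.S)


def scan_html(html: str) -> list[str]:
    """Return a list of finding labels for one HTML/JS document."""
    findings = []
    if SPRAY_RE.search(html):
        findings.append("heap-spray-0c0c")
    for m in UNESCAPE_RE.finditer(html):
        units = len(m.group(2)) // 6          # each %uXXXX unit is 6 characters
        findings.append(f"unescape-blob:{units}-units")
    for m in DISKTYPE_RE.finditer(html):
        arg_len = len(m.group(2))
        if arg_len > DISKTYPE_MAX_LEN:
            findings.append(f"long-disktype:{arg_len}")
    return findings


# Constructed samples (filler bytes only, no CLSID, not taken from any exploit).
SUSPICIOUS = (
    'var fill = unescape("%u0c0c%u0c0c");\n'
    'var blob = unescape("' + "%u4141" * 16 + '");\n'
    'player.DiskType("' + "A" * 300 + '");\n'
)
BENIGN = 'player.DiskType("DVD");\n'

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_html(doc))
```

Because CVE-2009-4841 is reached through the same DiskType method, the length check covers both the stack and heap variants noted above.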
GHSA
GHSA-5wh5-58m7-cqc8: Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in SonicMediaPlayer
ghsa_unreviewed · 2022-05-02 · CVSS 9.3
CVE-2009-4841 [CRITICAL] CWE-119
Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in SonicMediaPlayer.dll in Roxio CinePlayer 3.2 allows remote attackers to execute arbitrary code via a long argument to the DiskType method. NOTE: this might overlap CVE-2007-1559.
GHSA
GHSA-w47c-78m2-3c96: Multiple stack-based buffer overflows in SonicDVDDashVRNav
ghsa_unreviewed · 2022-05-01
CVE-2007-1559 [HIGH]
Multiple stack-based buffer overflows in SonicDVDDashVRNav.dll in Roxio CinePlayer 3.2 allow remote attackers to execute arbitrary code via (1) unspecified long property values to SonicMediaPlayer.dll or (2) long arguments to unspecified methods in SonicMediaPlayer.dll.
No detection rules found.
Exploit-DB
Roxio CinePlayer - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
CVE-2007-1559
---
##
# $Id: roxio_cineplayer.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Roxio CinePlayer ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX
control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2.
By setting an overly long value to 'DiskType', an attacker can overrun
a buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author'
Exploit-DB
Roxio CinePlayer 3.2 - 'SonicDVDDashVRNav.dll' ActiveX Control Remote Buffer Overflow
exploitdb · 2007-04-11
CVE-2007-1559
---
source: https://www.securityfocus.com/bid/23412/info
Roxio CinePlayer is prone to a stack-based buffer-overflow vulnerability because it fails to sufficiently check boundaries of user-supplied input before copying it to an insufficiently sized memory buffer.
A remote attacker may exploit this issue by enticing victims into opening a malicious HTML document.
Exploiting this issue allows the attacker to execute arbitrary code in the context of applications using the affected ActiveX control and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.
Roxio CinePlayer 3.2 is vulnerable; other versions may also be affected.
Roxio CinePlayer 3.2 (SonicMed
Metasploit
Roxio CinePlayer ActiveX Control Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value to 'DiskType', an attacker can overrun a buffer and execute arbitrary code.
No writeups or analysis indexed.
- http://osvdb.org/34779
- http://secunia.com/advisories/22251
- http://secunia.com/secunia_research/2007-46/advisory/
- http://www.securityfocus.com/bid/23412
- http://www.securitytracker.com/id?1017906
- http://www.vupen.com/english/advisories/2007/1337
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33590