CVE-2007-1674
Published 2007-04-18
Priority: P269critical10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (see Exploit-DB and Metasploit entries below)
EPSS: 72.86% (99.4th percentile)
Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| landesk | landesk_management_suite | — | — |
Detection & IOCs (extracted from sources)
- Monitor for large UDP packets (>280 bytes) sent to port 65535/UDP targeting aolnsrvr.exe; the exploit sends an overly long alphanumeric string of at least 1024 bytes over UDP to trigger the stack buffer overflow.
- In the non-NX exploit path, the return address overwrite occurs at offset 280 bytes into the payload, followed immediately by the return address and shellcode; look for UDP payloads to port 65535 with a 280-byte alphanumeric prefix followed by a 4-byte little-endian address.
- For NX-bypass variants, the exploit constructs a 1024-byte alphanumeric buffer with ROP gadgets embedded at specific offsets (280, 296, 300, 304, 308, 312, 324, 332, 652, 684); anomalous structured UDP payloads of exactly 1024 bytes to port 65535 should be investigated.
- Successful exploitation runs shellcode under SYSTEM privileges via aolnsrvr.exe; alert on unexpected child processes or network connections spawned from aolnsrvr.exe.
- The Metasploit module targets only Aolnsrvr version 4.0 across Windows 2000/2003/XP platforms; the ROP gadget offsets and return address (0x00423554) are specific to this binary version and may not apply to other builds.
- The payload space is constrained to 336 bytes with a stack adjustment of -3500; shellcode exceeding this space will not function correctly with this exploit.
- The NX-bypass path uses a hardcoded image base of 0x00400000 and process info offsets (0xed for 2003 SP1-2, 0xe4 for XP SP2); these are ASLR-incompatible and assume a fixed load address for aolnsrvr.exe.
No detection rules found.
Exploit-DB
LANDesk Management Suite 8.7 - Alert Service Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
```ruby
##
# $Id: landesk_aolnsrvr.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# The text between "class Metasploit3" and the 'Name' key was dropped during
	# page extraction (everything between "<" and ">" was lost). The superclass,
	# initialize and super(update_info(...)) wrapper below are the standard
	# Metasploit 3 module skeleton, reconstructed here, not the original listing.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending
				an overly long string to the Alert Service, a buffer is overwritten and arbitrary
				code can be executed.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					['CVE',
```
Exploit-DB
LANDesk Management Suite 8.7 Alert Service - 'AOLSRVR.exe' Remote Buffer Overflow
exploitdb · 2007-04-13
---
source: https://www.securityfocus.com/bid/23483/info
LANDesk Management Suite is prone to a remote stack-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue would result in the complete compromise of affected computers. Failed exploit attempts will result in a denial of service.
This issue affects LANDesk Management Suite 8.7; prior versions may also be affected.
```ruby
##
# $Id: landesk_aolnsrvr.rb 4886 2007-05-07 04:48:45Z hdm $
##

##
# This file is part of the Metasploit Frame
```
Metasploit
LANDesk Management Suite 8.7 Alert Service Buffer Overflow
metasploit
This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending an overly long string to the Alert Service, a buffer is overwritten and arbitrary code can be executed.
No writeups or analysis indexed.
References
- http://kb.landesk.com/display/4n/kb/article.asp?aid=4142
- http://osvdb.org/34964
- http://secunia.com/advisories/24892
- http://www.securityfocus.com/archive/1/465643/100/0/threaded
- http://www.securityfocus.com/bid/23483
- http://www.securitytracker.com/id?1017912
- http://www.tippingpoint.com/security/advisories/TSRT-07-04.html
- http://www.vupen.com/english/advisories/2007/1391
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33657