CVE-2007-1682
published 2008-08-27
CVE-2007-1682: Multiple stack-based buffer overflows in the FileManager ActiveX control in SAFmgPws.dll in SoftArtisans XFile before 2.4.0 allow remote attackers to execute…
Priority P350 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.61% (98.0th percentile)
Multiple stack-based buffer overflows in the FileManager ActiveX control in SAFmgPws.dll in SoftArtisans XFile before 2.4.0 allow remote attackers to execute arbitrary code via unspecified calls to the (1) BuildPath, (2) GetDriveName, (3) DriveExists, or (4) DeleteFile method.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softartisans | xfile | <= 2.3.4 | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable ActiveX ProgID 'SoftArtisans.FileManager.1' in browser script, which is the attack vector used to trigger the overflow.
- Monitor calls to GetDriveName(), BuildPath(), DriveExists(), or DeleteFile() methods on the SoftArtisans FileManager ActiveX control with overly long string arguments as exploitation indicators.
- The exploit uses a heap-spray return address of 0x0C0C0C0C targeting Windows XP SP0-SP3 / Vista with IE 6/7; look for this value in memory or crash dumps associated with browser processes.
- Presence of SAFmgPws.dll or SAFmgPwd.dll loaded in a browser process (iexplore.exe) should be treated as a risk indicator; versions prior to 2.4.0 are vulnerable.
- The DLL filename is inconsistently reported across sources: NVD names it SAFmgPws.dll while the Metasploit module names it SAFmgPwd.dll (version 2.0.5.3); detections should cover both filenames.
- The Metasploit module randomizes all JavaScript variable names at runtime, so static string-based signatures on variable names will not reliably detect this exploit.
- The module also calls Rex::Text.randomize_space(content) on the final HTML, further evading whitespace-sensitive signatures.
- Payload bad characters are limited to null bytes only ('\x00'), meaning most shellcode encoders will produce valid payloads with minimal filtering.
No detection rules found.
Exploit-DB
SoftArtisans XFile FileManager - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: softartisans_getdrivename.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SoftArtisans XFile FileManager ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control
(SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LIC
Metasploit
SoftArtisans XFile FileManager ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in SoftArtisans XFile FileManager ActiveX control (SAFmgPwd.dll 2.0.5.3). When sending an overly long string to the GetDriveName() method an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/31615
- http://support.softartisans.com/Support-114.aspx
- http://www.kb.cert.org/vuls/id/914785
- http://www.securityfocus.com/bid/30826