CVE-2007-1682
published 2008-08-27

Priority: P350, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 29.61% (98.0th percentile)

Multiple stack-based buffer overflows in the FileManager ActiveX control in SAFmgPws.dll in SoftArtisans XFile before 2.4.0 allow remote attackers to execute arbitrary code via unspecified calls to the (1) BuildPath, (2) GetDriveName, (3) DriveExists, or (4) DeleteFile method.

Affected

24 ranges
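| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softartisans | xfile | <= 2.3.4 | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |
| softartisans | xfile | | |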

Detection & IOCs (extracted from sources)

filename: SAFmgPws.dll
filename: SAFmgPwd.dll
other: SoftArtisans.FileManager.1
  • Detect instantiation of the vulnerable ActiveX ProgID 'SoftArtisans.FileManager.1' in browser script, which is the attack vector used to trigger the overflow.
  • Monitor calls to GetDriveName(), BuildPath(), DriveExists(), or DeleteFile() methods on the SoftArtisans FileManager ActiveX control with overly long string arguments as exploitation indicators.
  • The exploit uses a heap-spray return address of 0x0C0C0C0C targeting Windows XP SP0-SP3 / Vista with IE 6/7; look for this value in memory or crash dumps associated with browser processes.
  • Presence of SAFmgPws.dll or SAFmgPwd.dll loaded in a browser process (iexplore.exe) should be treated as a risk indicator; versions prior to 2.4.0 are vulnerable.
  • The DLL filename is inconsistently reported across sources: NVD names it SAFmgPws.dll while the Metasploit module names it SAFmgPwd.dll (version 2.0.5.3); detections should cover both filenames.
  • The Metasploit module randomizes all JavaScript variable names at runtime, so static string-based signatures on variable names will not reliably detect this exploit.
  • The module also calls Rex::Text.randomize_space(content) on the final HTML, further evading whitespace-sensitive signatures.
  • Payload bad characters are limited to null bytes only ('\x00'), meaning most shellcode encoders will produce valid payloads with minimal filtering.
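
A content check that follows the notes above, anchoring on the ProgID and the four method names rather than on variable names or whitespace, and matching both reported DLL filenames. This is an added example, not code from any of the cited sources; the function names, sample pages and module paths are constructed for illustration.

```python
import re

# ProgID, method names and DLL names come from the page; the rest is assumed.
PROGID = "softartisans.filemanager.1"
METHODS = ("BuildPath", "GetDriveName", "DriveExists", "DeleteFile")
DLL_NAMES = {"safmgpws.dll", "safmgpwd.dll"}  # NVD name and Metasploit name

# Drop whitespace and quote+quote joins so a split or padded ProgID still matches.
_NOISE = re.compile(r"""\s+|["']\s*\+\s*["']""")
# Receiver is any expression: the variable holding the control is randomized.
_CALL = re.compile(r"\.\s*(%s)\s*\(" % "|".join(METHODS), re.IGNORECASE)

def scan_html(html):
    """Flag pages that both name the ProgID and call one of the four methods."""
    progid = PROGID in _NOISE.sub("", html).lower()
    seen = {m.group(1).lower() for m in _CALL.finditer(html)}
    methods = [m for m in METHODS if m.lower() in seen]
    return {"progid": progid, "methods": methods, "alert": progid and bool(methods)}

def risky_modules(paths):
    """Return loaded-module paths whose file name is either reported DLL name."""
    return [p for p in paths if re.split(r"[\\/]", p)[-1].lower() in DLL_NAMES]

# Constructed sample: random variable names, padded whitespace, split ProgID.
SAMPLE_SUSPECT = """<html><script>
var  qZxvT = new   ActiveXObject( 'SoftArtisans.' +
      'FileManager.1' );
var kPwLm = "A";
qZxvT . GetDriveName ( kPwLm );
</script></html>"""

# Constructed sample: Scripting.FileSystemObject exposes a same-named method,
# so matching on method names alone would be a false positive.
SAMPLE_BENIGN = """<script>
var fso = new ActiveXObject("Scripting.FileSystemObject");
var p = fso.BuildPath("C:/tmp", "a.txt");
</script>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_SUSPECT))
    print(scan_html(SAMPLE_BENIGN))
    # Constructed module paths for the loaded-DLL check.
    print(risky_modules([r"C:\WINDOWS\system32\SAFmgPwd.dll", r"C:\WINDOWS\system32\mshtml.dll"]))
```

The benign sample shows why the ProgID has to be part of the match: the method names alone also appear on Scripting.FileSystemObject.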