cbcvebase.
CVE-2007-1819
published 2007-04-02


Priority: P2 · 58 · critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 39.73% (98.4th percentile)
Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a long ProgColor property.

Affected (2 ranges; version ranges taken from the description above)

Vendor   Product                  Version range              Fixed in
hp       mercury_quality_center   9.0 before Patch 12.1      Patch 12.1
hp       mercury_quality_center   8.2 SP1 before Patch 32    Patch 32

Detection & IOCs (extracted from sources)

filename   Spider90.ocx
version    Spider90.ocx 9.1.0.4353
other      ProgColor (overly long property value triggering the stack overflow)
other      return address 0x0C0C0C0C (heap spray target)
bytes      \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45
  • Detect instantiation of the vulnerable SPIDERLib.Loader ActiveX control (the CLSID associated with Spider90.ocx) in browser content, particularly when the ProgColor property is set to an abnormally long string.
  • Look for heap-spray patterns that target 0x0C0C0C0C in JavaScript (repeated %u0C0C%u0C0C unescape sequences) delivered alongside the ActiveX object instantiation.
  • The payload bad characters for this exploit are null byte, tab, LF, CR, single quote and backslash; shellcode delivered via unescape() will avoid these bytes.
  • The exploit buffer offset to EIP is 64 bytes; a stack-based overflow with exactly 64 bytes of padding before the return address is a strong indicator of this specific exploit.
  • The Metasploit module targets only Windows XP SP0-SP3 and Windows Vista SP0-SP1 with IE 6.0 SP0-SP2 and IE 7.0; the heap spray and return address (0x0C0C0C0C) are specific to these platform/browser combinations.
  • The StackAdjustment of -3500 is used by the Metasploit payload to avoid clobbering itself on the stack; this is exploit-framework-specific and may differ in custom exploit variants.
  • The POC shellcode (EDB-3661) opens a bind shell on port 5555; real-world attackers will substitute different payloads, so port 5555 alone is not a reliable indicator.
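Added example (not from the page's sources, the EDB-3661 proof of concept or the Metasploit module): a Python scanner that applies the indicators above to HTML/JavaScript content. The CLSID is not listed on this page, so the scanner matches on the ProgID string SPIDERLib.Loader instead. The 64-byte threshold for an "abnormally long" ProgColor value, the rule that counts plain characters as one byte each, and both sample pages are assumptions constructed for the example.

```python
import re

# Indicators from this page's IOC section.
PROGID = "SPIDERLib.Loader"
SHELLCODE_PREFIX = bytes.fromhex("fc6aeb4de8f9ffffff608b6c24248b45")
BAD_CHARS = b"\x00\x09\x0a\x0d\x27\x5c"   # null, tab, LF, CR, single quote, backslash
EIP_OFFSET = 64                            # padding before the saved return address

# Assumption (not from the page): a ProgColor value at least EIP_OFFSET bytes long is
# treated as "abnormally long"; a real colour value is a handful of characters.
LONG_PROGCOLOR = EIP_OFFSET

# A JavaScript string literal (quote, body), a ProgColor assignment up to its
# terminating semicolon, and a run of at least two %u0C0C heap-spray filler units.
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""", re.S)
PROGCOLOR_ASSIGN = re.compile(r"\bProgColor\s*=\s*([^;]+);")
SPRAY_RUN = re.compile(r"(?:%u0[cC]0[cC]){2,}")


def decode_unescape(literal: str) -> bytes:
    """Bytes a JavaScript unescape() string occupies in memory: %uXXXX becomes one
    UTF-16LE code unit (low byte first), %XX one byte; any other character counts as
    one byte (assumption: the property value is converted to ANSI before use)."""
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal.startswith("%u", i) and re.fullmatch(r"[0-9a-fA-F]{4}", literal[i + 2:i + 6]):
            out += bytes.fromhex(literal[i + 2:i + 6])[::-1]
            i += 6
        elif literal[i] == "%" and re.fullmatch(r"[0-9a-fA-F]{2}", literal[i + 1:i + 3]):
            out.append(int(literal[i + 1:i + 3], 16))
            i += 3
        else:
            out += literal[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def has_bad_chars(payload: bytes) -> bool:
    """True if the payload contains a byte the ProgColor channel cannot carry."""
    return any(b in payload for b in BAD_CHARS)


def scan(html: str) -> dict:
    """Apply the page's indicators to one HTML/JavaScript document."""
    findings = {
        "progid": PROGID in html,
        "progcolor_bytes": 0,
        "long_progcolor": False,
        "heap_spray": SPRAY_RUN.search(html) is not None,
        "shellcode_prefix": False,
    }
    # Size of the value assigned to ProgColor: every string literal on the right-hand
    # side, with %u escapes decoded to the bytes they produce.
    for m in PROGCOLOR_ASSIGN.finditer(html):
        size = sum(len(decode_unescape(body)) for _, body in STRING_LITERAL.findall(m.group(1)))
        findings["progcolor_bytes"] = max(findings["progcolor_bytes"], size)
    findings["long_progcolor"] = findings["progcolor_bytes"] >= LONG_PROGCOLOR
    # Known shellcode prefix inside any escaped literal.
    for _, body in STRING_LITERAL.findall(html):
        if "%u" in body and SHELLCODE_PREFIX in decode_unescape(body):
            findings["shellcode_prefix"] = True
    return findings


def verdict(findings: dict) -> str:
    if findings["progid"] and findings["long_progcolor"]:
        return "CVE-2007-1819 exploit attempt"
    if findings["heap_spray"] or findings["shellcode_prefix"]:
        return "suspicious: heap spray or known shellcode without SPIDERLib.Loader"
    return "clean"


# Constructed samples (not captured traffic): a page that uses the control normally,
# and one that mirrors the indicator set above.
BENIGN_PAGE = """<html><script>
var c = new ActiveXObject("SPIDERLib.Loader");
c.ProgColor = "#336699";
</script></html>
"""

MALICIOUS_PAGE = (
    "<html><script>\n"
    # the page's 16 shellcode bytes, %u-encoded two bytes per unit, low byte first
    'var sc = unescape("%u6afc%u4deb%uf9e8%uffff%u60ff%u6c8b%u2424%u458b");\n'
    'var filler = unescape("%u0C0C%u0C0C");\n'
    "while (filler.length < 0x100000) filler += filler;\n"
    "var spray = []; for (var i = 0; i < 200; i++) spray[i] = filler + sc;\n"
    'var obj = new ActiveXObject("SPIDERLib.Loader");\n'
    'obj.ProgColor = "' + "A" * EIP_OFFSET + '" + unescape("%u0C0C%u0C0C");\n'
    "</script></html>\n"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("malicious", MALICIOUS_PAGE)):
        f = scan(page)
        print(name, verdict(f), f)
```

The ProgID plus an over-long ProgColor value is the combination that identifies this CVE; the heap-spray filler and the shellcode prefix on their own only raise suspicion, since both are reused across many ActiveX exploits of the same era.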