cbcvebase.
CVE-2007-2193
published 2007-04-24

Priority: P3 · 49 · critical
CVSS 2.0 score: 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 36.57% (98.3rd percentile)
Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0 Build 108, Pro 8.1 Build 99, and Photo Editor 4.0 Build 195 allows user-assisted remote attackers to execute arbitrary code via a crafted XPM file with a long section string. NOTE: some of these details are obtained from third party information.

Affected (3 ranges)

Vendor        Product        Version range    Fixed in
acd_systems   acdsee
acd_systems   acdsee
acd_systems   photo_editor

Detection & IOCs (extracted from sources)

filename: msf.xpm
other: 0x10020758
port: 4444
bytes: \x2f\x2a\x20\x58\x50\x4d\x20\x2a\x2f\x0d\x0a\x73\x74\x61\x74\x69\x63\x20\x63\x68\x61\x72\x20\x2a\x50\x69\x78\x6d\x61\x70\x5b\x5d\x20\x3d\x20\x7b\x0d\x0a\x22\x35\x30\x39\x20\x34\x33\x38\x20\x32\x35\x36\x20\x33\x22\x2c\x0d\x0a\x22
bytes: \x05\x03\x81\x7C
bytes: \x90\x90\xeb\x16\x2a\x02\xfc\x7f\x2a\x02\xfc\x7f
bytes: \x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x98\x11\xbe\xa7\x83\xeb\xfc\xe2\xf4\x64\xf9\xfa\xa7\x98\x11\x35\xe2
  • Metasploit exploit constructs XPM payload with 4200+ bytes of alphanumeric-upper filler followed by SEH overwrite; detect XPM files with abnormally long section header strings
  • Exploit uses SEH-based overwrite technique (pop/pop/ret gadget) at offset 0x10a4 within the evil buffer; monitor for SEH chain corruption when ACDSee or ACDSeeQV processes XPM files
  • Exploit payload uses AlphanumUpper encoder with BadChars \x00 and StackAdjustment of -3500; encoded shellcode in XPM section body will be fully alphanumeric uppercase
  • Crafted XPM file structure starts with '/* XPM */' magic header followed by a static char array declaration; files exploiting this CVE will have this header followed by an oversized buffer
  • The RET address 0x10020758 is specific to ACDSee 9.0 Build 1008 only; the exploit will not work against other builds without a different return address
  • The 'call ebx' gadget at 0x7C810305 (kernel32) is specific to ACDSee 9.0 (ACDsee9.exe), while the pop/pop/ret gadget works for both ACDsee9.exe and ACDSeeQV.exe
  • The proof-of-concept exploit was tested only against Windows XP SP2 FR (French); reliability on other OS versions or service packs is not confirmed
  • Metasploit module sets DisablePayloadHandler to true and EXITFUNC to process; the generated file is purely a client-side file-format exploit requiring user interaction to open the XPM
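The "abnormally long section string" check suggested in the bullets above, as an added Python example (not code from the advisory or from the Metasploit module): it extracts the quoted section strings of an XPM body, validates the values line, and flags any string over an assumed 1024-byte threshold. The XPM samples are constructed for the example.

```python
import re

XPM_MAGIC = b'/* XPM */'
# Legitimate XPM section strings (values line, colour entries, pixel rows) are
# short. The limit is an assumption: far below the 4200+ byte filler the
# exploit needs, but above any realistic pixel row width.
MAX_STRING_LEN = 1024

# Matches one C string literal, tolerating escaped quotes inside it.
STRING_RE = re.compile(rb'"((?:[^"\\]|\\.)*)"', re.DOTALL)

def check_xpm(data: bytes, max_len: int = MAX_STRING_LEN) -> dict:
    """Inspect one XPM file body and report why it looks suspicious, if it does."""
    findings = []
    if not data.lstrip().startswith(XPM_MAGIC):
        findings.append('missing /* XPM */ magic header')
    strings = [m.group(1) for m in STRING_RE.finditer(data)]
    if not strings:
        findings.append('no quoted section strings found')
    else:
        # First string is the values section: "<width> <height> <ncolors> <cpp>"
        values = strings[0].split()
        if len(values) < 4 or not all(v.isdigit() for v in values[:4]):
            findings.append('values section is not "w h ncolors cpp"')
    for idx, s in enumerate(strings):
        if len(s) > max_len:
            findings.append(f'section string {idx} is {len(s)} bytes (limit {max_len})')
    return {'suspicious': bool(findings), 'findings': findings, 'strings': len(strings)}

# Constructed samples (not taken from the advisory or the exploit module).
BENIGN_XPM = (b'/* XPM */\r\nstatic char *Pixmap[] = {\r\n'
              b'"2 2 2 1",\r\n". c #000000",\r\n"# c #FFFFFF",\r\n'
              b'".#",\r\n"#.",\r\n};\r\n')
# Well-formed header followed by one grossly oversized section string.
OVERSIZED_XPM = (b'/* XPM */\r\nstatic char *Pixmap[] = {\r\n'
                 b'"64 64 16 1",\r\n"' + b'A' * 4200 + b'",\r\n};\r\n')

if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_XPM), ('oversized', OVERSIZED_XPM)):
        print(name, check_xpm(blob))
```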