CVE-2007-2217
published 2007-10-09CVE-2007-2217: Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via…
PriorityP259critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
41.41%
98.5th percentile
Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via crafted image files that trigger memory corruption, as demonstrated by a certain .tif (TIFF) file.
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
49 49 2A 00 90 3E 00 00
- →Malicious TIFF files exploiting CVE-2007-2217 begin with the little-endian TIFF magic bytes 49 49 2A 00 followed by IFD offset 90 3E 00 00; detect files with this specific header pattern. ↗
- →Crafted TIFF files triggering this vulnerability cause memory corruption; alert on .tif/.tiff files delivered via browser (Internet Explorer) that subsequently cause abnormal process execution or crashes in the Kodak Image Viewer component. ↗
- ·The exploit's EIP-control technique relies on Internet Explorer's fixed ImageBase at 0x00400000 and is therefore only reliable on Windows 2000 SP4 with IE 5.01, IE 5.5, or IE 6.0 SP1; the technique may not work on XP SP2 or Server 2003 where ASLR or differing memory layouts apply. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
exploitdb·2007-11-11
CVE-2007-2217 Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
Microsoft Internet Explorer - TIF/TIFF Code Execution (MS07-055)
---
#!/usr/bin/perl
#
# Microsoft Internet Explorer TIF/TIFF Code Execution (MS07-055)
#
# Author: grabarz
#
# Note: This exploit is modified from Hong Gil-Dong, Jeon Woo-chi PoC
# (http://www.milw0rm.com/exploits/4584)
#
# Internet Explorer has standart ImageBase address and PE Win32 header
# is started at 0x00400000 in memory. So memory cell at the address
# 0x00400008 contains the short value 0x0004 and at the address
# 0x00400011 it contains the long value 0x00000000 in any case.
# I used these addresses for generating of TIFF-file that uses
# vulnerability and for controling of EIP.
#
# This exploit tested on:
# - Windows 2000 SP4 + IE5.01
# - Windows 2000 SP4 + IE5.5
# - Windows 2000 SP4 + IE6.0 SP1
#
# Credit: Hong G
Exploit-DB
Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
exploitdb·2007-10-29
CVE-2007-2217 Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
Kodak Image Viewer - TIF/TIFF Code Execution (MS07-055)
---
/* MS07-055 Kodak Image Viewer TIF/TIFF Code Execution Proof Of Concept
by Hong Gil-Dong, Jeon Woo-chi
* Hwang-Hee(?~1542), Prime Minister in Korea
* Once upon a time, One servant of Hwang-Hee was arguing with another
* servant. they asked Hwang-Hee to judge who is right.
* Hwang-Hee listend their story, and said "Both are right".
* We tested this code on Windows 2000 SP4 Korean Edition.
* But if you change some parts of this code, you can also execute an
* arbitrary code in other systems.
* - Caution -
* First, execute the Kodak Image Viewer and then open the ms07-005.tif
* file. If you click the ms07-005.tif file directly in explorer,
* sometimes it causes not excution but just crash.
*/
#include
#define TIF_FILE "ms07-055
No writeups or analysis indexed.
http://secunia.com/advisories/27092http://securitytracker.com/id?1018784http://www.kb.cert.org/vuls/id/180345http://www.securityfocus.com/archive/1/482366/100/0/threadedhttp://www.securityfocus.com/bid/25909http://www.us-cert.gov/cas/techalerts/TA07-282A.htmlhttp://www.vupen.com/english/advisories/2007/3435https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-055https://exchange.xforce.ibmcloud.com/vulnerabilities/36799https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1481https://www.exploit-db.com/exploits/4584http://secunia.com/advisories/27092http://securitytracker.com/id?1018784http://www.kb.cert.org/vuls/id/180345http://www.securityfocus.com/archive/1/482366/100/0/threadedhttp://www.securityfocus.com/bid/25909http://www.us-cert.gov/cas/techalerts/TA07-282A.htmlhttp://www.vupen.com/english/advisories/2007/3435https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-055https://exchange.xforce.ibmcloud.com/vulnerabilities/36799https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1481https://www.exploit-db.com/exploits/4584
2007-10-09
Published