CVE-2007-2222
published 2007-06-12

Priority: P3 (51) · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 57.52% (99.0th percentile)
Multiple buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls, as used by Microsoft Internet Explorer 5.01, 6, and 7, allow remote attackers to execute arbitrary code via a crafted ActiveX object that triggers memory corruption, as demonstrated via the ModeName parameter to the FindEngine function in ACTIVEVOICEPROJECTLib.DirectSS.

Affected (3 ranges)

Vendor      Product             Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

  • filename: Xlisten.dll
  • filename: Xvoice.dll
  • path: C:\WINNT\speech\XVoice.dll
  • other: ACTIVEVOICEPROJECTLib.DirectSS
  • other: 0x007d0023 (call edi)
  • Exploit triggers via the ModeName parameter to ACTIVEVOICEPROJECTLib.DirectSS.FindEngine — monitor ActiveX instantiation of this ProgID and oversized ModeName arguments
  • XP SP2 exploit uses an 888-byte 'A' padding buffer before the EBP/EIP overwrite in ModeName; Win2000 SP4 exploit uses 950-byte 'A' padding — detect abnormally large ModeName strings passed to FindEngine
  • Win2000 SP4 exploit uses SEH overwrite with return address 0x007d0023 (call edi) located in XVoice.dll — monitor for SEH chain corruption in processes hosting this ActiveX
  • Exploit uses ModeID filled with ~199544 NOP bytes followed by shellcode — detect heap spray of large NOP sleds in browser processes loading Xvoice.dll or Xlisten.dll
  • Multiple large string buffers (9,999,999 chars each) are allocated for heap spray — detect allocation of multiple near-10MB string objects in scripting engine context
  • Target DLL for Win2000 SP4 is C:\WINNT\speech\XVoice.dll — alert on loading of this module into iexplore.exe or other browser processes
  • Two separate exploit payloads exist: one targeting Windows XP SP2 (exploit 4066) and one targeting Windows 2000 SP4 (exploit 4065) — shellcode, NOP sled construction, and return addresses differ between the two; detection signatures must account for both variants
  • The Win2000 SP4 exploit uses a UNICODE-aware NOP sled technique (add byte ptr [esi], ch as NOP; xchg eax, edi) rather than standard 0x90 NOPs — byte-pattern signatures based solely on 0x90 NOP sleds will miss this variant
  • The XP SP2 exploit EIP value (%01%0a) is described as 'jmp to scode, UNICODE expanded' — the actual jump target is UNICODE-expanded at runtime, so static EIP value matching may not be reliable across all environments