CVE-2007-2238
Published 2009-04-16
Priority: P3 (56) · Severity: critical · CVSS 2.0 base score: 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available · EPSS: 45.53% (98.6th percentile)
Multiple stack-based buffer overflows in the Whale Client Components ActiveX control (WhlMgr.dll), as used in Microsoft Intelligent Application Gateway (IAG) before 3.7 SP2, allow remote attackers to execute arbitrary code via long arguments to the (1) CheckForUpdates or (2) UpdateComponents methods.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | intelligent_application_gateway_2007 | <= 3.7 | — |
Detection & IOCs (extracted from sources)
- Detect instantiation of the vulnerable ActiveX ProgID 'ComponentManager.Installer.1' in browser scripts, which is the attack vector for this exploit.
- Monitor for heap spray targeting address 0x0a0a0a0a with a block size of 0x40000, a pattern characteristic of this exploit's JavaScript heap spray.
- Alert on calls to the CheckForUpdates() or UpdateComponents() methods of WhlMgr.dll (ComponentManager.Installer.1 ActiveX) with abnormally long string arguments, indicative of stack buffer overflow exploitation.
- The exploit uses JavaScript obfuscation (ObfuscateJS) and unescape-encoded shellcode delivery; inspect browser traffic for unescape() patterns combined with ActiveXObject instantiation of ComponentManager.Installer.1.
- The Metasploit module's Ret value for the sole target (Windows XP SP0-SP3 / Vista / IE 6-7) is empty in the source, meaning a reliable return address may need to be supplied or resolved dynamically; detections based on a fixed return address will not be reliable.
- The JavaScript payload and variable names are obfuscated at runtime via ObfuscateJS, so static string-based signatures on variable names (e.g., 'evil_string', 'shellcode') will not match obfuscated delivery.
No detection rules found.
Exploit-DB
Microsoft Whale Intelligent Application Gateway - ActiveX Control Buffer Overflow (Metasploit) (exploitdb · 2010-05-09)
---
```ruby
##
# $Id: mswhale_checkforupdates.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Everything from the `<` in the class header up to the `=>` before the
# module name was swallowed during extraction (parsed as an HTML tag).
# The lines below restore the standard Metasploit 3 module skeleton;
# any `include` lines the original had at this point were lost as well.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application
				Gateway Whale Client. When sending an overly long string to CheckForUpdates()
				method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code.
			},
# The source page's excerpt of the module ends here; the remainder is not included.
```
Metasploit
Microsoft Whale Intelligent Application Gateway ActiveX Control Buffer Overflow (metasploit)
This module exploits a stack buffer overflow in Microsoft Whale Intelligent Application Gateway Whale Client. When sending an overly long string to the CheckForUpdates() method of WhlMgr.dll (3.1.502.64) an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/34725
- http://www.kb.cert.org/vuls/id/789121
- http://www.securityfocus.com/bid/34532
- http://www.vupen.com/english/advisories/2009/1061
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49888