cbcvebase.
CVE-2007-2584
published 2007-05-10

CVE-2007-2584: Buffer overflow in the IsOldAppInstalled function in the McSubMgr.McSubMgr Subscription Manager ActiveX control (MCSUBMGR.DLL) in McAfee SecurityCenter before…

Priority: P3 · 53
CVSS 2.0: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 9.74% (94.9th percentile)
Buffer overflow in the IsOldAppInstalled function in the McSubMgr.McSubMgr Subscription Manager ActiveX control (MCSUBMGR.DLL) in McAfee SecurityCenter before 6.0.25 and 7.x before 7.2.147 allows remote attackers to execute arbitrary code via a crafted argument.

Affected

10 ranges (version range and fixed-in values are not present in this record)

Vendor   Product               Version range   Fixed in
mcafee   security_center       -               -
mcafee   security_center       -               -
mcafee   security_center       -               -
mcafee   security_center       -               -
mcafee   security_center       -               -
mcafee   security_center       -               -
mcafee   securitycenter_agent  -               -
mcafee   virusscan             -               -
mcafee   virusscan             -               -
mcafee   virusscan             -               -

Detection & IOCs (extracted from sources)

filename: MCSUBMGR.DLL
other:    heapSprayToAddress = 0x05050505
version:  Mcsubmgr.dll 6.0.0.15
  • Monitor for instantiation of the McSubMgr.McSubMgr ActiveX control (MCSUBMGR.DLL) from a browser context, particularly calls to the IsOldAppInstalled method with an oversized argument.
  • Flag delivery of HTML files containing the downloader shellcode byte sequence starting with EB 10 5B 4B 33 C9 66 B9 3C 01 80 34 0B 99 E2 FA, XOR-encoded with key 0x99.
  • The exploit generates a file named McAfee_exploit.html; presence of this filename on disk or in web server logs is a strong indicator of exploitation activity.
  • The exploit requires the target to be running McAfee SecurityCenter before version 6.0.25 or 7.x before 7.2.147 with MCSUBMGR.DLL present and registered as an ActiveX control; patched versions are not vulnerable.
  • The proof-of-concept shellcode is a downloader that fetches a secondary payload from an attacker-supplied URL (http:// or ftp://); the actual malicious binary is not embedded and varies per attacker.
  • The exploit was tested specifically on Windows 2000 with MCSUBMGR.DLL version 6.0.0.15; reliability on other OS/DLL version combinations is unknown.