CVE-2007-2761
Published 2007-05-18
CVE-2007-2761: Stack-based buffer overflow in MagicISO 5.4 build 239 and earlier allows remote attackers to execute arbitrary code via a long filename in a .cue file.
Priority: P337 | high | 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 6.12% (92.5th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ezb_systems | ultraiso | <= 8.6.2.2011 | — |
| magiciso | magiciso | <= 5.4_build_239 | — |
GHSA
GHSA-p8pr-h875-42wj: Stack-based buffer overflow in UltraISO 8
ghsa_unreviewed·2022-05-01·CVSS 7.5
CVE-2007-2888 [HIGH] GHSA-p8pr-h875-42wj: Stack-based buffer overflow in UltraISO 8
Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string (filename) in a .cue file, a related issue to CVE-2007-2761. NOTE: some details are obtained from third party information.
GHSA
GHSA-x26v-vj6m-f8j8: Stack-based buffer overflow in MagicISO 5
ghsa_unreviewed·2022-05-01
CVE-2007-2761 [HIGH] GHSA-x26v-vj6m-f8j8: Stack-based buffer overflow in MagicISO 5
Stack-based buffer overflow in MagicISO 5.4 build 239 and earlier allows remote attackers to execute arbitrary code via a long filename in a .cue file.
No detection rules found.
Exploit-DB
MagicISO 5.4 (build239) - '.cue' File Local Buffer Overflow
exploitdb·2007-05-23
CVE-2007-2761 MagicISO 5.4 (build239) - '.cue' File Local Buffer Overflow
---
/*
-- poc/demo for magiciso exploit, found by n00b
-- by: [email protected]
-- original email reply comments:
I actually looked into this when you posted this on milw0rm. I was able to get it to run arbitrary code, however it was so unreliable it wasn't worth me posting... however, it was informative.
you have control of several registers, however it's eax and edx(not ecx) that are most interesting... the next instructions that get called(and fault magiciso) are:
MOV DWORD PTR DS:[EDX],EAX
MOV DWORD PTR DS:[EAX+4],EDX
...now, with that you can overwrite any 4byte area in memory with anything you want. the problem is you can't use null bytes(which is where the shellcode and the current SEH handler is(non-PEB)) in this situa
Exploit-DB
MagicISO 5.4 (build239) - '.cue' Heap Overflow (PoC)
exploitdb·2007-05-17
CVE-2007-2761 MagicISO 5.4 (build239) - '.cue' Heap Overflow (PoC)
---
#!/usr/bin/env ruby
###################################
#Credits to n00b for finding this bug.
#Magic iso has a stack-based buffer overflow when
#we pass an overly long file name inside the .cue file.
#We are able to control a lot of the registers so
#command execution is possible, but I'm still learning,
#which means this will get released as a DoS PoC for
#now till I can get the help I need. Anyway, I will provide
#the debug info for you to see for yourself. If anyone
#decides to write a local exploit for this please give
#credits to n00b. OK, on with the work of info collecting.
#Vendor : http://www.magiciso.com/
#Tested on win xp sp2.
#I would also like to thank the people I emailed and PM'd about this
#Shouts: ~ Str0ke ~ Marsu ~
No writeups or analysis indexed.
http://osvdb.org/36077
http://secunia.com/advisories/25325
http://www.securityfocus.com/archive/1/469302/100/0/threaded
http://www.securityfocus.com/bid/24029
http://www.vupen.com/english/advisories/2007/1865
https://exchange.xforce.ibmcloud.com/vulnerabilities/34346
https://www.exploit-db.com/exploits/3945
Published: 2007-05-18