cvebase
CVE-2007-2888
published 2007-05-30

CVE-2007-2888: Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string…

Priority: P3 (45, high)
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 54.68% (98.9th percentile)
Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string (filename) in a .cue file, a related issue to CVE-2007-2761. NOTE: some details are obtained from third party information.

Affected (1 range)

Vendor: ezb_systems
Product: ultraiso
Version range: <= 8.6.2.2011
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

filename: 1.cue
filename: 1.bin
filename: xpl.cue
filename: xpl.bin
filename: msf.cue
other: RET 0x00594740 (add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe v8.6.2.2011 portable)
other: RET 0x0059170c (add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe v8.6.0.1936)
other: RET 0x77f84143 (jmp *%esp in system DLL, used in exploit)
other: RET \x43\x41\xf8\x77 (0x77f84143 little-endian, jmp esp)
bytes: \x46\x49\x4c\x45\x20\x22 (FILE ")
bytes: \x81\xc4\x54\xf2\xff\xff (add esp, 0xfffff254 stack pivot prepend encoder)
bytes: Metasploit calc.exe shellcode: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49...
  • Trigger is a crafted .cue file with a FILE field containing a filename string of 1099+ bytes (overflowing a fixed-size stack buffer); a companion .bin file with the same base name must exist in the same directory.
  • Detect anomalously long FILE field values in .cue files: the exploit uses 1099–1100 'A' (0x41) bytes before the overwritten return address.
  • Opening either the .cue or the .bin file triggers the vulnerability; both files must share the same base name and reside in the same directory.
  • Bad characters for payload encoding are the null byte, LF, CR, and double-quote (\x00\x0a\x0d\x22); such bytes normally occur on the FILE line of a .cue file, so their absence from an otherwise oversized field is suspicious.
  • The Metasploit module prepends a stack-pivot stub (\x81\xc4\x54\xf2\xff\xff) before the payload; scan for this byte sequence inside .cue FILE field content.
  • A jmp-esp gadget at 0x77f84143 (ntdll/kernel32 on XP SP2) is used as the return address; little-endian bytes \x43\x41\xf8\x77 at offset 1099 in the FILE field indicate exploitation.
  • Return address offsets differ between UltraISO versions: 0x00594740 for v8.6.2.2011 portable and 0x0059170c for v8.6.0.1936; exploits targeting one version will not work reliably against the other.
  • The PoC and exploits were tested on Windows XP Service Pack 2 only; reliability on other Windows versions is not confirmed.
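Added example, not code from the advisory or from UltraISO: a small Python scanner for the .cue indicators listed above. It parses each FILE line, flags fields longer than a benign path ceiling (260 bytes, an assumption), fields that reach the 1099-byte overflow length, the little-endian jmp-esp return address at offset 1099, and the stack-pivot stub; the two cue sheets at the bottom are constructed samples.

```python
import re

# Signatures and offsets are those quoted in the detection bullets above.
OVERFLOW_LEN = 1099                       # 'A' bytes before the overwritten return address
PIVOT_STUB = b"\x81\xc4\x54\xf2\xff\xff"  # add esp, 0xfffff254 (Metasploit prepend stub)
JMP_ESP_RET = b"\x43\x41\xf8\x77"         # 0x77f84143 little-endian (jmp esp)
# Assumption: a legitimate FILE value is a path, so MAX_PATH (260) is a generous benign ceiling.
MAX_BENIGN_LEN = 260
FILE_PREFIX = re.compile(rb'^\s*FILE\s+"', re.IGNORECASE)

def file_field(line: bytes):
    """Return the FILE field bytes of one .cue line, or None if it is not a FILE line.
    A missing closing quote (possible in a crafted file) yields the rest of the line."""
    m = FILE_PREFIX.match(line)
    if not m:
        return None
    rest = line[m.end():]
    end = rest.find(b'"')
    return rest if end < 0 else rest[:end]

def scan_cue(data: bytes) -> list:
    """Scan a .cue file's bytes; one finding dict per FILE line, with the reasons it was flagged."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), 1):
        field = file_field(line)
        if field is None:
            continue
        reasons = []
        if len(field) > MAX_BENIGN_LEN:
            reasons.append("oversized")
        if len(field) >= OVERFLOW_LEN:
            reasons.append("reaches_overflow_length")
        if field[OVERFLOW_LEN:OVERFLOW_LEN + 4] == JMP_ESP_RET:
            reasons.append("jmp_esp_ret_at_1099")
        if PIVOT_STUB in field:
            reasons.append("pivot_stub")
        # A real path is printable; a field that is mostly non-printable bytes carries a payload.
        nonprint = sum(1 for b in field if b < 0x20 or b > 0x7E)
        if field and nonprint / len(field) > 0.25:
            reasons.append("binary_content")
        findings.append({"line": lineno, "length": len(field), "reasons": reasons})
    return findings

def is_suspicious(data: bytes) -> bool:
    """True when any FILE line in the cue sheet was flagged for at least one reason."""
    return any(f["reasons"] for f in scan_cue(data))

# Constructed samples (not real files): a normal cue sheet and one shaped like the described exploit.
BENIGN_CUE = b'FILE "album.bin" BINARY\r\n  TRACK 01 MODE1/2352\r\n    INDEX 01 00:00:00\r\n'
CRAFTED_CUE = b'FILE "' + b"A" * OVERFLOW_LEN + JMP_ESP_RET + PIVOT_STUB + b"\x90" * 16 + b'" BINARY\r\n'
```

Run `scan_cue(open(path, "rb").read())` over a directory of .cue files to triage them; the benign sample yields no reasons, the crafted one is flagged four ways.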