CVE-2007-2918
Published: 2007-06-01
Priority P346 medium 6.8 CVSS 2.0
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit available
EPSS: 34.06% (98.2th percentile)
Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in (a) vibecontrol.dll, (2) CallManager and (3) ViewerClient in (b) StarClient.dll, (4) ComLink in (c) uicomlink.dll, and (5) WebCamXMP in (d) wcamxmp.dll in Logitech VideoCall allow remote attackers to cause a denial of service (browser crash) and execute arbitrary code via unspecified vectors.
Detection & IOCs (extracted from sources)
- Monitor for ActiveX instantiation of WebCamXMP (wcamxmp.dll) in browser processes, particularly calls to the Start() method with anomalously long string arguments (>120 bytes).
- Detect exploit delivery HTML pages containing an object tag referencing the vulnerable ActiveX control followed by a JavaScript call to the Start() method with a large string argument.
- On Windows XP SP2 English targets, flag RET address 0x7c941eed appearing in stack memory or shellcode context, as this is the hardcoded return address used by the public exploit.
- Alert on browser crashes (denial of service) involving processes that have loaded vibecontrol.dll, StarClient.dll, uicomlink.dll, or wcamxmp.dll, as all four are listed as vulnerable ActiveX components.
- The public Metasploit exploit targets only Windows XP Pro SP2 English with a hardcoded offset of 120 and RET of 0x7c941eed; exploitation against other OS versions or service packs requires a different offset/return address.
- The exploit payload space is limited to 800 bytes with a stack adjustment of -3500; payloads exceeding this space or containing null bytes, tabs, newlines, carriage returns, single quotes, or backslashes will fail.
- The exploit uses randomized variable and string names in the delivered HTML, meaning static string-based signatures on JavaScript variable names will not reliably detect all instances.
No detection rules found.
Exploit-DB
Logitech VideoCall - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: logitechvideocall_start.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Logitech VideoCall ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX
Control (wcamxmp.dll 2.0.3470.448). By sending a overly long string to the
"Start()" method, an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version'
Metasploit
Logitech VideoCall ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in the Logitech VideoCall ActiveX Control (wcamxmp.dll 2.0.3470.448). By sending an overly long string to the "Start()" method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
http://osvdb.org/36820
http://osvdb.org/36821
http://osvdb.org/36822
http://osvdb.org/36823
http://osvdb.org/36824
http://secunia.com/advisories/25514
http://www.kb.cert.org/vuls/id/330289
http://www.securityfocus.com/bid/24254
http://www.vupen.com/english/advisories/2007/2018
https://exchange.xforce.ibmcloud.com/vulnerabilities/34658
Published: 2007-06-01