cbcvebase.
CVE-2007-2918
published 2007-06-01

CVE-2007-2918: Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in (a) vibecontrol.dll, (2) CallManager and (3) ViewerClient in (b) StarClient.dll, (4)…

PriorityP346medium6.8CVSS 2.0
AVNACMAuNCPIPAP
EXPLOIT
EPSS
34.06%
98.2th percentile
Multiple stack-based buffer overflows in ActiveX controls (1) VibeC in (a) vibecontrol.dll, (2) CallManager and (3) ViewerClient in (b) StarClient.dll, (4) ComLink in (c) uicomlink.dll, and (5) WebCamXMP in (d) wcamxmp.dll in Logitech VideoCall allow remote attackers to cause a denial of service (browser crash) and execute arbitrary code via unspecified vectors.

Detection & IOCsextracted from sources · hover to see the quote

filenamewcamxmp.dll
filenamevibecontrol.dll
filenameStarClient.dll
filenameuicomlink.dll
versionwcamxmp.dll 2.0.3470.448
other0x7c941eed
commandStart()
  • Monitor for ActiveX instantiation of WebCamXMP (wcamxmp.dll) in browser processes, particularly calls to the Start() method with anomalously long string arguments (>120 bytes).
  • Detect exploit delivery HTML pages containing an object tag referencing the vulnerable ActiveX control followed by a JavaScript call to the Start() method with a large string argument.
  • On Windows XP SP2 English targets, flag RET address 0x7c941eed appearing in stack memory or shellcode context, as this is the hardcoded return address used by the public exploit.
  • Alert on browser crashes (denial of service) involving processes that have loaded vibecontrol.dll, StarClient.dll, uicomlink.dll, or wcamxmp.dll, as all four are listed as vulnerable ActiveX components.
  • ·The public Metasploit exploit targets only Windows XP Pro SP2 English with a hardcoded offset of 120 and RET of 0x7c941eed; exploitation against other OS versions or service packs requires a different offset/return address.
  • ·The exploit payload space is limited to 800 bytes with a stack adjustment of -3500; payloads exceeding this space or containing null bytes, tabs, newlines, carriage returns, single quotes, or backslashes will fail.
  • ·The exploit uses randomized variable and string names in the delivered HTML, meaning static string-based signatures on JavaScript variable names will not reliably detect all instances.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.