CVE-2007-2919
Published: 2007-06-06
Priority: P348, critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.72% (98.2th percentile)
Multiple stack-based buffer overflows in the FViewerLoading ActiveX control (FlipViewerX.dll) in E-Book Systems FlipViewer before 4.1 allow remote attackers to cause a denial of service (crash) or execute arbitrary code via long (1) UID, (2) Opf, (3) PAGENO, (4) LaunchMode, (5) SubID, (6) BookID, (7) LibraryID, (8) SubURL, and (9) LoadOpf properties.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| e-book_systems | flipviewer | <= 4.0 | — |
Detection & IOCs
- Detect exploitation attempts targeting the FViewerLoading ActiveX control (CLSID embedded in HTML) via unusually long string values passed to properties: UID, Opf, PAGENO, LaunchMode, SubID, BookID, LibraryID, SubURL, or LoadOpf.
- The Metasploit exploit uses a heap-spray technique with a return address of 0x0A0A0A0A; monitor for this value in memory or network payloads targeting IE 6/7 on Windows XP/Vista.
- The exploit delivers a malicious HTML page containing JavaScript heap spray (unescape NOP sleds + shellcode) combined with an ActiveX object instantiation of FlipViewerX.dll; inspect HTTP responses for this pattern.
- The exploit payload space is 1024 bytes with null byte as the only bad character; shellcode delivered via URI-encoded heap spray in browser context.
- The Metasploit module targets only FlipViewer 4.0 and was tested on Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7; exploitation against other versions or platforms is not confirmed.
- The exploit uses randomized JavaScript variable names (rand_text_alpha) to evade static signature detection; pattern-based detection on variable names alone will be unreliable.
- EXITFUNC is set to 'process', meaning the shellcode will terminate the entire process on exit rather than just the thread; post-exploitation forensics should account for process termination.
No detection rules found.
Exploit-DB
FlipViewer FViewerLoading - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-06-15
---
##
# $Id: ebook_flipviewer_fviewerloading.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0.
The vulnerability is caused due to a boundary error in the
FViewerLoading (FlipViewerX.dll) ActiveX control when handling the
"LoadOpf()" method.
},
'License' => BSD_LICENSE,
'Author
Metasploit
FlipViewer FViewerLoading ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in E-BOOK Systems FlipViewer 4.0. The vulnerability is caused due to a boundary error in the FViewerLoading (FlipViewerX.dll) ActiveX control when handling the "LoadOpf()" method.
No writeups or analysis indexed.
- http://osvdb.org/37042
- http://secunia.com/advisories/25568
- http://www.kb.cert.org/vuls/id/449089
- http://www.securityfocus.com/bid/24328
- http://www.vupen.com/english/advisories/2007/2081
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34742