CVE-2007-2938
Published 2007-05-31
Priority: P3 · 47
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see references)
EPSS: 40.51% (98.5th percentile)
Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module (ATNBaseLoader100.dll) 5.4.0.6, when Internet Explorer 6 is used, allows remote attackers to execute arbitrary code via a long argument to the (1) Send485CMD method, and possibly the (2) SetLoginID, (3) AddSite, (4) SetScreen, and (5) SetVideoServer methods.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| honeywell | ademco_atnbaseloader100_module | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
Shellcode bytes (URL-encoded, as carried by the public exploit):
%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%37%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%44%58%50%30%41%30%41%6b%41%41%54%42%41%32%41%41%32%42%41%30%42%41%58%38%41%42%50%75%68%69%39%6c%38%68%31%54%43%30%47%70%57%70%4c%4b
- Monitor for calls to the BaseRunner methods Send485CMD, SetLoginID, AddSite, SetScreen or SetVideoServer with abnormally long string arguments (over 272 bytes) originating from Internet Explorer 6 processes.
- Detect the shellcode NOP sled (%90 repeated 12 times) followed by the exploit's SCODE blob (the bytes above) in network or memory content associated with ATNBaseLoader100.dll.
- Alert on post-exploitation commands that create a new local user and add it to the Administrators group, consistent with the embedded payload: 'net user su tzu /add' (user 'su', password 'tzu') and 'net localgroup Administrators su /add'.
- The exploit overwrites EIP with a fixed address of a 'call esp' instruction in user32.dll; this is a return-into-register trampoline, not a ROP chain or stack pivot, so the useful signals are iexplore.exe executing code from its stack after loading ATNBaseLoader100.dll, or the fixed address bytes (%03%78%41%7e) appearing in the request.
- The vulnerability and exploit are specific to Internet Explorer 6; ATNBaseLoader100.dll version 5.4.0.6 must be installed and the control must be instantiable in the browser for exploitation to succeed. Setting the ActiveX kill bit for the control's CLSID (not listed on this page) stops IE from instantiating it regardless of browser version.
- The fixed EIP value (%03%78%41%7e) targets a specific 'call esp' offset in user32.dll; that offset depends on the user32.dll build (Windows version, language and patch level), so the exploit is not reliable across all Windows configurations.
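The following is an added example, not part of the vulnerability record or of the public exploit: a small scanner that applies the indicators above to a captured HTML/JavaScript page. It assumes (these are assumptions, not facts from the page) that the attacker reaches the control through a script variable and builds the long argument from string literals, unescape() calls and simple concatenation; loops and String.repeat() are reported as unresolvable rather than guessed. The two sample pages are constructed, the CLSID is omitted because the page does not list it, and only the first 14 shellcode bytes are used.

```python
"""Scan captured HTML/JavaScript for the CVE-2007-2938 indicators listed above.
Added example; the sample pages are constructed, not the published exploit."""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

METHODS = ("Send485CMD", "SetLoginID", "AddSite", "SetScreen", "SetVideoServer")
ARG_THRESHOLD = 272                                   # long-argument threshold quoted in the IOC list
NOP_SLED = b"\x90" * 12                               # the 12-byte %90 sled
EIP_BYTES = bytes.fromhex("0378417e")                 # fixed return address 0x7E417803, little-endian
GETPC_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")    # jmp +3 / pop ecx / jmp +5 / call -8: the GetPC
                                                      # prologue that opens the shellcode bytes above
PAYLOAD_CMDS = ("net user su tzu /add", "net localgroup Administrators su /add")

# One statement per line:  var x = <expr>;   or   x += <expr>;
_ASSIGN = re.compile(r"^\s*(?:var\s+|let\s+|const\s+)?(\w+)\s*(\+?=)(?!=)\s*([^;\n]+);", re.M)
# Expression tokens: unescape("..."), a plain literal, an identifier, '+', or anything else (unsupported).
_TOK = re.compile(
    r"unescape\s*\(\s*(?P<uq>[\"'])(?P<u>(?:\\.|(?!(?P=uq)).)*)(?P=uq)\s*\)"
    r"|(?P<sq>[\"'])(?P<s>(?:\\.|(?!(?P=sq)).)*)(?P=sq)"
    r"|(?P<id>[A-Za-z_$][\w$]*)"
    r"|(?P<plus>\+)"
    r"|(?P<other>\S)",
    re.S,
)
# A call to one of the named methods; the argument may contain one level of parentheses, e.g. unescape("...").
_CALL = re.compile(r"\.(" + "|".join(METHODS) + r")\s*\(((?:[^()]|\([^()]*\))*)\)")


def eval_expr(expr: str, values: dict) -> Optional[bytes]:
    """Byte value of a JS expression built from literals, unescape() and known variables.
    unescape("%xx") yields one byte per escape, which is what IE handed to the control.
    Returns None for anything not modelled (loops, String.repeat, arithmetic, other calls)."""
    out = b""
    for m in _TOK.finditer(expr):
        if m.group("u") is not None:
            out += unquote_to_bytes(m.group("u"))
        elif m.group("s") is not None:
            out += m.group("s").encode()
        elif m.group("id"):
            if m.group("id") not in values:
                return None
            out += values[m.group("id")]
        elif m.group("other"):
            return None
    return out


def resolve_strings(script: str) -> dict:
    """Replay simple assignments in order so a buffer built by concatenation can be sized."""
    values: dict = {}
    for name, op, expr in _ASSIGN.findall(script):
        val = eval_expr(expr, values)
        if val is None:
            continue
        values[name] = values.get(name, b"") + val if op == "+=" else val
    return values


def scan(html: str) -> dict:
    """Apply the four IOCs: oversized argument, NOP sled, fixed EIP bytes / decoder stub, payload commands."""
    script = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    values = resolve_strings(script)
    blobs = list(values.values())
    joined = b"\x00".join(blobs)
    report = {
        "long_calls": [],                                   # (method, decoded argument length) over threshold
        "nop_sled": any(NOP_SLED in b for b in blobs),
        "eip_bytes": any(EIP_BYTES in b for b in blobs),
        "decoder_stub": any(GETPC_STUB in b for b in blobs),
        "payload_cmds": [c for c in PAYLOAD_CMDS if c.encode() in joined or c in html],
    }
    for m in _CALL.finditer(script):
        val = eval_expr(m.group(2), values)
        if val is not None and len(val) > ARG_THRESHOLD:
            report["long_calls"].append((m.group(1), len(val)))
    return report


def is_exploit_attempt(report: dict) -> bool:
    """An oversized argument alone is decisive; otherwise require the sled plus the return address or decoder stub."""
    return bool(report["long_calls"]) or (report["nop_sled"] and (report["eip_bytes"] or report["decoder_stub"]))


# Constructed sample (not the published exploit): 268 filler bytes + return address + sled + 14 shellcode bytes = 298.
SAMPLE = """<html><body>
<object id="target"></object>  <!-- CLSID omitted: it is not listed on this page -->
<script>
var nop   = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");
var ret   = unescape("%03%78%41%7e");
var scode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49");
var pad   = "__PAD__";
var cmd   = "net user su tzu /add & net localgroup Administrators su /add";
var buf   = pad + ret + nop + scode;
target.Send485CMD(buf);
target.SetLoginID("admin");
</script></body></html>""".replace("__PAD__", "A" * 268)

# Constructed benign page: a short, legitimate-looking call to one of the monitored methods.
BENIGN = """<html><body><script>
var who = "admin";
target.SetLoginID(who);
</script></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE), is_exploit_attempt(scan(SAMPLE)))
    print(scan(BENIGN), is_exploit_attempt(scan(BENIGN)))
```

The decoded length is what matters: a 272-byte threshold applied to the raw JavaScript source would be off by a factor of three for a %xx-encoded buffer, which is why the scanner replays unescape() before measuring. An argument it cannot resolve (a loop or String.repeat) is left out of the length check rather than guessed, so the sled and return-address checks still fire on such pages.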
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/36700
- http://secunia.com/advisories/25430
- http://www.securityfocus.com/bid/24172
- http://www.vupen.com/english/advisories/2007/1958
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34548
- https://www.exploit-db.com/exploits/3993