CVE-2007-2938
published 2007-05-31


Priority: P3 47 critical
CVSS 2.0: 10, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 40.51% (98.5th percentile)
Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module (ATNBaseLoader100.dll) 5.4.0.6, when Internet Explorer 6 is used, allows remote attackers to execute arbitrary code via a long argument to the (1) Send485CMD method, and possibly the (2) SetLoginID, (3) AddSite, (4) SetScreen, and (5) SetVideoServer methods.

Affected (2 ranges)

Vendor      Product                          Version range   Fixed in
honeywell   ademco_atnbaseloader100_module   (not listed)    (not listed)
microsoft   internet_explorer                (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename   ATNBaseLoader100.dll
registry   EIP = %03%78%41%7e (call ESP user32.dll)
command    cmd /c net user su tzu /add & net localgroup Administrators su /add
other      BaseRunner.Send485CMD with 272-byte 'A' padding + EIP + NOP + SCODE
  • Monitor for ActiveX method calls to BaseRunner.Send485CMD, SetLoginID, AddSite, SetScreen, or SetVideoServer with abnormally long string arguments (>272 bytes) from Internet Explorer 6 processes.
  • Detect shellcode NOP sled pattern (%90 repeated 12 times) followed by the exploit SCODE blob in network or memory content associated with ATNBaseLoader100.dll.
  • Alert on post-exploitation commands creating a new local user and adding them to the Administrators group, consistent with the embedded payload: 'net user su tzu /add' and 'net localgroup Administrators su /add'.
  • The exploit uses a fixed EIP overwrite value targeting a 'call ESP' gadget in user32.dll; detect stack-pivot/call-ESP ROP patterns in the context of iexplore.exe loading ATNBaseLoader100.dll.
  • The vulnerability and exploit are specific to Internet Explorer 6; the ActiveX control ATNBaseLoader100.dll version 5.4.0.6 must be installed and the ActiveX control must be instantiable in the browser for exploitation to succeed.
  • The fixed EIP value (%03%78%41%7e) targets a specific 'call ESP' offset in user32.dll; this offset is version/patch-level dependent and may not be reliable across all Windows configurations.