cbcvebase.
CVE-2007-2987
published 2007-06-01


Priority: P269 · critical · 9.3 (CVSS 2.0)
Vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 32.70% (98.1th percentile)
Multiple buffer overflows in certain ActiveX controls in sasatl.dll in Zenturi ProgramChecker allow remote attackers to execute arbitrary code via unspecified vectors, possibly involving the (1) DebugMsgLog or (2) DoFileProperties methods.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zenturi | zenturi_programchecker | | |
| zenturi | zenturi_programchecker | | |

Detection & IOCs (extracted from sources)

  • filename: sasatl.dll
  • version: sasatl.dll 1.5.0.531
  • command: DownloadFile
  • command: DebugMsgLog
  • command: Scan()
  • other: heapSprayToAddress = 0x0c0c0c0c
  • bytes: %AA%A2%39%7E

  • Monitor ActiveX instantiation of sasatl.dll (version 1.5.0.531) in browser processes; calls to DownloadFile method dropping executables to Startup folder are indicative of exploitation.
  • Detect heap spray pattern targeting address 0x0c0c0c0c with NOP sled (%u9090%u9090) in browser memory, characteristic of the Scan() method exploit.
  • Detect use of DebugMsgLog method on the sasatl.dll ActiveX control with oversized buffer arguments (838+ 'A' characters) followed by a return address, indicating stack-based buffer overflow exploitation.
  • The Metasploit exploit module serves a malicious HTML page with Content-Type application/octet-stream for the payload stage; detect HTTP responses of this type originating from exploit infrastructure.
  • The CVE-2007-2987 vulnerability is specifically tied to sasatl.dll version 1.5.0.531; other versions may not be affected by the DownloadFile/arbitrary file write vector.
  • CVE-2007-3703 (Fill method stack overflow in sasatl.dll 1.5.0.531) is noted as a distinct issue from CVE-2007-2987; do not conflate the two when writing detection rules.
  • The PoC exploits were tested specifically on Windows XP Professional SP2 with Internet Explorer 7; detection coverage on other platforms may vary.

CVSS provenance

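| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.3 | CRITICAL | |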