CVE-2007-3147
published 2007-06-11


Severity: critical, CVSS 2.0 base score 9.3 (priority P268)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 40.37% (98.5th percentile)
Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the send method. NOTE: some of these details are obtained from third party information.

Affected (6 ranges)

Vendor: yahoo · Product: messenger · Version range: not listed · Fixed in: not listed
(six entries, all for vendor yahoo / product messenger; the version range and fixed-in columns are empty in the source)

Detection & IOCs (extracted from sources)

filename: ywcupl.dll
other: 0x71aa32ad (return address)
other: 0x75022ac4 (return address)
filename: Click_here.html
  • The vulnerable ActiveX control is ywcupl.dll (instantiated by CLSID from the browser). Detect instantiation of this control in web content, or the loading of ywcupl.dll into a browser process.
  • The exploit triggers by assigning an overly long string (more than 1032 bytes) to the control's Server property and then calling its Send() method. Monitor for unusually long property assignments on this control followed by a Send() call.
  • The return address is overwritten at an offset of 1032 bytes. A buffer of exactly this size immediately preceding shellcode is a reliable signature in network and memory captures.
  • The exploit HTML file generated by the PoC tool is named Click_here.html and contains the heap spray and the ActiveX trigger. The filename can serve as a low-confidence indicator.
  • Return addresses are platform-specific: 0x71aa32ad targets Windows XP SP0/SP1 Professional (English) and 0x75022ac4 targets Windows 2000 Professional (English, all service packs). Detections keyed on these RET values will not fire on other OS versions.
  • The Metasploit module randomizes the variable names in the generated exploit HTML, which reduces the reliability of static string signatures that match on the JavaScript variable names.
  • Payload space is limited to 800 bytes, with the bad characters \x00\x09\x0a\x0d plus quotes and backslashes excluded; shellcode detection signatures must account for the encoding this constraint forces.

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 9.3 CRITICAL