CVE-2007-3314
Published 2007-06-21
Priority P3 44 · medium · 6.8 (CVSS 2.0)
AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 43.41% (98.6th percentile)
Stack-based buffer overflow in peviewer.spl in Altap Servant Salamander 2.5 with Portable Executable Viewer 2.02 (English Trial), and 2.0 with Portable Executable Viewer 1.00 (English Trial), allows remote attackers to execute arbitrary code via a long PDB debug filename in a PE file.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| altap | portable_executable_viewer | — | — |
| altap | portable_executable_viewer | — | — |
| altap | servant_salamander | — | — |
| altap | servant_salamander | — | — |
Detection & IOCs (extracted from sources)
- The exploit appends a '.pdb' extension suffix after the SEH overwrite payload; malicious PE files exploiting this CVE will contain an abnormally long PDB debug filename string (≥1098 bytes of padding before the SEH overwrite) in the PE debug directory.
- The overflow targets the SEH chain (structured exception handler overwrite) on the stack inside peviewer.spl; detection should look for PE files with a debug PDB path field exceeding normal length limits when processed by Altap Salamander's PE Viewer plugin.
- The return address used in the exploit points into salrtl.dll (pop ebx; pop eax; ret gadget at 0x23920b59); presence of this address in a stack trace or crash dump is a strong indicator of exploitation.
- The vulnerable plugin is peviewer.spl; monitor for crashes or abnormal process termination originating from this module when opening PE files.
- The Metasploit module sets EXITFUNC to 'process', meaning the host process will terminate after payload execution; post-exploitation forensics should account for process exit masking shellcode activity.
- The payload space is limited to 1024 bytes and excludes the bad characters listed; payloads or shellcode containing these bytes will not function correctly in this exploit.
- The exploit is classified as a local/fileformat attack requiring user interaction — the victim must open the crafted PE file with the Portable Executable Viewer plugin in a vulnerable Salamander version.
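
One way to implement the PDB-path length check described in the detection notes above, as an added example that is not part of the original page or of any tool it references. The 260-byte threshold and the names `pdb_paths`, `is_suspicious` and `build_sample` are assumptions, and the sample input is constructed.

```python
import struct

MAX_PDB_PATH = 260  # assumed threshold (Windows MAX_PATH); not a value from the page
CV_PATH_OFFSET = {b"RSDS": 24, b"NB10": 16}  # where the path starts in each CodeView record

def pdb_paths(data: bytes) -> list:
    """Return the PDB path of every CodeView entry in a PE image's debug directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)  # start of the data directories
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 6:
        return []  # image has no debug data directory slot
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 6 * 8)
    dbg_off = None
    for i in range(nsec):  # map the directory RVA to a file offset
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if va <= dbg_rva < va + max(vsize, rsize):
            dbg_off = raw + dbg_rva - va
    if dbg_off is None:
        return []
    paths = []
    for entry in range(dbg_off, dbg_off + dbg_size - 27, 28):
        dtype, _size, _rva, ptr = struct.unpack_from("<IIII", data, entry + 12)
        start = CV_PATH_OFFSET.get(data[ptr:ptr + 4]) if dtype == 2 else None
        if start is not None:
            # Assumption: SizeOfData is file-controlled, so measure to the NUL terminator
            end = data.find(b"\0", ptr + start)
            paths.append(data[ptr + start:(end if end != -1 else len(data))])
    return paths

def is_suspicious(data: bytes, limit: int = MAX_PDB_PATH) -> bool:
    return any(len(p) > limit for p in pdb_paths(data))

def build_sample(pdb: bytes) -> bytes:
    """Constructed test input: PE32 headers plus one section, not a runnable program."""
    cv = b"RSDS" + bytes(20) + pdb + b"\0"
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), 0x101C, 0x21C)
    body = entry + cv
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
    hdr += bytes(48) + struct.pack("<II", 0x1000, 28) + bytes(72)
    hdr += b".rdata\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), 0x200) + bytes(16)
    return hdr.ljust(0x200, b"\0") + body
```

A truncated or malformed header raises `struct.error` or `ValueError`; a scanner built on this should treat either as a reason to quarantine the file rather than pass it.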
No detection rules found.
Exploit-DB
Altap Salamander 2.5 PE Viewer - Local Buffer Overflow (Metasploit)
exploitdb·2010-12-16
---
##
# $Id: altap_salamander_pdb.rb 11353 2010-12-16 20:11:01Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Altap Salamander 2.5 PE Viewer Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Altap Salamander MSF_LICENSE,
'Author' => [ 'patrick' ],
'Version' => '$Revision: 11353 $',
'References' =>
[
[ 'CVE', '2007-3314' ],
[ 'BID', '24557' ],
[ 'OSVDB', '37579' ],
[ 'URL', 'http://vuln.sg/salamander25-en.html' ],
],
'DefaultOptions'
Metasploit
Altap Salamander 2.5 PE Viewer Buffer Overflow
This module exploits a buffer overflow in Altap Salamander <= v2.5. By creating a malicious file and convincing a user to view the file with the Portable Executable Viewer plugin within a vulnerable version of Salamander, the PDB file string is copied onto the stack and the SEH can be overwritten.
No writeups or analysis indexed.
- http://osvdb.org/37579
- http://secunia.com/advisories/25732
- http://vuln.sg/salamander25-en.html
- http://www.securityfocus.com/bid/24557
- http://www.vupen.com/english/advisories/2007/2268
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34938