CVE-2007-3314
published 2007-06-21

Priority: P344 | medium | 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 43.41% (98.6th percentile)
Stack-based buffer overflow in peviewer.spl in Altap Servant Salamander 2.5 with Portable Executable Viewer 2.02 (English Trial), and 2.0 with Portable Executable Viewer 1.00 (English Trial), allows remote attackers to execute arbitrary code via a long PDB debug filename in a PE file.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
altap | portable_executable_viewer | |
altap | portable_executable_viewer | |
altap | servant_salamander | |
altap | servant_salamander | |

Detection & IOCs (extracted from sources)

filename: msf-salamander-pdb.exe
other: 0x23920b59
  • The exploit appends a '.pdb' extension suffix after the SEH overwrite payload; malicious PE files exploiting this CVE will contain an abnormally long PDB debug filename string (≥1098 bytes of padding before the SEH overwrite) in the PE debug directory.
  • The overflow targets the SEH chain (structured exception handler overwrite) on the stack inside peviewer.spl; detection should look for PE files with a debug PDB path field exceeding normal length limits when processed by Altap Salamander's PE Viewer plugin.
  • The return address used in the exploit points into salrtl.dll (pop ebx; pop eax; ret gadget at 0x23920b59); presence of this address in a stack trace or crash dump is a strong indicator of exploitation.
  • The vulnerable plugin is peviewer.spl; monitor for crashes or abnormal process termination originating from this module when opening PE files.
  • The Metasploit module sets EXITFUNC to 'process', meaning the host process will terminate after payload execution; post-exploitation forensics should account for process exit masking shellcode activity.
  • The payload space is limited to 1024 bytes and excludes the bad characters listed; payloads or shellcode containing these bytes will not function correctly in this exploit.
  • The exploit is classified as a local/fileformat attack requiring user interaction — the victim must open the crafted PE file with the Portable Executable Viewer plugin in a vulnerable Salamander version.
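
An added example, not part of the original entry or of any vendor tooling: a static check that walks a PE file's debug directory and flags the oversized PDB debug filename described in the notes above. The 260-byte limit, the function names and `build_sample` (which constructs a benign test image) are assumptions of this example.

```python
import struct

MAX_PDB_PATH = 260  # assumed threshold (Windows MAX_PATH), not a value from the advisory
CV_HEADER = {b"RSDS": 24, b"NB10": 16}  # bytes before the PDB path in each CodeView record

def pdb_paths(data: bytes) -> list:
    """Return the PDB path of every CodeView entry in a PE file's debug directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory 6 is the debug directory; directories start at 96 (PE32) or 112 (PE32+).
    rva, size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 6 * 8)
    paths = []
    for i in range(nsec if size else 0):  # map the directory RVA to a file offset
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        if not va <= rva < va + max(vsize, rsize):
            continue
        for k in range(size // 28):  # IMAGE_DEBUG_DIRECTORY entries are 28 bytes each
            typ, _, _, ptr = struct.unpack_from("<IIII", data, rva - va + rptr + 28 * k + 12)
            skip = CV_HEADER.get(data[ptr:ptr + 4])
            if typ == 2 and skip:  # IMAGE_DEBUG_TYPE_CODEVIEW
                # Read up to the NUL and ignore SizeOfData, as an unbounded string copy would.
                paths.append(data[ptr + skip:].split(b"\0", 1)[0])
        break
    return paths

def oversized_pdb_paths(data: bytes, limit: int = MAX_PDB_PATH) -> list:
    """Return the PDB paths longer than `limit` bytes."""
    return [p for p in pdb_paths(data) if len(p) > limit]

def build_sample(pdb: bytes) -> bytes:
    """Constructed minimal PE32 headers plus one NB10 debug record; demo input only."""
    cv = b"NB10" + bytes(12) + pdb + b"\0"
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(struct.pack("<H", 0x10B).ljust(224, b"\0"))
    struct.pack_into("<II", opt, 96 + 6 * 8, 0x1000, 28)  # debug directory at RVA 0x1000
    sect = b".rdata\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x1000, 0x200) + bytes(16)
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, 2, len(cv), 0x101C, 0x21C)
    return (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0") + dbg + cv

if __name__ == "__main__":
    for name in (b"C:\\build\\app.pdb", b"A" * 1200 + b".pdb"):  # constructed samples
        print(len(name), bool(oversized_pdb_paths(build_sample(name))))
```

Truncated or malformed headers surface as `struct.error` or `ValueError`; a scanner running this over untrusted files should treat those as "unparseable" rather than "clean".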