CVE-2007-3566
published 2007-07-26

Priority: P2 · 67 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 66.08% (99.2th percentile)

Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 before SP2 allows remote attackers to execute arbitrary code via a long size value in a create request to port 3050/tcp.

Affected (1 range)

Vendor | Product | Version range | Fixed in
borland_software | interbase | |

Detection & IOCs (extracted from sources)

port: 3050/tcp
process: ibserver.exe
other: 0x1002e556 (sanctuarylib.dll RET address, Windows 2000 English All / Borland InterBase 2007)
bytes: \x00\x00\x00\x14\x00\x00\x00\x13
  • Detect exploit attempts by monitoring for TCP connections to port 3050 containing the magic packet header bytes \x00\x00\x00\x14\x00\x00\x00\x13 followed by an anomalously large payload (>1266 bytes of alphanumeric data).
  • Alert on unusually large create-request packets sent to ibserver.exe on port 3050/tcp; the exploit appends ~40000 bytes of padding after the payload.
  • The exploit uses AlphanumUpper-encoded shellcode with a stack-adjustment prepend encoder (\x81\xc4\xff\xef\xff\xff\x44); look for this byte sequence in payloads destined for port 3050.
  • Monitor ibserver.exe for unexpected child process creation or thread injection, as the exploit uses EXITFUNC=thread to maintain stability after exploitation.
  • The RET address (0x1002e556 in sanctuarylib.dll) and buffer offset (1266 bytes) are specific to Windows 2000 English All with Borland InterBase 2007; exploitation against other OS versions or patch levels will require different values.
  • The vulnerability is patched in Borland InterBase 2007 SP2 and later; detection rules targeting ibserver.exe should be scoped to pre-SP2 deployments.
  • The payload space is limited to 850 bytes and null bytes (\x00) are bad characters, constraining the shellcode that can be delivered.
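
The network indicators listed above can be combined into one triage pass over reassembled TCP payloads. The following is an added example, not code from this page or its sources; the function names, the 8192-byte oversize threshold and the sample flows are assumptions, and the payload is assumed to start at the first byte of the client's request.

```python
import re

IB_PORT = 3050                                        # from the page
CREATE_HEADER = b"\x00\x00\x00\x14\x00\x00\x00\x13"   # from the page
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"        # from the page
ALNUM_RUN = re.compile(rb"[0-9A-Za-z]{1267,}")        # ">1266 bytes of alphanumeric data"
OVERSIZE_BYTES = 8192   # assumption: local tuning value, not from the page


def score_payload(dst_port, payload):
    """Return the indicators matched by one reassembled TCP payload."""
    hits = []
    # Only requests to the InterBase port that begin with the header are scored.
    if dst_port != IB_PORT or not payload.startswith(CREATE_HEADER):
        return hits
    body = payload[len(CREATE_HEADER):]
    if ALNUM_RUN.search(body):
        hits.append("alnum-run>1266")
    if STACK_ADJUST in body:
        hits.append("stack-adjust-prepend")
    if len(payload) > OVERSIZE_BYTES:
        hits.append("oversized-create-request")
    return hits


def triage(flows):
    """Return (flow_id, hits) for every flow matching at least one indicator."""
    return [(fid, h) for fid, port, data in flows if (h := score_payload(port, data))]


# Constructed sample flows: inert filler bytes, not captured traffic and not
# real protocol framing beyond the header quoted on the page.
SAMPLE_FLOWS = [
    ("f1", 3050, CREATE_HEADER + b"\x00\x00\x00\x10" + b"C:\\data\\app.gdb"),
    ("f2", 3050, CREATE_HEADER + b"A" * 1300),
    ("f3", 3050, CREATE_HEADER + STACK_ADJUST + b"\x00" * 40000),
    ("f4", 8080, CREATE_HEADER + b"A" * 1300),
]

if __name__ == "__main__":
    for fid, hits in triage(SAMPLE_FLOWS):
        print(fid, ",".join(hits))
```

Each indicator is reported separately so an analyst can weight them; the alphanumeric-run check is the one tied to the 1266-byte offset quoted above.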