CVE-2007-3605
published 2007-07-06


CVSS 2.0: 7.6 (High), vector AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module)
EPSS: 69.91% (99.3th percentile)
Stack-based buffer overflow in the kweditcontrol.kwedit.1 ActiveX control in FrontEnd\SapGui\kwedit.dll in the EnjoySAP SAP GUI allows remote attackers to execute arbitrary code via a long argument to the PrepareToPostHTML function.

Detection & IOCs (extracted from sources)

filename: C:\Program Files\SAP\FrontEnd\SapGui\kwedit.dll
path: FrontEnd\SapGui\kwedit.dll
ProgID: kweditcontrol.kwedit.1
version: kwedit.dll 6400.1.1.41
return address: 0x71aa32ad (Windows XP Pro SP0/SP1 English)
return address: 0x75022ac4 (Windows 2000 Pro English)
method: PrepareToPostHTML()
  • Detect instantiation of the vulnerable control by its ProgID 'kweditcontrol.kwedit.1' in HTML or script content (e.g. new ActiveXObject("kweditcontrol.kwedit.1")), particularly when followed by a call to PrepareToPostHTML() with a long string argument. Note that a page can also instantiate the control through an <object> tag by CLSID, which a ProgID string match alone will not catch.
  • The Metasploit exploit builds a buffer of 1036 random alphabetic bytes followed by a short JMP (Rex::Arch::X86.jmp_short(6), the 2-byte sequence EB 06) and then the return address, so the overwritten return address sits at offset 1038. Look for oversized strings (roughly 1036 bytes or more) passed to PrepareToPostHTML in network traffic or HTML.
  • The exploit's payload space is 800 bytes with a stack adjustment of -3500, so the shellcode embedded in the overly long PrepareToPostHTML argument is preceded by a stack-adjustment stub (sub esp, 3500, i.e. 0xDAC) that moves ESP away from the payload before it executes.
  • Monitor for browser-delivered HTML pages that build a JavaScript string of 1000+ characters, whether as a literal or at runtime (Array join, repeat, concatenation loops), and pass it directly to an ActiveX object's PrepareToPostHTML method.
  • The vulnerable DLL is installed as part of EnjoySAP GUI (SAP GUI for Windows). The control is marked 'Safe for Scripting', meaning it can be invoked from any web page without an ActiveX prompt, which broadens the attack surface to any site the user visits in Internet Explorer.
  • The Metasploit module targets specific return addresses per OS: Windows XP Pro SP0/SP1 English (0x71aa32ad) and Windows 2000 Pro English, all service packs (0x75022ac4). Exploitability on other OS versions or service packs is not confirmed by these sources.
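The following is an added example of the static check described in the notes above. It is not code from the page, from SAP, or from the Metasploit module: it scans HTML for the ProgID and for PrepareToPostHTML calls, and tries to resolve the argument's length statically, including the case where the oversized string is built at runtime (Array join or repeat) rather than written as a literal. The three sample pages, the 1000-character threshold, and the function names scan_html, _arg_length and _expr_length are constructed for this example and are not from the sources.

```python
import re

PROGID = "kweditcontrol.kwedit.1"   # ProgID named in the advisory
THRESHOLD = 1000                     # oversized-argument threshold from the detection notes

# Constructed sample pages for this example (not captured exploit traffic).
SAMPLE_EXPLOIT_VAR = """<html><body><script>
var kw = new ActiveXObject("kweditcontrol.kwedit.1");
var buf = new Array(1037).join("A");   // 1036 bytes, built at runtime, no long literal
kw.PrepareToPostHTML(buf);
</script></body></html>"""

SAMPLE_EXPLOIT_LITERAL = """<html><body><script>
var kw = new ActiveXObject("kweditcontrol.kwedit.1");
kw.PrepareToPostHTML("%s");
</script></body></html>""" % ("A" * 1100)

SAMPLE_BENIGN = """<html><body><script>
var kw = new ActiveXObject("kweditcontrol.kwedit.1");
kw.PrepareToPostHTML("<p>hello</p>");
</script></body></html>"""

_LITERAL = re.compile(r'"([^"]*)"|\'([^\']*)\'')
_JOIN = re.compile(r'new\s+Array\(\s*(\d+)\s*\)\s*\.join\(\s*(["\'])(.*?)\2\s*\)')
_REPEAT = re.compile(r'(["\'])(.*?)\1\s*\.repeat\(\s*(\d+)\s*\)')
_IDENT = re.compile(r'[A-Za-z_$][\w$]*')


def _expr_length(expr):
    """Static estimate of the length of a JS string expression; None if unresolvable."""
    expr = expr.strip()
    m = _LITERAL.fullmatch(expr)
    if m:
        return len(m.group(1) if m.group(1) is not None else m.group(2))
    m = _JOIN.fullmatch(expr)      # new Array(N).join(s) yields (N-1)*len(s) characters
    if m:
        return max(int(m.group(1)) - 1, 0) * len(m.group(3))
    m = _REPEAT.fullmatch(expr)    # s.repeat(N) yields N*len(s) characters
    if m:
        return int(m.group(3)) * len(m.group(2))
    return None


def _arg_length(script, arg):
    """Resolve a call argument: a literal/expression directly, or a variable via its last assignment."""
    arg = arg.strip()
    if _IDENT.fullmatch(arg):
        last = None
        for last in re.finditer(r'\b' + re.escape(arg) + r'\s*=\s*([^;]+);', script):
            pass
        return _expr_length(last.group(1)) if last else None
    return _expr_length(arg)


def scan_html(html):
    """Return ProgID presence, PrepareToPostHTML call count, largest resolved argument, and a verdict."""
    script = "\n".join(re.findall(r'<script[^>]*>(.*?)</script>', html, re.S | re.I))
    progid = PROGID.lower() in html.lower()
    calls = re.findall(r'\.PrepareToPostHTML\s*\((.*?)\)\s*;', script, re.S)
    known = [n for n in (_arg_length(script, a) for a in calls) if n is not None]
    max_len = max(known) if known else None
    if progid and max_len is not None and max_len >= THRESHOLD:
        verdict = "alert"       # vulnerable control plus an oversized argument
    elif progid:
        verdict = "review"      # control instantiated; argument short or not statically resolvable
    else:
        verdict = "clean"
    return {"progid": progid, "calls": len(calls), "max_arg_len": max_len, "verdict": verdict}


if __name__ == "__main__":
    for name, page in [("runtime-built", SAMPLE_EXPLOIT_VAR),
                       ("literal", SAMPLE_EXPLOIT_LITERAL),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, scan_html(page))
```

Anything the resolver cannot follow (an argument fetched from location.hash, concatenated in a loop, or decoded at runtime) lands in "review" rather than "clean", since the ProgID alone already identifies a script talking to a control that is marked Safe for Scripting; the "alert" verdict is reserved for cases where the oversized argument can be shown statically.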