CVE-2007-4474
Published: 2007-12-27


Priority: P3 (52)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 44.18% (98.6th percentile)
Multiple stack-based buffer overflows in the IBM Lotus Domino Web Access ActiveX control, as provided by inotes6.dll, inotes6w.dll, dwa7.dll, and dwa7w.dll, in Domino 6.x and 7.x allow remote attackers to execute arbitrary code, as demonstrated by an overflow from a long General_ServerName property value when calling the InstallBrowserHelperDll function in the Upload Module in the dwa7.dwa7.1 control in dwa7w.dll 7.0.34.1.

Affected

17 ranges (the version range and fixed-in columns were not captured in this extract)

Vendor  Product                  Ranges
ibm     domino_web_access        15 (version range / fixed in: not captured)
ibm     lotus_domino_web_access  2 (version range / fixed in: not captured)

Detection & IOCs (extracted from sources)

filename: inotes6.dll
filename: inotes6w.dll
filename: dwa7.dll
filename: dwa7w.dll
version: dwa7w.dll 7.0.34.1
other: dwa7.dwa7.1 (ActiveX ProgID)
command: General_ServerName() property; an overly long string value triggers the stack buffer overflow
command: InstallBrowserHelperDll function call with a long General_ServerName property
bytes: 0x0C0C0C0C (heap spray return address, Windows XP SP0-SP2 / IE 6.0 SP0-2 and IE 7.0)
bytes: Alpha2-encoded shellcode prefix %u03eb%ueb59%ue805%ufff8%uffff (win32_exec calc.exe)
bytes: Alpha2-encoded shellcode prefix %u03eb%ueb59%ue805%ufff8%uffff (win32_bind LPORT=4444)
  • Detect ActiveX instantiation of the vulnerable ProgID 'dwa7.dwa7.1' in browser context, which corresponds to the vulnerable dwa7w.dll Upload Module control.
  • Monitor for heap spray patterns using the 0x0C0C0C0C address in browser processes (iexplore.exe) targeting Windows XP with IE 6/7, indicative of exploitation of this vulnerability.
  • Detect JavaScript heap spray using unescape() with large NOP sleds (%u9090%u9090) combined with Alpha2-encoded shellcode (%u03eb%ueb59%ue805%ufff8%uffff) in HTML pages, a hallmark of this exploit's delivery mechanism.
  • Alert on calls to InstallBrowserHelperDll from the IBM Lotus Domino Web Access ActiveX controls (inotes6.dll, inotes6w.dll, dwa7.dll, dwa7w.dll) with unusually long string arguments passed to General_ServerName.
  • The Metasploit module randomizes all JavaScript variable names on each request, so static variable-name-based signatures will not reliably detect this exploit.
  • The exploit targets only Windows XP SP0-SP2 with IE 6.0 SP0-2 and IE 7.0 English; the heap spray return address 0x0C0C0C0C is platform-specific and may not apply to other OS/browser combinations.