CVE-2007-4748
Published 2007-09-06
CVE-2007-4748: Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream 2.0.1.3829 allows remote attackers to execute arbitrary code via a long Logo parameter.
Priority P262 · medium · 6.8 · CVSS 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 7.21% (93.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ppstream | ppstream | — | — |
Detection & IOCs (extracted from sources)
Bytes:
E8 00 00 00 00 6A 03 EB 21 7E D8 E2 73 98 FE 8A 0E 8E 4E 0E EC 55 52 4C 4D 4F 4E 00 00 36 1A 2F 70 63 3A 5C 63 2E 65 78 65 00
- The exploit triggers a buffer overflow via a long 'Logo' parameter passed to the PowerPlayer.dll ActiveX control. Monitor for unusually long string values supplied to this ActiveX control's Logo property.
- Shellcode embeds the string 'pc:\c.exe' (encoded as bytes 0x70 0x63 0x3A 0x5C 0x63 0x2E 0x65 0x78 0x65), indicating the payload drops or executes a file at that path. Monitor for creation or execution of c.exe.
- Shellcode contains the encoded string 'URLMON' (0x55 0x52 0x4C 0x4D 0x4F 0x4E), suggesting it uses URLDownloadToFile or similar URLMON API to fetch a remote payload.
- The shellcode hardcodes a target address region (0x004010DB / 0x0040104E area) for the heap spray return address, meaning the exploit is tuned to a specific memory layout of PPStream 2.0.1.3829 and may not work against other versions.
CVSS provenance
- nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
- vulncheck · 6.8 MEDIUM
GHSA
GHSA-5qhj-mc5r-v576: Buffer overflow in the PowerPlayer
ghsa_unreviewed · 2022-05-01
CVE-2007-4748 [MEDIUM] CWE-119
VulnCheck
ppstream ppstream Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2007 · CVSS 6.8
CVE-2007-4748 [MEDIUM]
Affected: ppstream ppstream
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://betanews.com/2008/05/19/ten-thousand-servers-hit-in-sql-injection-hack/
No detection rules found.
No writeups or analysis indexed.
References:
- http://osvdb.org/38421
- http://www.securityfocus.com/bid/25502
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36394
- https://www.exploit-db.com/exploits/4348
2007-09-06: Published
Exploited in the wild