CVE-2007-4790
published 2007-09-10


Priority: P356 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 54.91% (98.9th percentile)

Stack-based buffer overflow in certain ActiveX controls in (1) FPOLE.OCX 6.0.8450.0 and (2) Foxtlib.ocx, as used in the Microsoft Visual FoxPro 6.0 fpole 1.0 Type Library; and Internet Explorer 5.01, 6 SP1 and SP2, and 7; allows remote attackers to execute arbitrary code via a long first argument to the FoxDoCmd function.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | visual_foxpro | |

Detection & IOCs (extracted from sources)

filename: FPOLE.OCX
filename: Foxtlib.ocx
version: FPOLE.OCX 6.0.8450.0
  • Trigger condition is a long first argument (300,000 'b' characters) passed to the FoxDoCmd function of the FPOLE.OCX ActiveX control, causing a stack-based buffer overflow.
  • The overflow overwrites EIP and fills the stack with repeated 0x62 ('b') bytes; look for large repeated-byte patterns in memory or network payloads targeting this control.
  • The ActiveX control has KillBitSet=False and implements IObjectSafety reporting safe for untrusted callers, meaning it can be instantiated by untrusted web content without a kill-bit block — monitor for in-browser instantiation of FPOLE.OCX or Foxtlib.ocx.
  • Exploitation is triggered remotely via Internet Explorer (5.01, 6 SP1/SP2, 7) invoking the FoxDoCmd method; monitor IE process spawning child processes after loading pages that reference FPOLE.OCX or Foxtlib.ocx.
  • The PoC only demonstrates a crash (EIP overwrite with 'b' bytes); the author notes no working shellcode was developed at time of disclosure, so the exact exploit offset and return address for a weaponized payload are not confirmed in these sources.
  • The PoC was tested specifically on Windows XP Professional SP2 fully patched with Internet Explorer 7; behavior on other OS/IE combinations may differ.

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat | 6.9 | MEDIUM