CVE-2007-4790
published 2007-09-10
Priority P3 · 56 · HIGH 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public PoC (exploit-db 4369; crash-only, see Detection & IOCs)
EPSS 54.91% (98.9th percentile)
Stack-based buffer overflow in certain ActiveX controls in (1) FPOLE.OCX 6.0.8450.0 and (2) Foxtlib.ocx, as used in the Microsoft Visual FoxPro 6.0 fpole 1.0 Type Library; and Internet Explorer 5.01, 6 SP1 and SP2, and 7; allows remote attackers to execute arbitrary code via a long first argument to the FoxDoCmd function.
Affected
4 ranges (versions taken from the description above; IE entries were addressed by the MS08-010 cumulative update linked in the references)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | 5.01 | MS08-010 |
| microsoft | internet_explorer | 6 SP1, 6 SP2 | MS08-010 |
| microsoft | internet_explorer | 7 | MS08-010 |
| microsoft | visual_foxpro | 6.0 (fpole 1.0 Type Library: FPOLE.OCX 6.0.8450.0, Foxtlib.ocx) | — |
Detection & IOCs (extracted from sources)
- Trigger condition: a long first argument (the PoC uses 300,000 'b' characters) passed to the FoxDoCmd method of the FPOLE.OCX ActiveX control causes a stack-based buffer overflow.
- The overflow overwrites EIP and fills the stack with repeated 0x62 ('b') bytes; look for large repeated-byte patterns in memory or in network payloads that target this control.
- The control ships with KillBitSet=False and implements IObjectSafety, reporting itself safe for untrusted callers, so untrusted web content can instantiate it unless a kill bit is set; monitor for in-browser instantiation of FPOLE.OCX or Foxtlib.ocx.
- Exploitation is triggered remotely through Internet Explorer (5.01, 6 SP1/SP2, 7) invoking the FoxDoCmd method; monitor IE for child processes spawned after loading pages that reference FPOLE.OCX or Foxtlib.ocx.
- Caveat: the PoC only demonstrates a crash (EIP overwritten with 'b' bytes); the author notes that no working shellcode was developed at the time of disclosure, so the exploit offset and return address for a weaponized payload are not confirmed in these sources.
- Caveat: the PoC was tested only on a fully patched Windows XP Professional SP2 with Internet Explorer 7; behaviour on other OS/IE combinations may differ.
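The following is an added example, not code from the advisory, the exploit-db PoC or any Microsoft tool. It is a static scanner for captured web content (proxy logs, sandbox HTML dumps) that checks the indicators listed above: a reference to FPOLE.OCX, Foxtlib.ocx or FoxDoCmd, a FoxDoCmd call whose first argument is oversized (estimated from the script text without executing it, so `String(300000, "b")`-style VBScript builders and JS `"b".repeat(n)` are sized rather than expanded), and the longest single-byte run in a payload (the 0x62 filler the PoC leaves behind). The threshold `ARG_THRESHOLD`, the sample pages and the placeholder CLSID in them are assumptions made for this example; the samples are constructed, not captured traffic.

```javascript
// Added example (not from the advisory, the exploit-db PoC or any vendor tool):
// static scan of web content for the CVE-2007-4790 indicators listed above.
const ARG_THRESHOLD = 4096; // assumed cut-off; the public PoC passes 300,000 bytes

// Collect simple "name = expr" assignments from JScript (var/let/const) or
// VBScript (Dim name, then name = expr). Keys are variable names, values are
// the raw right-hand-side expression text. Stray matches are harmless.
function collectAssignments(text) {
  const assignments = new Map();
  const re = /(?:^|[;{}>\n])\s*(?:var|let|const)?\s*(\w+)\s*=(?!=)\s*([^;\n]+)/gm;
  let m;
  while ((m = re.exec(text)) !== null) assignments.set(m[1], m[2].trim());
  return assignments;
}

// Estimate the length of a script expression without executing it. Handles
// string literals, VBScript String(n, "c"), JS "c".repeat(n), Array(n).join("c"),
// variable references and simple concatenation (& or +). Unknown shapes -> null.
function estimateLength(expr, assignments, depth = 0) {
  if (depth > 8) return null; // guard against self-referencing assignments
  expr = expr.trim();
  let m;
  if ((m = /^"([^"]*)"$/.exec(expr)) || (m = /^'([^']*)'$/.exec(expr))) return m[1].length;
  if ((m = /^String\s*\(\s*(\d+)\s*,/i.exec(expr))) return Number(m[1]);
  if ((m = /^["'].["']\s*\.repeat\s*\(\s*(\d+)\s*\)$/.exec(expr))) return Number(m[1]);
  if ((m = /^(?:new\s+)?Array\s*\(\s*(\d+)\s*\)\s*\.join\s*\(\s*["'].["']\s*\)$/.exec(expr))) {
    return Math.max(0, Number(m[1]) - 1);
  }
  if (/^\w+$/.test(expr)) {
    return assignments.has(expr) ? estimateLength(assignments.get(expr), assignments, depth + 1) : null;
  }
  const parts = expr.split(/\s*[+&]\s*/);
  if (parts.length > 1) {
    let total = 0;
    for (const p of parts) {
      const n = estimateLength(p, assignments, depth + 1);
      if (n === null) return null;
      total += n;
    }
    return total;
  }
  return null;
}

// Longest run of one repeated character, e.g. the 'b' filler from the PoC.
function longestRun(text) {
  let best = { char: null, length: 0 };
  let i = 0;
  while (i < text.length) {
    let j = i;
    while (j < text.length && text[j] === text[i]) j++;
    if (j - i > best.length) best = { char: text[i], length: j - i };
    i = j;
  }
  return best;
}

// Scan one captured page/script and report the indicators found.
function scanContent(text) {
  const assignments = collectAssignments(text);
  const calls = [];
  const re = /\bFoxDoCmd\b\s*\(?\s*([^,)\n]*)/gi; // JScript f(a, b) or VBScript f a, b
  let m;
  while ((m = re.exec(text)) !== null) {
    const firstArg = m[1].trim();
    calls.push({ firstArg, estimatedLength: estimateLength(firstArg, assignments) });
  }
  return {
    referencesControl: /\b(?:fpole|foxtlib)\.ocx\b/i.test(text) || calls.length > 0,
    foxDoCmdCalls: calls,
    oversized: calls.some((c) => c.estimatedLength !== null && c.estimatedLength > ARG_THRESHOLD),
    longestRun: longestRun(text),
  };
}

// Constructed sample in the shape of the public PoC (VBScript, long first argument).
// The classid is a placeholder, not the control's real CLSID.
const SAMPLE_POC = `<html><body>
<object id="target" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="VBScript">
Dim buff
buff = String(300000, "b")
target.FoxDoCmd buff, ""
</script></body></html>`;

// Constructed JScript variant of the same trigger.
const SAMPLE_JS = `<script>var buff = "b".repeat(300000); target.FoxDoCmd(buff, "");</script>`;

// Constructed benign page that merely documents the method.
const SAMPLE_BENIGN = `<p>Usage: <code>obj.FoxDoCmd("DO myprog", "")</code></p>`;

for (const [name, sample] of [["poc", SAMPLE_POC], ["js", SAMPLE_JS], ["benign", SAMPLE_BENIGN]]) {
  console.log(name, JSON.stringify(scanContent(sample)));
}
```

The scanner is a heuristic on script text: an obfuscated or dynamically built argument will come back with `estimatedLength: null`, so treat any FoxDoCmd call from untrusted content as worth a closer look, and pair this with verifying that the control's kill bit is actually set on endpoints.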
CVSS provenance
- nvd · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
- vendor_redhat · 6.9 MEDIUM (this score belongs to the Red Hat entry for CVE-2005-4790 shown below, an unrelated issue, not to CVE-2007-4790)
GHSA
GHSA-83q2-rwjj-54qx (ghsa_unreviewed · 2022-05-01) · CVE-2007-4790 [HIGH] · CWE-119
Stack-based buffer overflow in certain ActiveX controls in (1) FPOLE.OCX 6.0.8450.0 and (2) Foxtlib.ocx, as used in the Microsoft Visual FoxPro 6.0 fpole 1.0 Type Library; and Internet Explorer 5.01, 6 SP1 and SP2, and 7; allows remote attackers to execute arbitrary code via a long first argument to the FoxDoCmd function.
Red Hat
Mismatched entry: the Red Hat record below is for CVE-2005-4790, an unrelated untrusted-search-path bug in Linux desktop applications, and does not describe CVE-2007-4790.
CVE-2005-4790 [MEDIUM] · vendor_redhat · CVSS 6.9 · tomboy and blam uses insecure LD_LIBRARY_PATH
Multiple untrusted search path vulnerabilities in SUSE Linux 9.3 and 10.0, and possibly other distributions, cause the working directory to be added to LD_LIBRARY_PATH, which might allow local users to execute arbitrary code via (1) beagle, (2) tomboy, or (3) blam. NOTE: in August 2007, the tomboy vector was reported for other distributions.
No detection rules found.
No writeups or analysis indexed.
References
http://marc.info/?l=bugtraq&m=120361015026386&w=2
http://www.securityfocus.com/bid/25571
http://www.securitytracker.com/id?1019378
http://www.us-cert.gov/cas/techalerts/TA08-043C.html
http://www.vupen.com/english/advisories/2008/0512/references
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-010
https://exchange.xforce.ibmcloud.com/vulnerabilities/36496
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5481
https://www.exploit-db.com/exploits/4369