CVE-2007-4916
Published 2007-09-17
Priority: P3 (51) · CVSS 2.0: 10.0 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available (see the Exploit-DB entries below)
EPSS: 19.67% (97.1 percentile)
Heap-based buffer overflow in the FileFind::FindFile method in (1) MFC42.dll, (2) MFC42u.dll, (3) MFC71.dll, and (4) MFC71u.dll in Microsoft Foundation Class (MFC) Library 8.0, as used by the ListFiles method in hpqutil.dll 2.0.0.138 in Hewlett-Packard (HP) All-in-One and Photo & Imaging Gallery 1.1 and probably other products, allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long first argument.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | photo_and_imaging_gallery | — | — |
Detection & IOCs (extracted from sources)
Bytes: 73d6cd4b  68 40 01 00 00  push 140h  (0x140 = 320, the size of the destination buffer)
Detections:
- Monitor for ActiveX instantiation of CLSID F3F381A3-4795-41FF-8190-7AA2A8102F85 (hpqutil.dll) in browser processes; exploitation requires this control to be loaded via a crafted web page.
- Detect calls to the ListFiles method on hpqutil.dll with arguments of 320 bytes or more (the destination buffer is only 320/0x140 bytes); a 620-byte string of 'A' characters is the PoC trigger.
- Look for access violations or heap corruption originating from MFC42!_imp__lstrcpyA (address 73df61d0) called within MFC42!CFileFind::FindFile+0x2b, indicative of the overflow being triggered.
- Alert on Internet Explorer crashes or access violations in MFC42.dll/MFC42u.dll/MFC71.dll/MFC71u.dll stack frames when hpqutil.dll is loaded, as exploitation crashes IE and may precede code execution attempts.
Caveats:
- The PoC was tested specifically on Windows XP Spanish with SP2; behaviour on other Windows versions or service packs may differ.
- Exploitation via the web requires ActiveX to be enabled in Internet Explorer; environments with ActiveX disabled, or with the kill bit set for the CLSID, are not exploitable via this vector.
- The vulnerability is in the MFC library itself (MFC42.dll, MFC42u.dll, MFC71.dll, MFC71u.dll), so other applications that pass long user-controlled input to CFileFind::FindFile may also be affected beyond hpqutil.dll.
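The following C program is an added worked example, not code from the advisory, from HP or from Microsoft's MFC source. It models the defect the call-site facts above describe: an unbounded lstrcpyA() into a fixed 0x140-byte heap buffer, fed the PoC's 620-byte argument, beside the bounded copy the code should have performed. The heap layout (one allocation whose tail stands in for the next heap object), the struct and function names, and the loop-copy stand-in for the Win32 lstrcpyA are assumptions made so it builds and runs on any platform; the real MFC object layout is not on this page.

```c
/* Added example (not MFC, HP or advisory code): the CFileFind::FindFile
 * copy pattern modelled as an unbounded copy into a 0x140-byte buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FINDFILE_BUF  0x140   /* 320 bytes: the value pushed before the copy (push 140h) */
#define NEIGHBOUR_LEN 0x200   /* assumed size of whatever follows the buffer on the heap */

/* Assumed heap model: a single allocation whose first FINDFILE_BUF bytes are
 * the copy destination and whose remainder plays the next heap object, i.e.
 * the data a real overflow corrupts. */
struct find_state {
    char *chunk;
    char *path;        /* FindFile's copy destination */
    char *neighbour;   /* bytes immediately after the buffer */
};

struct find_state *find_state_new(void) {
    struct find_state *st = malloc(sizeof *st);
    if (!st) return NULL;
    st->chunk = calloc(1, FINDFILE_BUF + NEIGHBOUR_LEN);
    if (!st->chunk) { free(st); return NULL; }
    st->path = st->chunk;
    st->neighbour = st->chunk + FINDFILE_BUF;
    return st;
}

void find_state_free(struct find_state *st) {
    if (st) { free(st->chunk); free(st); }
}

/* Stand-in for Win32 lstrcpyA(): copies through the terminating NUL and never
 * consults the destination size. Written as a plain loop so no platform
 * replaces it with a bounds-checked variant. */
static char *lstrcpyA_like(char *dst, const char *src) {
    char *d = dst;
    while ((*d++ = *src++) != '\0')
        ;
    return dst;
}

/* Vulnerable pattern: the argument is copied with no length check.
 * Returns how many bytes landed past the 0x140-byte buffer (0 if it fit). */
size_t findfile_unsafe(struct find_state *st, const char *arg) {
    size_t needed = strlen(arg) + 1;   /* payload plus NUL */
    lstrcpyA_like(st->path, arg);
    return needed > FINDFILE_BUF ? needed - FINDFILE_BUF : 0;
}

/* Hardened pattern: refuse anything that does not fit with its NUL before
 * touching the buffer, then copy a known-bounded length. Returns 1 on success. */
int findfile_safe(struct find_state *st, const char *arg) {
    size_t len = strlen(arg);
    if (len >= FINDFILE_BUF)
        return 0;
    memcpy(st->path, arg, len + 1);
    return 1;
}

/* Builds the PoC-style argument String(n, "A"); caller frees. */
char *make_poc_arg(size_t n) {
    char *s = malloc(n + 1);
    if (!s) return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void) {
    struct find_state *st = find_state_new();
    char *poc = make_poc_arg(620);   /* constructed input: the PoC's String(620, "A") */
    if (!st || !poc) return 1;

    size_t spill = findfile_unsafe(st, poc);
    printf("unsafe copy of 620 bytes: %zu bytes written past the buffer, neighbour[0]='%c'\n",
           spill, st->neighbour[0]);
    printf("safe copy of 620 bytes accepted: %d\n", findfile_safe(st, poc));

    free(poc);
    find_state_free(st);
    return 0;
}
```

The unsafe path writes 301 bytes (620 payload bytes plus the NUL, minus the 320-byte buffer) into the neighbouring region, which is exactly the condition the detection bullets key on (argument length of 320 or more); the hardened path rejects the same argument before any write happens.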
No detection rules found.
Exploit-DB · 2007-09-14
Microsoft MFC Library - CFileFind::FindFile Buffer Overflow (CVE-2007-4916)
---
source: https://www.securityfocus.com/bid/25697/info
The CFileFind::FindFile method in the MFC library for Microsoft Windows is prone to a buffer-overflow vulnerability because the method fails to perform adequate boundary checks of user-supplied input.
Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of applications that use the vulnerable method.
The MFC library included with Microsoft Windows XP SP2 is affected; other versions may also be affected.
This issue also occurs in the 'hpqutil.dll' ActiveX control identified by CLSID: F3F381A3-4795-41FF-8190-7AA2A8102F85.
```vbscript
' PoC trigger: pAF is assumed to be the hpqutil.dll ActiveX control, instantiated
' on the page by its CLSID (F3F381A3-4795-41FF-8190-7AA2A8102F85).
' A 620-character string overruns the 0x140-byte buffer copied by CFileFind::FindFile.
Sub OuCh()
    Var_0 = String(620, "A")
    pAF.ListFiles Var_0
End Sub
```
Exploit-DB · 2007-09-14
HP - ActiveX 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC) (CVE-2007-4916)
---
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
ActiveX hpqutil!ListFiles hpqutil.dll - Remote heap overflow.
Internal ID: VULWAR200706041
introduction
GOODFELLAS security research team has found a bug in a DLL included in at
least the following HP products:
* HP All-in-One Series Web Release
* HP Photo & Imaging Gallery version 1.1
The affected DLL is called hpqutil.dll, at least in its version 2.0.0.138 in
English, and specifically the problem is a heap overflow.
tested in
Windows XP Spanish with SP2
summary
Remote exploitation of this heap overflow could allow a user to execute
arbitrary code or crash Internet Explorer. The heap overflow is related to
a call to lstrcpyA().
No writeups or analysis indexed.
References:
- http://goodfellas.shellcode.com.ar/own/VULWAR200706041
- http://goodfellas.shellcode.com.ar/own/VULWKU200706142
- http://secunia.com/advisories/26800
- http://securityreason.com/securityalert/3143
- http://www.kb.cert.org/vuls/id/611008
- http://www.securityfocus.com/archive/1/479442/100/0/threaded
- http://www.securityfocus.com/archive/1/479443/100/0/threaded
- http://www.securityfocus.com/bid/25673
- http://www.securityfocus.com/bid/25697
- http://www.securitytracker.com/id?1018698
- http://www.vupen.com/english/advisories/2007/3182
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36608
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36609