cbcvebase.
CVE-2007-4916
published 2007-09-17


Priority: P351 (critical)
CVSS 2.0: base score 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: EPSS 19.67% (97.1st percentile)
Heap-based buffer overflow in the FileFind::FindFile method in (1) MFC42.dll, (2) MFC42u.dll, (3) MFC71.dll, and (4) MFC71u.dll in Microsoft Foundation Class (MFC) Library 8.0, as used by the ListFiles method in hpqutil.dll 2.0.0.138 in Hewlett-Packard (HP) All-in-One and Photo & Imaging Gallery 1.1 and probably other products, allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long first argument.

Affected

1 range
Vendor: hp | Product: photo_and_imaging_gallery | Version range: (not given) | Fixed in: (not given)

Detection & IOCs (extracted from sources)

other: CLSID F3F381A3-4795-41FF-8190-7AA2A8102F85
filename: hpqutil.dll
command: Var_0 = String(620, "A") / pAF.ListFiles Var_0
bytes: 73d6cd4b 6840010000 push 140h
  • Monitor for ActiveX instantiation of CLSID F3F381A3-4795-41FF-8190-7AA2A8102F85 (hpqutil.dll) in browser processes; exploitation requires this control to be loaded via a crafted web page.
  • Detect calls to the ListFiles method on hpqutil.dll with arguments of 320+ bytes (buffer is only 320/0x140 bytes); a 620-byte 'A'-string argument is the PoC trigger.
  • Look for access violations or heap corruption originating from MFC42!_imp__lstrcpyA (address 73df61d0) called within MFC42!CFileFind::FindFile+0x2b, indicative of the overflow being triggered.
  • Alert on Internet Explorer crashes or access violations in MFC42.dll/MFC42u.dll/MFC71.dll/MFC71u.dll stack frames when hpqutil.dll is loaded, as exploitation crashes IE and may precede code execution attempts.
  • The PoC was tested specifically on Windows XP Spanish with SP2; behavior on other Windows versions or service packs may differ.
  • Exploitation via the web requires ActiveX to be enabled in Internet Explorer; environments with ActiveX disabled or the kill-bit set for the CLSID are not exploitable via this vector.
  • The vulnerability is also present in the MFC library itself (MFC42.dll, MFC42u.dll, MFC71.dll, MFC71u.dll), meaning other applications using CFileFind::FindFile with long user-controlled input may also be affected beyond hpqutil.dll.