CVE-2007-5107
published 2007-09-26

Priority: P346, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.86% (98.3rd percentile)

Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value. NOTE: some of these details are obtained from third party information. NOTE: the researcher claims that this is the same as CVE-2007-5108, but there is insufficient detail for CVE-2007-5108 to be certain.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ask.com | ask_toolbar | <= 4.0.2.53 | |

Detection & IOCs (extracted from sources)

filename: askBar.dll
other: AskJeevesToolBar.SettingsPlugin.1
other: 0x71aa32ad
other: 0x75022ac4
command: ShortFormat
  • Detect exploitation attempts targeting the AskJeevesToolBar.SettingsPlugin.1 ActiveX control via an overly long ShortFormat property value set in JavaScript (e.g., `vname.ShortFormat = strname` where strname is a large string).
  • The exploit uses a heap-spray technique with a NOP sled targeting address 0x0d0d0d0d; monitor for large JavaScript heap allocations combined with ActiveX instantiation of AskJeevesToolBar.SettingsPlugin.1.
  • SEH-based overflow: the Metasploit module uses generate_seh_payload with a return address overwrite at offset 2876 (XP SP0/SP1) or 1716 (Win2000). Detect abnormally long ShortFormat property strings in HTML pages instantiating the askBar.dll ActiveX control.
  • Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash: \x00\x09\x0a\x0d'\ — shellcode in the wild will avoid these bytes.
  • The vulnerability affects Ask Toolbar version 4.0.2.53 and earlier only; later versions are not affected.
  • The return addresses (ROP/SEH gadgets) are version- and OS-specific: 0x71aa32ad for Windows XP SP0/SP1 English and 0x75022ac4 for Windows 2000 Pro English ALL; detections relying on these exact values will not generalize across other OS versions.
  • The researcher notes this CVE may overlap with CVE-2007-5108, but there is insufficient detail to confirm they are the same vulnerability.
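
One way to apply the detection notes above to captured HTML (proxy logs, mail attachments, web cache), as an added example that is not part of this CVE record or its sources. The helper name `inspect_page`, the 16-escape heuristic and the sample pages are assumptions made for illustration; the length threshold reuses the smallest offset cited above.

```python
import re

PROGID = "AskJeevesToolBar.SettingsPlugin.1"  # ProgID named in this record
# Threshold taken from the smallest overwrite offset cited above (Win2000).
LONG_LITERAL = 1716
# Assumed heuristic: 16+ consecutive %uXXXX escapes indicates encoded binary
# data being unpacked in script, as heap-spray pages typically do.
UESC_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){16,}")
ASSIGN = re.compile(r"\.ShortFormat\s*=\s*([^;\n]+)", re.I)
STR_LIT = re.compile(r"""(["'])([^"']*)\1""")


def inspect_page(html):
    """Return heuristic findings for one HTML document (hypothetical helper)."""
    # Pages that load the control by CLSID are not matched here: this record
    # lists only the ProgID.
    if PROGID.lower() not in html.lower():
        return []
    findings = ["progid"]
    for m in ASSIGN.finditer(html):
        lit = STR_LIT.fullmatch(m.group(1).strip())
        if lit is None:
            # Value is a variable or expression, so its length cannot be
            # judged statically (the `vname.ShortFormat = strname` shape).
            findings.append("shortformat-computed")
        elif len(lit.group(2)) >= LONG_LITERAL:
            findings.append("shortformat-long-literal")
    if UESC_RUN.search(html):
        findings.append("unescape-run")
    return findings


# Constructed sample pages (not taken from any real exploit or site).
_NEW = 'new ActiveXObject("AskJeevesToolBar.SettingsPlugin.1");'
BENIGN = '<script>var o = ' + _NEW + '\no.ShortFormat = "MM/dd/yy";</script>'
SUSPECT = ('<script>var vname = ' + _NEW +
           '\nvar blk = unescape("' + "%u4141" * 20 + '");'
           '\nvname.ShortFormat = strname;</script>')
LONG = ('<script>var o = ' + _NEW +
        '\no.ShortFormat = "' + "A" * 2000 + '";</script>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("suspect", SUSPECT), ("long", LONG)):
        print(name, inspect_page(page))
```

A lone `progid` finding only shows the control is referenced; the other findings are what merit triage, and the script text must be deobfuscated first for any of them to be reliable.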