CVE-2007-5603
published 2007-11-05

Priority: P352 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C (network access, medium access complexity, no authentication, complete confidentiality/integrity/availability impact)
Public exploit: yes
EPSS: 37.98% (98.4th percentile)
Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.

Affected (3 ranges)

Vendor      Product       Version range   Fixed in (taken from the description)
sonicwall   netextender   (not given)     2.1.0.51 for 2.1.x / 2.5.0.56 for 2.5.x
sonicwall   ssl_vpn       <= 2.1          2.1.0.51
sonicwall   ssl_vpn       <= 2.5          2.5.0.56

The CPE ranges are coarser than the description: "<= 2.5" also covers the fixed 2.5.0.56 builds, so check the installed NELaunchCtrl / NELaunchX.dll version rather than the product version when deciding whether a host is affected.

Detection & IOCs (extracted from sources)

filename: NELaunchX.dll
version: NELaunchX.dll 1.0.0.26
command: AddRouteEntry(<long_string>, <object>)
bytes (the exploit payload as JavaScript %u escapes; each unit is a little-endian UTF-16 code unit, so %ue8fc is the byte pair fc e8, and the decoded tail spells the command string "calc.exe"):
%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u2065%u0000
  • Monitor for ActiveX instantiation of the NELaunchCtrl / NELaunchX.dll control in a browser context, particularly calls to the AddRouteEntry() method with an oversized string argument. Note that the command IOC above shows the long string in the first position while the CVE text names the second argument; a rule should not depend on the position.
  • Detect the heap-spray NOP sled pattern in browser memory or in the page source: repeated %u9090%u9090 unescape sequences used to position shellcode prior to AddRouteEntry exploitation.
  • The Metasploit exploit targets IE 6 on Windows XP SP2 English; the return address 0x7e497c7b is used as the SEH/RET overwrite. In memory it appears little-endian as 7b 7c 49 7e, which in the page source is the unescape sequence %u7c7b%u7e49; flag memory writes of this value in exploit telemetry.
  • Payload bad characters for this exploit are null byte, tab, LF, CR, single-quote, and backslash. The absence of these bytes proves nothing on its own (most text is free of them); it is useful for recognising encoder output in traffic that the other indicators have already tied to the ActiveX control, not as a standalone signal.
  • The exploit delivers an HTML page containing a randomised variable name referencing the NELaunchCtrl ActiveX object and calling AddRouteEntry with a 36-byte random prefix followed by a packed return address. Inspect the script body of HTML responses for this pattern, not just the object tag, since the variable name cannot be matched statically.
  • The vulnerable DLL version is specifically 1.0.0.26 of NELaunchX.dll; versions of NELaunchCtrl at or above 2.1.0.51 (or 2.5.0.56 in the 2.5.x branch) are patched and should not be flagged.
  • The Metasploit module's payload space is only 800 bytes with a stack adjustment of -3500; detection rules tuned to payload size should account for this constrained space.
  • CVE-2007-5814 covers additional overflow vectors (serverAddress, sessionId, clientIPLower, clientIPHigher, userName, domainName, dnsSuffix) in the same ActiveX control; detections for CVE-2007-5603 cover only the AddRouteEntry vector.