CVE-2007-5660
published 2007-11-02CVE-2007-5660: Unspecified vulnerability in the Update Service ActiveX control in isusweb.dll before 6.0.100.65101 in MacroVision FLEXnet Connect and InstallShield 2008…
PriorityP353critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
36.62%
98.3th percentile
Unspecified vulnerability in the Update Service ActiveX control in isusweb.dll before 6.0.100.65101 in MacroVision FLEXnet Connect and InstallShield 2008 allows remote attackers to execute arbitrary code via an unspecified "unsafe method," possibly involving a buffer overflow.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| macrovision | update_service | — | — |
| macrovision | update_service | — | — |
| macrovision | update_service | — | — |
| macrovision | update_service | — | — |
| macrovision | update_service | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts targeting the DownloadAndExecute method of the Macrovision InstallShield Update Service ActiveX control with an overly long second argument (ProductCode, offset 600 bytes) delivered via a browser HTML page. ↗
- →Monitor for ActiveX instantiation of the Macrovision InstallShield Update Service control (Isusweb.dll) in browser processes, especially when followed by calls to DownloadAndExecute or DownloadAndInstall methods. ↗
- →Flag network traffic where a browser fetches an HTML page containing both DownloadAndExecute and DownloadAndInstall JavaScript method calls referencing a remote .exe URL, consistent with the unsafe-method exploit delivery. ↗
- →Bad characters for payload encoding are null byte, tab, newline, carriage return, single quote, and backslash — payloads avoiding these characters should be flagged in memory/network inspection. ↗
- →Return address 0x71aa32ad is used for Windows XP SP0/SP1 Pro English targets; presence of this value at offset 600 in a string passed to DownloadAndExecute is a strong exploit indicator. ↗
- →Return address 0x75022ac4 is used for Windows 2000 Pro English targets; presence of this value at offset 600 in a string passed to DownloadAndExecute is a strong exploit indicator. ↗
- ·The buffer overflow exploit targets a specific DLL version; patched or different versions of Isusweb.dll may not be vulnerable or may require different offsets/return addresses. ↗
- ·The Metasploit module uses randomized variable and executable names (rand_text_alpha) for the HTML delivery page, so static string-based signatures on variable names will be evaded. ↗
- ·The unsafe-method module (CVE-2007-5660) is distinct from the buffer overflow module (also referencing CVE-2007-5660); both exploit different attack vectors against the same ActiveX control. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wjhw-vfv9-8632: Unspecified vulnerability in the Update Service ActiveX control in isusweb
ghsa_unreviewed·2022-05-01
CVE-2007-5660 [HIGH] GHSA-wjhw-vfv9-8632: Unspecified vulnerability in the Update Service ActiveX control in isusweb
Unspecified vulnerability in the Update Service ActiveX control in isusweb.dll before 6.0.100.65101 in MacroVision FLEXnet Connect and InstallShield 2008 allows remote attackers to execute arbitrary code via an unspecified "unsafe method," possibly involving a buffer overflow.
GHSA
GHSA-6gr2-mgm4-qqm9: Buffer overflow in a certain ActiveX control in Macrovision InstallShield Update Service Web Agent 5
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2007-6654 [CRITICAL] CWE-119 GHSA-6gr2-mgm4-qqm9: Buffer overflow in a certain ActiveX control in Macrovision InstallShield Update Service Web Agent 5
Buffer overflow in a certain ActiveX control in Macrovision InstallShield Update Service Web Agent 5.1.100.47363 allows remote attackers to execute arbitrary code via a long string in the ProductCode argument (second argument) to the DownloadAndExecute method, a different vulnerability than CVE-2007-0321, CVE-2007-2419, and CVE-2007-5660.
No detection rules found.
Exploit-DB
Macrovision Installshield Update Service - ActiveX Unsafe Method (Metasploit)
exploitdb·2010-09-20
CVE-2007-5660 Macrovision Installshield Update Service - ActiveX Unsafe Method (Metasploit)
Macrovision Installshield Update Service - ActiveX Unsafe Method (Metasploit)
---
##
# $Id: macrovision_unsafe.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Macrovision InstallShield Update Service ActiveX Unsafe Method',
'Description' => %q{
This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2007-5660' ],
[ 'OSVDB', '38347' ],
[ 'BID', '2
Exploit-DB
Macrovision Installshield Update Service - Remote Buffer Overflow (Metasploit)
exploitdb·2010-05-09
CVE-2007-5660 Macrovision Installshield Update Service - Remote Buffer Overflow (Metasploit)
Macrovision Installshield Update Service - Remote Buffer Overflow (Metasploit)
---
##
# $Id: macrovision_downloadandexecute.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Macrovision InstallShield Update Service Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Macrovision InstallShield Update
Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to
the DownloadAndExecute method, an attacker may be able to execute arbitrary code.
},
'Licens
Metasploit
Macrovision InstallShield Update Service ActiveX Unsafe Method
metasploit
Macrovision InstallShield Update Service ActiveX Unsafe Method
Macrovision InstallShield Update Service ActiveX Unsafe Method
This module allows attackers to execute code via an unsafe method in Macrovision InstallShield 2008.
Metasploit
Macrovision InstallShield Update Service Buffer Overflow
metasploit
Macrovision InstallShield Update Service Buffer Overflow
Macrovision InstallShield Update Service Buffer Overflow
This module exploits a stack buffer overflow in Macrovision InstallShield Update Service(Isusweb.dll 6.0.100.54472). By passing an overly long ProductCode string to the DownloadAndExecute method, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=618http://osvdb.org/38347http://secunia.com/advisories/27475http://support.installshield.com/kb/view.asp?articleid=Q113020http://support.installshield.com/kb/view.asp?articleid=Q113602http://www.macrovision.com/promolanding/7660.htmhttp://www.securityfocus.com/bid/26280http://www.securitytracker.com/id?1018881http://www.vupen.com/english/advisories/2007/3670https://exchange.xforce.ibmcloud.com/vulnerabilities/38210http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=618http://osvdb.org/38347http://secunia.com/advisories/27475http://support.installshield.com/kb/view.asp?articleid=Q113020http://support.installshield.com/kb/view.asp?articleid=Q113602http://www.macrovision.com/promolanding/7660.htmhttp://www.securityfocus.com/bid/26280http://www.securitytracker.com/id?1018881http://www.vupen.com/english/advisories/2007/3670https://exchange.xforce.ibmcloud.com/vulnerabilities/38210
2007-11-02
Published