CVE-2008-0015
published 2009-07-07

CVE-2008-0015: Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control…

Priority: P190 (high) · CVSS 3.1: 8.8
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-03-10
Exploited in the wild
EPSS: 76.65% (99.5th percentile)
Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability."

Detection & IOCs (extracted from sources)

filename: msvidctl.dll
other: RET 0x0C0C0C0C
bytes: \x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  • Exploit delivers a specially crafted GIF file to trigger the buffer overflow; detect HTTP responses serving a GIF with the malicious header byte sequence to browsers loading the MPEG2TuneRequest ActiveX object.
  • Exploit targets BDATuner.MPEG2TuneRequest ActiveX control instantiated in a browser page; monitor for instantiation of any of the 12 working CLSIDs associated with msvidctl.dll in web content.
  • Original in-the-wild exploitation was observed via drive-by attacks through compromised Chinese web sites; treat web traffic loading msvidctl.dll CLSIDs from untrusted domains as high-priority alerts.
  • Nessus plugin 39622 checks that kill-bit workarounds for msvidctl.dll CLSIDs have been applied on Windows XP and Server 2003; use this as a compliance/detection check.
  • Heap spray uses 0x0C0C0C0C as the return address; memory forensics or crash analysis showing EIP/RET pointing to 0x0C0C0C0C is indicative of this exploit.
  • Payload bad characters are \x00\x09\x0a\x0d and quotes/backslash; shellcode in exploit traffic will avoid these bytes, which can help tune shellcode-detection signatures.
  • The Metasploit module randomizes the ClassID used from the 12 working CLSIDs unless overridden via the advanced 'ClassID' option; detection rules must cover all 12 working CLSIDs, not just one.
  • Setting the kill bit on the CLSIDs may not be sufficient mitigation; an in-depth analysis of msvidctl.dll suggests the kill-bit workaround alone may not fully mitigate the problem.
  • Nessus plugin 39622 only checks kill-bit status on Windows XP and Windows Server 2003; extended class ID checks require 'Thorough Tests' to be enabled.

CVSS provenance

nvd v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
nvd v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
vulncheck: 8.8 HIGH
cisa: 8.8 HIGH