CVE-2008-0659
Published 2008-02-08
CVE-2008-0659: Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4…
Priority: P359, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 56.34% (98.9th percentile)
Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4, allows remote attackers to execute arbitrary code via a long Action property.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aurigma | image_uploader_activex_control | <= 4.5.70 | — |
| aurigma | image_uploader_activex_control | — | — |
| myspace | myspaceuploader | — | — |
| piczo | imageuploader4 | — | — |
Detection & IOCs (extracted from sources)
- bytes: `%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a`
- bytes: `%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4949%u4937%u5a51%u436a`
- bytes: `%u0A0A%u0A0A`
- Detect instantiation of MySpaceUploader.ocx ActiveX control version 1.0.0.4 in browser context, which is vulnerable to remote buffer overflow exploitation.
- Detect heap spray pattern using repeated 0x0A0A0A0A NOP sled in JavaScript, characteristic of this ActiveX exploit.
- Detect Alpha2-encoded shellcode stubs beginning with `%u03eb%ueb59%ue805%ufff8%uffff` in JavaScript unescape() calls, used by both bind and exec payloads in this exploit.
- Detect EXITFUNC=seh shellcode encoding pattern (Alpha2 encoder) delivered via JavaScript unescape() in HTML pages loading MySpaceUploader.ocx.
- Flag loading of ImageUploader4.ocx (CLSID distinct from CVE-2008-0659) in browser, particularly when the Action property is set to a long string value.
- Note: The exploit shellcode targets win32 (Windows 32-bit) only; the bind shell payload opens LPORT=4444 and the exec payload runs calc.exe as a proof-of-concept; real-world attackers would substitute a different payload.
- Note: CVE-2008-1490 (ImageUploader4.ocx) is documented as a different CLSID from CVE-2008-0659; detections must distinguish between the two ActiveX controls to avoid false positives.
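CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |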
GHSA
GHSA-8pc6-h9qw-hq8q (ghsa_unreviewed, 2022-05-01)
CVE-2008-0659 [HIGH] CWE-119
Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4, allows remote attackers to execute arbitrary code via a long Action property.
GHSA
GHSA-r8wh-xjhh-44p3 (ghsa_unreviewed, 2022-05-01, CVSS 10.0)
CVE-2008-1490 [CRITICAL] CWE-119
Buffer overflow in a certain Aurigma ActiveX control in ImageUploader4.ocx 4.1.36.0, as used with Piczo (aka Pizco) and possibly other online services, allows remote attackers to execute arbitrary code via unspecified vectors, possibly involving a long Action property, a different CLSID than CVE-2008-0659.
VulnCheck
aurigma image_uploader_activex_control Improper Restriction of Operations within the Bounds of a Memory Buffer (vulncheck, 2008, CVSS 10.0)
CVE-2008-1490 [CRITICAL]
Buffer overflow in a certain Aurigma ActiveX control in ImageUploader4.ocx 4.1.36.0, as used with Piczo (aka Pizco) and possibly other online services, allows remote attackers to execute arbitrary code via unspecified vectors, possibly involving a long Action property, a different CLSID than CVE-2008-0659.
Affected: aurigma image_uploader_activex_control
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
References
- http://blogs.aurigma.com/post/2008/01/Another-security-problem---oh%2c-not-again.aspx
- http://seclists.org/fulldisclosure/2008/Jan/0593.html
- http://secunia.com/advisories/28715
- http://secunia.com/advisories/28733
- http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060483
- http://www.kb.cert.org/vuls/id/776931
- http://www.securityfocus.com/bid/27533
- http://www.vupen.com/english/advisories/2008/0344/references
- http://www.vupen.com/english/advisories/2008/0345/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/40118
- https://www.exploit-db.com/exploits/5025
Published: 2008-02-08