CVE-2008-0955
published 2008-05-29


Priority: P356 · Severity: critical · Score: 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 41.23% (98.5th percentile)
Stack-based buffer overflow in the Creative Software AutoUpdate Engine ActiveX control in CTSUEng.ocx allows remote attackers to execute arbitrary code via a long CacheFolder property value.

Detection & IOCs (extracted from sources)

filename: CTSUEng.ocx
other: CLSID: 0A5FD7C5-A45C-49FC-ADB5-9952547D5715
url: http://www.creative.com/su/Product.asp
  • The CacheFolder property of CTSUEng.ocx triggers a stack-based buffer overflow after 260 bytes; at 512 bytes it overwrites SEH and allows reliable code execution. Monitor for unusually long string values set on this ActiveX property.
  • Set the kill bit for ActiveX CLSID 0A5FD7C5-A45C-49FC-ADB5-9952547D5715 (CTSUEng.ocx) to prevent instantiation in Internet Explorer.
  • Exploit delivers a heap spray using the %u0c0c%u0c0c pattern combined with NOP sleds and shellcode via JavaScript unescape(). Detect this pattern in HTML/JS content delivered to IE clients.
  • The Metasploit module targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7. Payload space is 1024 bytes with null byte as bad character.
  • The exploit uses randomized JavaScript variable names to evade static signature detection; focus on behavioral detection of large string assignments to the CacheFolder property of the CTSUEng.ocx ActiveX object.
  • The Metasploit module sets EXITFUNC to 'process', meaning the exploit terminates the browser process on exit rather than cleanly returning; this may affect post-exploitation stability.
  • Payload space is limited to 1024 bytes and null bytes (\x00) are bad characters; staged or larger payloads must account for these constraints.
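The kill-bit mitigation from the bullets above, as an added example (not code from this record, from Creative, or from the Metasploit project): it ORs the documented 0x400 kill-bit value into `Compatibility Flags` under Internet Explorer's `ActiveX Compatibility` key for the CLSID listed in the record, in both the native and Wow6432Node registry views, and reports whether the bit is set. Registry paths and the flag value are the standard Microsoft ones; the function names are this example's own.

```powershell
# Added example, not part of the CVE record or Creative's own code.
# Sets and verifies the Internet Explorer kill bit for the CTSUEng.ocx control
# using the CLSID given in the record. Requires an elevated PowerShell session.
$Clsid   = '{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}'
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

# Both registry views matter on 64-bit Windows, since 32-bit IE reads Wow6432Node.
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([string]$BasePath, [string]$Clsid)
    $key   = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # True only when the key exists and the 0x400 bit is present in the DWORD.
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any compatibility flags already present; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($base in $CompatPaths) {
    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path $base)) { continue }
    if (Test-ActiveXKillBit -BasePath $base -Clsid $Clsid) {
        Write-Output "Kill bit already set under $base"
    } else {
        Set-ActiveXKillBit -BasePath $base -Clsid $Clsid
        $ok = Test-ActiveXKillBit -BasePath $base -Clsid $Clsid
        Write-Output "Kill bit set under $base : $ok"
    }
}
```

Re-running the script is safe: it reports the existing bit instead of rewriting the value, and a later `Test-ActiveXKillBit` call doubles as a compliance check in audit scripts.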