CVE-2008-1724
published 2008-04-11


Priority: P356
Severity: critical, 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 35.13% (98.2th percentile)
Stack-based buffer overflow in the IActiveXTransfer.FileTransfer method in the SecureTransport FileTransfer ActiveX control in vcst_en.dll 1.0.0.5 in Tumbleweed SecureTransport Server before 4.6.1 Hotfix 20 allows remote attackers to execute arbitrary code via a long remoteFile parameter.

Affected (1 range)

Vendor      Product                     Version range   Fixed in
tumbleweed  securetransport_server_app  <= 4.6.1        (none listed)

Detection & IOCs (extracted from sources)

filename: vcst_en.dll
filename: vcst_eu.dll
version:  vcst_eu.dll 1.0.0.5
other:    0x1001ee75
other:    0x75022ac4
other:    0x71aa32ad
command:  TransferFile() with 4620-byte filler + SEH payload in 'remotefile' parameter
  • The exploit triggers via the IActiveXTransfer.FileTransfer / TransferFile() ActiveX method with an overly long 4th argument (the remoteFile parameter). Monitor for ActiveX instantiation of the vcst_en.dll or vcst_eu.dll control followed by a TransferFile call with a very long string (>4620 bytes) in the remoteFile position.
  • The Metasploit module uses a browser-delivered HTML page that calls <object>.TransferFile() with a 4620-byte alpha filler followed by an SEH overwrite payload. Detect large (>4000 byte) string arguments to TransferFile() in browser-rendered HTML.
  • The exploit uses an SEH-based overwrite. Known return addresses used for control-flow hijack are 0x1001ee75 (universal, inside vcst_eu.dll), 0x75022ac4 (Windows 2000), and 0x71aa32ad (Windows XP SP0/SP1 EN). These can be used as memory-pattern signatures in network or memory forensics.
  • Bad characters for payload encoding include null bytes, newlines, carriage returns, the range 0x80–0xa0, and the characters <, >, (, ), ", \. Shellcode in exploit traffic will avoid these bytes, which can help tune IDS signatures.
  • Two DLL filenames appear across sources: vcst_en.dll (NVD, English locale) and vcst_eu.dll (Metasploit module). Detection rules should cover both filenames, since the vulnerable component may be named differently depending on locale or build.
  • The Metasploit module targets Windows 2000 and Windows XP SP0/SP1 with hardcoded return addresses; the 'Universal' target uses a return address inside vcst_eu.dll itself (0x1001ee75), meaning the DLL must be loaded in the browser process for exploitation.
  • The payload space is limited to 1000 bytes, constraining the size of shellcode that can be delivered via this exploit vector.
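The detection notes above amount to two checks: a static check of HTML for a TransferFile() call whose fourth (remoteFile) argument is an oversized string, and a byte-pattern check for the listed SEH return addresses in memory or captured traffic. The script below is an added triage helper, not part of this CVE record, the NVD entry or the Metasploit module; it uses only the DLL names, the 4000-byte threshold, the argument position and the three addresses listed above. The sample HTML and byte string are constructed for the example (the codebase="vcst_eu.dll" attribute is a stand-in for however the control is referenced; the real CLSID is not on this page), and the HTML check assumes unobfuscated JavaScript with a plain string literal in the remoteFile position.

```python
import re
import struct

# Indicators taken from the CVE-2008-1724 record above.
VULNERABLE_DLLS = ("vcst_en.dll", "vcst_eu.dll")
KNOWN_RET_ADDRS = (0x1001ee75, 0x75022ac4, 0x71aa32ad)
LONG_ARG_THRESHOLD = 4000      # the record flags >4000-byte string arguments
REMOTEFILE_ARG_INDEX = 3       # remoteFile is the 4th TransferFile argument

CALL_RE = re.compile(r"\bTransferFile\s*\(", re.IGNORECASE)


def split_call_args(src, pos):
    """Split a JavaScript-style argument list beginning at src[pos] (just
    after the opening parenthesis). Quoted strings and nested parentheses
    are respected; returns the raw argument texts up to the matching ')'."""
    args, cur, depth, quote, i = [], [], 0, None, pos
    while i < len(src):
        ch = src[i]
        if quote:                                  # inside a string literal
            cur.append(ch)
            if ch == "\\" and i + 1 < len(src):    # keep escaped char verbatim
                cur.append(src[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    args.append("".join(cur).strip())
    return args


def literal_length(arg):
    """Length of a plain string literal, or None when the argument is an
    expression (variable, concatenation, Array.join trick) we cannot size."""
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return len(arg) - 2
    return None


def scan_html(html):
    """Static triage of a page: flag references to the vulnerable control's
    DLL names and TransferFile calls whose remoteFile argument is a very
    long literal (or a computed value that deserves manual review)."""
    findings = []
    lowered = html.lower()
    for dll in VULNERABLE_DLLS:
        if dll in lowered:
            findings.append({"kind": "dll_reference", "value": dll})
    for m in CALL_RE.finditer(html):
        args = split_call_args(html, m.end())
        if len(args) <= REMOTEFILE_ARG_INDEX:
            continue
        n = literal_length(args[REMOTEFILE_ARG_INDEX])
        if n is None:
            findings.append({"kind": "dynamic_remotefile_arg", "offset": m.start()})
        elif n > LONG_ARG_THRESHOLD:
            findings.append({"kind": "long_remotefile_arg", "length": n, "offset": m.start()})
    return findings


def scan_bytes(data):
    """Look for the record's known SEH return addresses as they would appear
    in memory or on the wire (32-bit little-endian)."""
    hits = []
    for addr in KNOWN_RET_ADDRS:
        off = data.find(struct.pack("<I", addr))
        if off != -1:
            hits.append({"address": hex(addr), "offset": off})
    return hits


# Constructed samples (not captured from any real exploit page or traffic).
BENIGN_HTML = '<script>ctl.TransferFile("host", "user", "c:\\\\local.txt", "remote.txt");</script>'
SUSPICIOUS_HTML = (
    '<object id="ctl" codebase="vcst_eu.dll"></object>\n'   # hypothetical reference to the control
    '<script>ctl.TransferFile("host", "user", "local.txt", "' + "A" * 4620 + '");</script>'
)
SUSPICIOUS_BYTES = b"A" * 16 + struct.pack("<I", 0x1001ee75) + b"\x90" * 8

if __name__ == "__main__":
    print(scan_html(BENIGN_HTML))        # []
    print(scan_html(SUSPICIOUS_HTML))    # dll reference + 4620-byte remoteFile literal
    print(scan_bytes(SUSPICIOUS_BYTES))  # 0x1001ee75 at offset 16
```

A non-literal remoteFile argument is reported separately rather than ignored, since a filler built at runtime would defeat the length check; treat that finding as a prompt for manual review, not as a verdict. The byte scan is deliberately narrow (three fixed addresses) and will not catch a module retargeted to other return addresses, which is why the length-based check and the DLL-name check are kept alongside it.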