CVE-2008-1724
Published: 2008-04-11
Priority P356 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available · EPSS: 35.13% (98.2th percentile)
Stack-based buffer overflow in the IActiveXTransfer.FileTransfer method in the SecureTransport FileTransfer ActiveX control in vcst_en.dll 1.0.0.5 in Tumbleweed SecureTransport Server before 4.6.1 Hotfix 20 allows remote attackers to execute arbitrary code via a long remoteFile parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tumbleweed | securetransport_server_app | <= 4.6.1 | — |
Detection & IOCs (extracted from sources)
- The exploit triggers via the IActiveXTransfer.FileTransfer / TransferFile() ActiveX method with an overly long 4th argument (remoteFile parameter). Monitor for ActiveX instantiation of the vcst_en.dll or vcst_eu.dll control followed by a TransferFile call with a very long string (>4620 bytes) in the remoteFile position.
- The Metasploit module uses a browser-delivered HTML page that calls <object>.TransferFile() with a 4620-byte alpha filler followed by an SEH overwrite payload. Detect large (>4000 byte) string arguments to TransferFile() in browser-rendered HTML.
- The exploit uses an SEH-based overwrite. Known return addresses used for control-flow hijack are 0x1001ee75 (universal, vcst_eu.dll), 0x75022ac4 (Windows 2000), and 0x71aa32ad (Windows XP SP0/SP1 EN). These can be used as memory-pattern signatures in network or memory forensics.
- Bad characters for payload encoding include null bytes, newlines, carriage returns, and the range 0x80–0xa0, as well as <, >, (, ), ", \. Shellcode in exploit traffic will avoid these bytes, which can help tune IDS signatures.
- Two DLL filenames appear across sources: vcst_en.dll (NVD, English locale) and vcst_eu.dll (Metasploit module). Detection rules should cover both filenames, as the vulnerable component may be named differently depending on locale/build.
- The Metasploit module targets Windows 2000 and Windows XP SP0/SP1 with hardcoded return addresses; the 'Universal' target uses a return address inside vcst_eu.dll itself (0x1001ee75), meaning the DLL must be loaded in the browser process for exploitation.
- The payload space is limited to 1000 bytes, constraining the size of shellcode that can be delivered via this exploit vector.
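A static check for the TransferFile() indicator described in the list above, as an added example (not code from this page, the vendor or the Metasploit module). The names `scan_html`, `split_args` and the sample pages are hypothetical; it goes slightly beyond the note by also reporting a remoteFile argument that is built at runtime or cut off in a truncated capture.

```python
import re

# Threshold from the detection note above (>4000-byte remoteFile argument).
MAX_REMOTEFILE_LEN = 4000
CALL_RE = re.compile(r"\.TransferFile\s*\(", re.IGNORECASE)
# One quoted literal; closing quote optional so truncated captures still match.
LITERAL_RE = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\])*)\1?""", re.DOTALL)

def split_args(text, start):
    """Split a call's arguments, starting just past '(', on top-level commas."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\" and i + 1 < len(text):
                cur.append(ch); i += 1; ch = text[i]  # keep escaped char verbatim
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0: break
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur, ch = [], ""
        cur.append(ch)
        i += 1
    args.append("".join(cur).strip())
    return args

def scan_html(html):
    """Return (offset, kind, length) for each TransferFile call worth triaging."""
    findings = []
    for m in CALL_RE.finditer(html):
        args = split_args(html, m.end())
        if len(args) < 4 or not args[3]:
            continue
        lit = LITERAL_RE.fullmatch(args[3])
        if lit is None:  # built at runtime: static length unknown, triage by hand
            findings.append((m.start(), "dynamic-argument", None))
        elif len(lit.group(2)) > MAX_REMOTEFILE_LEN:
            findings.append((m.start(), "oversized-literal", len(lit.group(2))))
    return findings

# Constructed samples, shaped like the call quoted in the Exploit-DB entry on this page.
BENIGN = '<script>ctl.TransferFile("h", "u", "in.txt", "out/report.txt");</script>'
OVERSIZED = '<script>ctl.TransferFile("a", "b", "c", "' + "A" * 4620 + '");</script>'
DYNAMIC = '<script>ctl.TransferFile("a", "b", "c", pad + tail);</script>'
```

A static scan only sees literals present in the delivered HTML; pages that assemble the string in script show up as `dynamic-argument` and need inspection of the rendered call.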
No detection rules found.
Exploit-DB
Tumbleweed SecureTransport FileTransfer - 'vcst_eu.dll' ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-06-15
---
##
# $Id: tumbleweed_filetransfer.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the vcst_eu.dll
FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed
SecureTransport suite. By sending an overly long string to the
TransferFile() 'remotefile' function, a
Exploit-DB
Tumbleweed SecureTransport 4.6.1 FileTransfer - ActiveX Buffer Overflow
exploitdb·2008-04-07
---
Vulnerable.TransferFile("a", "b", "c",
"HqwToZjIhHkOZrLAyrUXkIEJkcQkiYRtePnECVUqpnlzkJTgBuGiqyLUCnceJkrsIxPXchpkjFjIgJRqGvniwwHJssGiTaPpmKZlBPwGMYhShxUWMCLuhgrpWXfdoWCCRYtDTrwyvDmfdAtdazeizBqexoCGifFzEKzvLENkrNCoqpQVtclDmpzPIJZTgUuSHWyiZoUWeNzrJFILdoEpKoyEptrZidLYuGbCrHxrMURRpdXyYJLzbeGRKqUOliWDHFdTEJOsGLngqOVVZdjzlCgOYbvSaUKcmQcugvmVQWMQVfudlFmPvrmULKPQDVGuVFxuhFbuazTlsGbYhuJIjKfPdzGdYKcGVmVFqrtRrzXIGrauMEauSvNfDQkfyQNOTNSwftDyRhKdBFyZHaKQDDrxIEoFyrNLjLPTTGTYNlkoWfPdgSqStnopGaGkwCujLqtocvbYJuTVbUJUJbsloqLClPXTklqPEOsthiraZgJzElMuXPuleJCQdcLsEbnalOGUpZsLgafPsjJEjUuIKAwjZWAaMLnVZwqMQeUYToFMBuneclybwZcKUjHMZhUaEayTKAqPlXGIcUbJVXOpiergIyJVEegVBsPObCFGjXBCgEYZYWfUKxzvVzWeJvhqDRksWeZTWBRhMctQqFMuRHxuTifCqZUsVbILkc
Metasploit
Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed SecureTransport suite. By sending an overly long string to the TransferFile() 'remotefile' function, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/29717
- http://securityreason.com/securityalert/3806
- http://www.aushack.com/200708-tumbleweed.txt
- http://www.securityfocus.com/archive/1/490536/100/0/threaded
- http://www.securityfocus.com/bid/28662
- http://www.vupen.com/english/advisories/2008/1165/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41692
- https://www.exploit-db.com/exploits/5398