CVE-2008-2551
published 2008-06-04


Priority: P269 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV (exploited in the wild)
EPSS: 46.94% (98.7th percentile)
The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."

Affected

1 range
Vendor | Product | Version range | Fixed in
icona | instant_messenger | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

filename: DownloaderActiveX.ocx
url: http://retrogod.altervista.org/9sg_c6_download_exec.html
command: propPostDownloadAction=run
  • Target user-agent filtering: the exploit only proceeds for Internet Explorer (MSIE) clients or for requests carrying 'File Session' in the User-Agent, which is the string the ActiveX control sends when it fetches the payload EXE. Monitor for HTTP requests with a 'File Session' User-Agent, since that value is characteristic of the control rather than of a browser.
  • The payload is served as 'application/octet-stream' from the same web server URI that hosts the exploit HTML. Correlate HTTP responses with Content-Type: application/octet-stream that follow a request for an ActiveX exploit page from the same client and host.
  • The Metasploit module uses 'migrate -f' as an InitialAutoRunScript, so the payload process attempts to migrate into another process immediately after execution. Monitor for unexpected process injection or migration activity following execution of a downloaded binary.
  • The vulnerable component is version-specific: only Icona SpA C6 Messenger 1.0.0.1 is confirmed affected. The DownloaderActiveX.ocx control must be registered on the victim system for exploitation to succeed.
  • Exploitation requires the victim to be using Internet Explorer, as the ActiveX control is only instantiated in IE-based browsers. Non-IE browsers are explicitly rejected by the exploit module.
  • The downloaded and executed payload runs in the context of the currently logged-on user, so its privilege level depends on the victim's account. No privilege escalation is built into the exploit.
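The first two detection bullets above describe behaviours that can be checked against web-proxy logs: a 'File Session' User-Agent, and an application/octet-stream response served by a host that the same Internet Explorer client fetched an HTML page from moments earlier. The following script is an added illustration, not part of this record or of any vendor or Metasploit code; the log line format, the sample log lines and the hostnames (all under the reserved .invalid TLD) are constructed for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not a real capture). One request per line:
#   <timestamp> <client-ip> <status> <response-content-type> <url> "<user-agent>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 200 text/html http://lure.invalid/c6.html "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2024-01-01T10:00:04 10.0.0.5 200 application/octet-stream http://lure.invalid/c6.html "File Session"
2024-01-01T10:05:00 10.0.0.7 200 text/html http://news.invalid/index.html "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
2024-01-01T10:05:02 10.0.0.7 200 image/png http://news.invalid/logo.png "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"
2024-01-01T10:09:00 10.0.0.9 200 application/octet-stream http://downloads.invalid/setup.exe "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the constructed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, status, ctype, url, ua = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "status": int(status),
        "ctype": ctype.lower(),
        "host": urlsplit(url).netloc,
        "url": url,
        "ua": ua,
    }


def detect(log_text, window=timedelta(seconds=60)):
    """Return (rule, client, url) alerts for the two behaviours the detection notes describe."""
    alerts = []
    # (client, host) -> timestamps of HTML pages that client fetched from that host with an MSIE UA
    recent_html = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] != 200:
            continue
        key = (ev["client"], ev["host"])
        ua = ev["ua"].lower()
        # Rule 1: the ActiveX control identifies itself as 'File Session' when fetching the payload.
        if "file session" in ua:
            alerts.append(("ua-file-session", ev["client"], ev["url"]))
        # Remember HTML pages loaded by Internet Explorer; the control is only instantiated there.
        if ev["ctype"].startswith("text/html") and "msie" in ua:
            recent_html.setdefault(key, []).append(ev["ts"])
        # Rule 2: a binary served by the same host shortly after that client loaded an HTML page from it.
        elif ev["ctype"] == "application/octet-stream":
            if any(timedelta(0) <= ev["ts"] - t <= window for t in recent_html.get(key, [])):
                alerts.append(("octet-stream-after-html", ev["client"], ev["url"]))
    return alerts


if __name__ == "__main__":
    for rule, client, url in detect(SAMPLE_LOG):
        print(f"{rule}: client={client} url={url}")
```

On the sample log only client 10.0.0.5 is flagged, once by each rule; the plain EXE download by 10.0.0.9 is not, because no HTML page was fetched from that host first. Rule 2 is a correlation heuristic and will also match legitimate "click a page, then download" sequences from IE, so in practice it is a candidate for triage rather than a stand-alone alert, whereas the 'File Session' User-Agent is a much more specific indicator.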

CVSS provenance

nvd: v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 9.3 · CRITICAL