CVE-2008-3558
published 2008-08-08

Priority: P261, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 65.39% (99.2th percentile)
Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj.dll in Cisco WebEx Meeting Manager before 20.2008.2606.4919 allows remote attackers to execute arbitrary code via a long argument to the NewObject method.

Affected

2 ranges
Vendor   Product                                  Version range   Fixed in
cisco    webex_meeting_manager
cisco    webex_meeting_manager_activex_control

Detection & IOCs (extracted from sources)

filename: atucfobj.dll
other: CLSID:32E26FD9-F435-4A20-A561-35D4B987CFDC
other: WebexUCFObject.WebexUCFObject
other: RET: 0x0c0c0c0c (heap spray return address)
bytes: %u0909%u0909 (heap spray NOP sled)
  • Detect instantiation of the vulnerable ActiveX control by its CLSID (32E26FD9-F435-4A20-A561-35D4B987CFDC) or ProgID (WebexUCFObject.WebexUCFObject) in HTML/script content.
  • Detect heap-spray pattern using the 0x0909 NOP-equivalent sled (unescape('%u0909%u0909')) combined with shellcode targeting return address 0x0c0c0c0c.
  • Flag presence of atucfobj.dll versions prior to 20.2008.2606.4919 on endpoints; the exploit was tested against v20.2008.2601.4928.
  • The Metasploit module uses EXITFUNC=process and an auto-migrate post-exploitation step; monitor for unexpected process migration activity after iexplore.exe loads atucfobj.dll.
  • The exploit payload space is limited to 1024 bytes with null bytes (%x00) as bad characters; payloads exceeding this or containing null bytes will fail.
  • The exploit relies on a heap-spray technique to deliver the payload unmodified into memory due to input restrictions imposed by the sprintf copy path.
  • The PoC was tested only against IE6 on Windows XP SP1; behaviour on other browser/OS combinations is not confirmed by the original exploit author.
  • Cisco's remediation is delivered automatically when users connect to the WebEx meeting service; users unable to connect require a manual workaround.
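
The first two detection items above can be checked statically over captured HTML or script content, for example in a proxy or mail-gateway pipeline. The scanner below is an added example, not code from the page or from any vendor; the rule names, the severity labels, the "%u0c0c" form of the return address and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Identifiers taken from the IOC list on this page.
CLSID = "32E26FD9-F435-4A20-A561-35D4B987CFDC"
PROGID = "WebexUCFObject.WebexUCFObject"

# Assumed rule set: names and regexes are this example's own.
RULES = {
    "clsid": re.compile(re.escape(CLSID), re.I),
    "progid": re.compile(re.escape(PROGID), re.I),
    "sled_0909": re.compile(r"(?:%u0909){2,}", re.I),
    "ret_0c0c": re.compile(r"0x0c0c0c0c|(?:%u0c0c){2,}", re.I),
}

def normalize(text):
    """Undo trivial hiding: HTML entities and 'a' + 'b' string splitting."""
    text = html.unescape(text)
    return re.sub(r"""["']\s*\+\s*["']""", "", text)

def scan(text):
    """Return (severity, sorted rule hits) for one HTML/script document."""
    norm = normalize(text)
    hits = sorted(name for name, rx in RULES.items() if rx.search(norm))
    control = "clsid" in hits or "progid" in hits
    spray = "sled_0909" in hits
    if control and spray:
        severity = "high"      # control instantiated next to a spray sled
    elif control:
        severity = "medium"    # control referenced; confirm the DLL version
    elif spray or "ret_0c0c" in hits:
        severity = "low"       # generic spray marker, not tied to this CVE
    else:
        severity = "none"
    return severity, hits

# Constructed samples: they contain no payload, only the markers.
SAMPLE_SUSPECT = (
    '<object classid="clsid:32e26fd9-f435-4a20-a561-35d4b987cfdc" id="t">'
    "</object><script>var s = unescape('%u09' + '09%u0909');</script>"
)
SAMPLE_CONTROL_ONLY = (
    '<script>var o = new ActiveXObject("WebexUCF" + '
    '"Object.WebexUCFObject");</script>'
)
SAMPLE_BENIGN = "<p>Meeting notes: join at 09:09, room 0909.</p>"

if __name__ == "__main__":
    for doc in (SAMPLE_SUSPECT, SAMPLE_CONTROL_ONLY, SAMPLE_BENIGN):
        print(scan(doc))
```

A "medium" result only says the control is referenced, so pair it with the endpoint check on the atucfobj.dll version before raising an alert.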