CVE-2008-4384
published 2008-10-07

CVE-2008-4384: Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX control (LPControl.dll), as acquired by Roxio and iseemedia, allow remote attackers to…

Priority: P352, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 28.71% (97.9th percentile)
Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX control (LPControl.dll), as acquired by Roxio and iseemedia, allow remote attackers to execute arbitrary code via the (1) url, (2) toolbar, and (3) enableZoomPastMax methods.

Detection & IOCs

filename: LPControl.dll
filename: LPControll.dll
other: LPViewer.LPViewer.1
other: 0x0C0C0C0C
  • Monitor for instantiation of the ActiveX ProgID 'LPViewer.LPViewer.1' via JavaScript ActiveXObject calls in browser contexts, which is the attack vector used to trigger the overflow.
  • Detect overly long strings passed to the URL(), toolbar(), or enableZoomPastMax() methods of the LPViewer ActiveX control (LPControl.dll / LPControll.dll), as these are the three vulnerable method vectors.
  • The exploit uses a heap-spray technique targeting return address 0x0C0C0C0C; detect NOP sled heap sprays combined with ActiveX object creation for LPViewer in browser memory.
  • The exploit sets EXITFUNC to 'process', meaning post-exploitation process termination behavior can be used as a behavioral indicator alongside shellcode execution from browser child processes.
  • The vulnerable DLL filename is inconsistently spelled across sources ('LPControl.dll' in NVD vs 'LPControll.dll' with double-L in the Metasploit module); detection rules should account for both spellings.
  • The Metasploit module randomizes all JavaScript variable names on each request, so static string-based signatures on variable names will not be reliable; focus detection on the ProgID and method call patterns instead.
  • The payload space is limited to 1024 bytes with null bytes as bad characters; shellcode delivered via this vector will be null-free and encoded, which may affect AV/IDS signature matching.
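
A static content check built from the indicators above, as an added example that is not part of the original page or of any published rule: it binds whatever variable name receives the LPViewer.LPViewer.1 object and flags calls to the three vulnerable methods on that name, so randomized variable names do not matter. The function names, verdict labels and the sample document are assumptions constructed for illustration.

```python
import re

PROGID = "LPViewer.LPViewer.1"                      # ProgID from the page
METHODS = ("url", "toolbar", "enableZoomPastMax")   # the three vulnerable methods

# <name> = new ActiveXObject("LPViewer.LPViewer.1"); the name is captured because
# the exploit module randomizes it on every request.
_CREATE = re.compile(
    r"([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(\s*['\"]"
    + re.escape(PROGID) + r"['\"]\s*\)",
    re.IGNORECASE,
)
# Matches both spellings of the DLL name at the end of a path.
_DLL = re.compile(r"(?:^|[\\/])lpcontroll?\.dll$", re.IGNORECASE)


def scan(page: str) -> dict:
    """Classify one HTML/JS document as 'alert', 'review' or 'clean'."""
    handles = sorted({m.group(1) for m in _CREATE.finditer(page)})
    calls = []
    for name in handles:
        # The handle name is matched exactly; the method name in any letter case.
        call = re.compile(
            r"(?<![\w$])" + re.escape(name)
            + r"\s*\.\s*((?i:" + "|".join(METHODS) + r"))\s*\("
        )
        calls += [(name, m.group(1)) for m in call.finditer(page)]
    if calls:
        verdict = "alert"    # control created and a vulnerable method invoked
    elif PROGID.lower() in page.lower():
        verdict = "review"   # ProgID present but no bound call was found
    else:
        verdict = "clean"
    return {"verdict": verdict, "handles": handles, "calls": calls}


def is_lpviewer_dll(path: str) -> bool:
    """True for LPControl.dll or LPControll.dll, case-insensitively."""
    return bool(_DLL.search(path))


# Constructed sample: benign placeholder argument, randomized-looking names.
SAMPLE = """<script>
var qZk = new ActiveXObject('LPViewer.LPViewer.1');
var hTw = "constructed-placeholder";
qZk.enableZoomPastMax(hTw);
</script>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```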