CVE-2008-4384
Published 2008-10-07
CVE-2008-4384: Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX control (LPControl.dll), as acquired by Roxio and iseemedia, allow remote attackers to…
Priority: P352, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 28.71% (97.9th percentile)
Multiple stack-based buffer overflows in MGI Software LPViewer ActiveX control (LPControl.dll), as acquired by Roxio and iseemedia, allow remote attackers to execute arbitrary code via the (1) url, (2) toolbar, and (3) enableZoomPastMax methods.
Detection & IOCs (extracted from sources)
- Monitor for instantiation of the ActiveX ProgID 'LPViewer.LPViewer.1' via JavaScript ActiveXObject calls in browser contexts, which is the attack vector used to trigger the overflow.
- Detect overly long strings passed to the URL(), toolbar(), or enableZoomPastMax() methods of the LPViewer ActiveX control (LPControl.dll / LPControll.dll), as these are the three vulnerable method vectors.
- The exploit uses a heap-spray technique targeting return address 0x0C0C0C0C; detect NOP sled heap sprays combined with ActiveX object creation for LPViewer in browser memory.
- The exploit sets EXITFUNC to 'process', meaning post-exploitation process termination behavior can be used as a behavioral indicator alongside shellcode execution from browser child processes.
- The vulnerable DLL filename is inconsistently spelled across sources ('LPControl.dll' in NVD vs 'LPControll.dll' with double-L in the Metasploit module); detection rules should account for both spellings.
- The Metasploit module randomizes all JavaScript variable names on each request, so static string-based signatures on variable names will not be reliable; focus detection on the ProgID and method call patterns instead.
- The payload space is limited to 1024 bytes with null bytes as bad characters; shellcode delivered via this vector will be null-free and encoded, which may affect AV/IDS signature matching.
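A static first-pass check built from the notes above, as an added example that is not code from the indexed sources: it keys on the ProgID, follows whatever variable name holds the control (since names are randomized), and flags calls to the three methods. The `MAX_LITERAL` threshold, the finding labels and both sample pages are assumptions constructed for illustration.

```python
import re

PROGID = "lpviewer.lpviewer.1"                     # ProgID named on the page
METHODS = {"url", "toolbar", "enablezoompastmax"}  # the three vulnerable methods
MAX_LITERAL = 256  # assumed threshold; the page gives no overflow length

# Merge split literals such as 'LPViewer.' + 'LPViewer.1' before matching.
_CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")
_CREATE = re.compile(
    r"""(?:(\w+)\s*=\s*)?new\s+ActiveXObject\s*\(\s*['"]([^'"]+)['"]\s*\)""", re.I)
_DLL = re.compile(r"LPControll?\.dll", re.I)       # both spellings seen in sources
_LITERAL = re.compile(r"""['"]([^'"]*)['"]""")

def scan_page(html):
    """Return (kind, detail) findings for one HTML/JavaScript document."""
    text = _CONCAT.sub("", html)
    findings, handles = [], set()
    for m in _CREATE.finditer(text):
        if m.group(2).lower() == PROGID:
            findings.append(("progid", m.group(2)))
            if m.group(1):
                handles.add(m.group(1))  # names are randomized, so track them
    for name in sorted(handles):
        call = re.compile(r"\b%s\s*\.\s*(\w+)\s*[(=]\s*([^;\n]*)" % re.escape(name))
        for m in call.finditer(text):
            method = m.group(1).lower()
            if method not in METHODS:
                continue
            literal = _LITERAL.match(m.group(2))
            if literal is None:
                # Argument built at run time: length is unknown statically.
                findings.append(("dynamic-arg", method))
            elif len(literal.group(1)) > MAX_LITERAL:
                findings.append(("long-literal", method))
    dll = _DLL.search(text)
    if dll:
        findings.append(("dll", dll.group(0)))
    return findings

# Constructed samples, not captured traffic.
SUSPECT = """<script>
var qZx = new ActiveXObject('LPViewer.' + 'LPViewer.1');
qZx.URL(kPw);
</script>"""
BENIGN = "<script>var d = new ActiveXObject('Scripting.Dictionary'); d.url('a');</script>"

if __name__ == "__main__":
    print(scan_page(SUSPECT), scan_page(BENIGN))
```

A `dynamic-arg` finding means the string length can only be judged at run time, so treat it as a prompt for sandboxed or proxy-side inspection rather than a verdict.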
No detection rules found.
Exploit-DB
iseemedia / Roxio / MGI Software LPViewer - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: lpviewer_url.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When
sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
Metasploit
iseemedia / Roxio / MGI Software LPViewer ActiveX Control Buffer Overflow
This module exploits a stack buffer overflow in LPViewer ActiveX control (LPControll.dll 3.2.0.2). When sending an overly long string to the URL() property an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/32140
- http://www.kb.cert.org/vuls/id/848873
- http://www.securityfocus.com/bid/31604
- http://www.vupen.com/english/advisories/2008/2749
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45699