CVE-2008-4385
Published 2008-10-14
CVE-2008-4385: Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs…
Priority P355 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 37.68% (98.4th percentile)
Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs by specifying a malicious website argument to the Init method in (1) a certain ActiveX control (sysreqlab2.cab, sysreqlab.dll, sysreqlabsli.dll, or sysreqlab2.dll) and (2) a certain Java applet in RLApplet.class in sysreqlab2.jar or sysreqlab.jar.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| systemrequirementslab | system_requirements_lab | — | — |
Detection & IOCs
- Monitor for ActiveX instantiation of sysreqlab2.dll (version 2.30.0.0) in browser processes, specifically calls to the 'Init' method with a remote HTTP URL as the first argument, which triggers download and execution of an arbitrary EXE.
- Detect HTML pages that instantiate the sysreqlab ActiveX control and invoke the Init method with a remote URL argument pointing to an .exe file; the exploit delivers an EXE payload via 'Content-Type: application/octet-stream'.
- Look for browser-spawned processes downloading and executing EXE files sourced from a URL passed as the first argument to the ActiveX Init method; the Metasploit module appends a random alpha string as the exe filename (e.g., <random>.exe).
- Inspect Java applet loads for RLApplet.class within sysreqlab2.jar or sysreqlab.jar; the same unsafe Init method pattern applies to the Java vector.
- The Metasploit module uses randomized spacing (Rex::Text.randomize_space) and random variable/filename strings, so static string signatures on the HTML payload page will have low reliability; focus detection on the ActiveX Init method call pattern and the EXE download behavior instead.
- The SRVHOST may be set to 0.0.0.0, in which case the payload URL is dynamically resolved to the source address of the victim connection, so network-based IOCs for the C2 host cannot be statically predetermined.
No detection rules found.
Exploit-DB
Husdawg_ LLC. System Requirements Lab - ActiveX Unsafe Method (Metasploit)
exploitdb·2010-09-20
---
```ruby
##
# $Id: systemrequirementslab_unsafe.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method',
'Description' => %q{
This module allows attackers to execute code via an unsafe method in
Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE
```
Metasploit
Husdawg, LLC. System Requirements Lab ActiveX Unsafe Method
metasploit
This module allows attackers to execute code via an unsafe method in Husdawg, LLC. System Requirements Lab ActiveX Control (sysreqlab2.dll 2.30.0.0)
No writeups or analysis indexed.
- http://secunia.com/advisories/32236
- http://www.kb.cert.org/vuls/id/166651
- http://www.sec-consult.com/files/20081016-0_sysreqlab.txt
- http://www.securityfocus.com/archive/1/497400
- http://www.securityfocus.com/bid/31752
- http://www.systemrequirementslab.com/bulletins/security_bulletin_1.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45873
Published: 2008-10-14