CVE-2008-5002
published 2008-11-10

Priority: P355 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 40.66% (98.5th percentile)
Insecure method vulnerability in the ChilkatCrypt2.ChilkatCrypt2.1 ActiveX control (ChilkatCrypt2.dll 4.3.2.1) in Chilkat Crypt ActiveX Component allows remote attackers to create and overwrite arbitrary files via the WriteFile method. NOTE: this could be leveraged for code execution by creating executable files in Startup folders or by accessing files using hcp:// URLs. NOTE: some of these details are obtained from third party information.

Affected

1 range
Vendor: chilkat_software
Product: chilkat_crypt_activex_control
Version range: (not specified)
Fixed in: (not specified)

Detection & IOCs (extracted from sources)

filename: ChilkatCrypt2.dll
other: CLSID {3352B5B9-82E8-4FFD-9EB1-1A3E60056904}
path: C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\msinfo.htm
path: C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo
command: hcp://system/sysinfo/msinfo.htm
command: compatUI.RunApplication 1, "C:\HelloWorld.exe", 1
other: ActiveXObject("ChilkatCrypt2.ChilkatCrypt2")
version: ChilkatCrypt2.dll 4.3.2.1
  • Detect instantiation of the vulnerable ActiveX control by ProgID 'ChilkatCrypt2.ChilkatCrypt2.1' or CLSID {3352B5B9-82E8-4FFD-9EB1-1A3E60056904} in browser script
  • Monitor for WriteFile method calls from ChilkatCrypt2 ActiveX writing files to Startup folders or to C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\
  • Alert on hcp:// protocol URI usage following ActiveX WriteFile activity, as the exploit chain uses hcp:// to trigger execution of the dropped payload
  • Detect creation of .htm files in C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo\ by browser processes, which is the staging path used by the exploit
  • Flag use of compatUI.dll's RunApplication method from HCP context, as this is the execution primitive used to launch the dropped payload
  • The exploit requires the victim to be browsing as Administrator; it does not work on versions of Windows newer than XP
  • The vulnerability was unpatched at the time the Metasploit module was written; the latest version at that time was ChilkatCrypt2.DLL 4.4.4.0, so version checks should account for all versions up to and including 4.4.4.0
  • The HCP filename used in the Metasploit module is hardcoded to 'msinfo', as other names do not work for the hcp:// execution chain