CVE-2008-5492
published 2008-12-12


Priority: P354, critical
CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 35.27% (98.2th percentile)
Heap-based buffer overflow in the PDFVIEW.PdfviewCtrl.1 ActiveX control in pdfview.ocx 2.0.0.1 in VeryDOC PDF Viewer OCX Control allows remote attackers to execute arbitrary code via a long first argument to the OpenPDF method. NOTE: some of these details are obtained from third party information.

Affected (1 range)

Vendor    Product                 Version range    Fixed in
verypdf   verydoc_pdf_viewer      (not listed)     (not listed)

Detection & IOCs (extracted from sources)

Type        Value
filename    pdfview.ocx
other       PDFVIEW.PdfviewCtrl.1
command     target.OpenPDF buff, 1, 1
other       0x0c0c0c0c

  • Trigger condition is a string of 1006 or more characters passed as the first argument to the OpenPDF method of the PDFVIEW.PdfviewCtrl.1 ActiveX control; monitor ActiveX method calls to OpenPDF with oversized first arguments.
  • Metasploit exploit uses a heap-spray technique targeting return address 0x0c0c0c0c on Windows XP SP0-SP3 / Vista with IE 6.0 SP0-SP2 / IE 7; detect heap spray patterns filling memory with NOP sleds toward 0x0c0c0c0c.
  • Payload bad characters are limited to null bytes only (\x00), meaning shellcode in exploit traffic will contain all non-null bytes; IDS rules should flag large non-null shellcode blobs delivered via browser to pdfview.ocx.
  • The Metasploit module uses JavaScript unescape() heap spray to position shellcode; look for HTML pages instantiating PDFVIEW.PdfviewCtrl.1 combined with large unescape() loops in embedded script.
  • The vulnerable file version is specifically pdfview.ocx 2.0.0.1; detections should be scoped to this version to avoid false positives on other releases.
  • The Metasploit module sets EXITFUNC to 'process', meaning the exploit process terminates after payload execution; post-exploitation forensics should account for short-lived parent browser processes.
  • Payload space is constrained to 1024 bytes; staged or large payloads will not fit and the exploit will fail, so detection should not rely solely on large second-stage downloads.