CVE-2008-5492
Published 2008-12-12
Priority: P3 · 54 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 35.27% (98.2th percentile)
Heap-based buffer overflow in the PDFVIEW.PdfviewCtrl.1 ActiveX control in pdfview.ocx 2.0.0.1 in VeryDOC PDF Viewer OCX Control allows remote attackers to execute arbitrary code via a long first argument to the OpenPDF method. NOTE: some of these details are obtained from third party information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| verypdf | verydoc_pdf_viewer | — | — |
Detection & IOCs
- Trigger condition: a string of 1006 or more characters passed as the first argument to the OpenPDF method of the PDFVIEW.PdfviewCtrl.1 ActiveX control. Monitor ActiveX method calls to OpenPDF with oversized first arguments.
- The Metasploit exploit uses a heap-spray technique targeting return address 0x0c0c0c0c on Windows XP SP0-SP3 / Vista with IE 6.0 SP0-SP2 / IE 7. Detect heap-spray patterns that fill memory with NOP sleds toward 0x0c0c0c0c.
- Payload bad characters are limited to null bytes (\x00), so shellcode in exploit traffic can contain any byte value except null. IDS rules should flag large non-null shellcode blobs delivered via the browser to pdfview.ocx.
- The Metasploit module uses a JavaScript unescape() heap spray to position shellcode. Look for HTML pages that instantiate PDFVIEW.PdfviewCtrl.1 and also contain large unescape() loops in embedded script.
- The vulnerable file version is specifically pdfview.ocx 2.0.0.1. Scope detections to this version to avoid false positives on other releases.
- The Metasploit module sets EXITFUNC to 'process', so the exploited process terminates after payload execution. Post-exploitation forensics should account for short-lived parent browser processes.
- Payload space is constrained to 1024 bytes. Staged or large payloads will not fit and the exploit will fail, so detection should not rely solely on large second-stage downloads.
No detection rules found.
Exploit-DB
VeryPDF PDFView - OCX ActiveX OpenPDF Heap Overflow (Metasploit)
exploitdb·2010-09-20
---
##
# $Id: verypdf_pdfview.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow',
'Description' => %q{
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow
because it fails to properly bounds-check user-supplied data before copying
it into an insufficiently sized memory buffer. An attacker can exploit this issue
to execute arbitrary code within the context of the affected ap
Exploit-DB
VeryPDF PDFView - ActiveX Component Heap Buffer Overflow
exploitdb·2008-11-15
---
source: https://www.securityfocus.com/bid/32313/info
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
Sub Boom
buff = String(1006, "A")
target.OpenPDF buff, 1, 1
End Sub
Exploit-DB
VeryPDF PDFView - OCX ActiveX OpenPDF Heap Overflow (PoC)
exploitdb·2008-11-15
---
Sub Boom
buff = String(1006, "A")
target.OpenPDF buff, 1, 1
End Sub
# milw0rm.com [2008-11-15]
Metasploit
VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow
metasploit
The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application.
No writeups or analysis indexed.
- http://secunia.com/advisories/32725
- http://securityreason.com/securityalert/4715
- http://www.bmgsec.com.au/advisories/openpdf.txt
- http://www.securityfocus.com/bid/32313
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46622
- https://www.exploit-db.com/exploits/7126
Published: 2008-12-12