CVE-2008-5711
published 2008-12-24


Priority: P353
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 32.70% (98.1 percentile)
Heap-based buffer overflow in the Facebook PhotoUploader ActiveX control 5.0.14.0 and earlier allows remote attackers to execute arbitrary code via a long FileMask property value.

Affected

2 ranges

Vendor     Product         Version range   Fixed in
facebook   photouploader   <= 5.0.14.0     (none listed)
facebook   photouploader   (none listed)   (none listed)

Detection & IOCs (extracted from sources)

  filename:  ImageUploader4.ocx
  version:   ImageUploader4.ocx 4.5.57.0
  version:   Facebook PhotoUploader 5.0.14.0
  other:     0x0d0d0d0d
  other:     0x74c9de3e
  command:   ExtractIptc()
  bytes:     %u0D0D%u0D0D%u9090%u9090
  bytes:     0x969606eb
  • Detect heap spray targeting address 0x0d0d0d0d via repeated %u0D0D%u0D0D unescape patterns in browser JavaScript, indicative of exploitation of the Facebook PhotoUploader ActiveX control.
  • Monitor for instantiation of the ImageUploader4.ocx ActiveX control in Internet Explorer, particularly invocations of the ExtractIptc() method or setting of the FileMask property with long strings.
  • The Metasploit module uses oleacc.dll SEH handler at 0x74c9de3e as the return address on IE 6 SP0-SP2 / Windows XP SP2; look for ROP/SEH overwrites targeting this address.
  • Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash; payloads avoiding these characters in ActiveX property values should be treated as suspicious.
  • The Metasploit module targets only IE 6 SP0-SP2 on Windows XP SP2 Pro English; the hardcoded return address (0x74c9de3e from oleacc.dll) is version-specific and will not work on other OS/browser combinations.
  • The NVD description references the FileMask property as the overflow vector for version 5.0.14.0, while the Metasploit module and exploit-db PoC target the ExtractIptc() method in ImageUploader4.ocx 4.5.57.0; these are distinct attack vectors across two different control versions.
  • The exploit payload space is limited to 800 bytes with a stack adjustment of -3500, constraining the size and type of shellcode that can be delivered.