CVE-2009-0215
Published 2009-03-25
CVE-2009-0215: Stack-based buffer overflow in the GetXMLValue method in the IBM Access Support ActiveX control in IbmEgath.dll, as distributed on IBM and Lenovo computers…
Priority P357 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.31% (98.3th percentile)
Stack-based buffer overflow in the GetXMLValue method in the IBM Access Support ActiveX control in IbmEgath.dll, as distributed on IBM and Lenovo computers, allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | access_support_activex_control | — | — |
Detection & IOCs
- Monitor for instantiation of the ActiveX ProgID 'IbmEgath.IbmEgathCtl.1' in browser processes, which is the vulnerable control targeted by this exploit.
- Detect heap spray patterns targeting address 0x0a0a0a0a with large allocation size (0x40000) in browser memory, characteristic of this exploit's shellcode delivery.
- Look for overly long string arguments passed to the GetXMLValue method of IbmEgath.dll, indicative of the stack buffer overflow exploitation attempt.
- The exploit targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7; prioritize detection on these platform/browser combinations.
- The Metasploit module uses JavaScript obfuscation (ObfuscateJS) with randomized variable names and random English fill text, meaning static string-based signatures on variable names will not reliably detect all variants.
No detection rules found.
Exploit-DB
IBM Access Support - ActiveX Control Buffer Overflow (Metasploit)
exploitdb·2010-11-11
```ruby
##
# $Id: ibmegath_getxmlvalue.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IBM Access Support ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in IBM Access Support. When
sending an overly long string to the GetXMLValue() method of IbmEgath.dll
(3.20.284.0) an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision
```
Metasploit
IBM Access Support ActiveX Control Buffer Overflow
metasploit
This module exploits a stack buffer overflow in IBM Access Support. When sending an overly long string to the GetXMLValue() method of IbmEgath.dll (3.20.284.0) an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://osvdb.org/52958
- http://secunia.com/advisories/34470
- http://www.kb.cert.org/vuls/id/340420
- http://www.securityfocus.com/bid/34228
- http://www.vupen.com/english/advisories/2009/0824
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49409