CVE-2009-0215
published 2009-03-25

CVE-2009-0215: Stack-based buffer overflow in the GetXMLValue method in the IBM Access Support ActiveX control in IbmEgath.dll, as distributed on IBM and Lenovo computers…

Priority: P357, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.31% (98.3th percentile)
Stack-based buffer overflow in the GetXMLValue method in the IBM Access Support ActiveX control in IbmEgath.dll, as distributed on IBM and Lenovo computers, allows remote attackers to execute arbitrary code via unspecified vectors.

Affected

1 range
Vendor | Product | Version range | Fixed in
ibm | access_support_activex_control | |

Detection & IOCs (extracted from sources)

filename: IbmEgath.dll
version: IbmEgath.dll 3.20.284.0
other: ActiveXObject('IbmEgath.IbmEgathCtl.1')
command: GetXMLValue()
  • Monitor for instantiation of the ActiveX ProgID 'IbmEgath.IbmEgathCtl.1' in browser processes, which is the vulnerable control targeted by this exploit.
  • Detect heap spray patterns targeting address 0x0a0a0a0a with large allocation size (0x40000) in browser memory, characteristic of this exploit's shellcode delivery.
  • Look for overly long string arguments passed to the GetXMLValue method of IbmEgath.dll, indicative of the stack buffer overflow exploitation attempt.
  • The exploit targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7; prioritize detection on these platform/browser combinations.
  • The Metasploit module uses JavaScript obfuscation (ObfuscateJS) with randomized variable names and random English fill text, meaning static string-based signatures on variable names will not reliably detect all variants.