CVE-2009-1260
published 2009-04-07


Priority: P258, critical
CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 42.67% (98.5th percentile)
Multiple stack-based buffer overflows in UltraISO 9.3.3.2685 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted (1) CCD or (2) IMG file.

Affected

54 ranges listed, 25 shown. Only the first row carries a version range; the remaining 24 rows repeat the vendor/product with no range or fix version.

Vendor: ezbsystems
Product: ultraiso
Version range: <= 9.3.3
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: msf.ccd
registry: 0x00403856
registry: 0x10011640
other: SEH offset 4094 bytes into INDEX 1= field of .CCD file
other: SEH offsets [5066, 5158] bytes into INDEX 1= field of .CCD file
bytes: BadChars: \x00\x08\x0a\x0d\x20
  • Malicious .CCD file must be accompanied by a same-basename .IMG file; both files must exist on disk for the vulnerability to trigger. Detect pairs of .CCD/.IMG files with oversized INDEX 1= lines (>4094 bytes).
  • The overflow occurs in the INDEX 1= field of the [TRACK 1] section of a .CCD file. A payload-carrying INDEX 1= value of ~9000+ bytes (rand_text_alphanumeric(1000) * 9) is a strong indicator of exploitation.
  • SEH-based exploitation uses a pop/pop/ret gadget at 0x00403856 inside UltraISO.exe (double-click/command-line open method) or 0x10011640 in lame_enc.dll (File->Open method). Monitor for SEH chain overwrites pointing to these addresses in UltraISO process memory.
  • Payload space is 2048 bytes with bad characters \x00\x08\x0a\x0d\x20 excluded; shellcode will be placed at the beginning of the oversized INDEX 1= value. Scan .CCD files for non-printable/high-entropy content in the INDEX 1= field.
  • Affected versions are UltraISO 9.3.3.2685 and 9.3.6.2750. Presence of these versions combined with .CCD/.IMG file open events should be flagged.
  • The lame_enc.dll ROP gadget (0x10011640) is only loaded when UltraISO opens a file via File->Open or toolbar; it is NOT present when opening via double-click or command line. Target selection must match the open method.
  • System DLLs cannot be used for the SEH return address due to SafeSEH enforcement on the platform; only module-specific gadgets (UltraISO.exe, lame_enc.dll) are viable.
  • The UltraISO.exe base address contains a null byte bad character, preventing use of the multi-offset SEH exploitation method for the double-click/command-line target.
  • The IMG file variant (OSVDB 53425) does not appear to independently trigger a vulnerability; the .CCD file is the primary attack vector.