CVE-2009-1612
published 2009-05-11


Priority: P266 · Severity: critical · CVSS 2.0 base score: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 33.26% (98.2nd percentile)
Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control in mps.dll 3.9.4.27 in Baofeng Storm allows remote attackers to execute arbitrary code via a long argument to the OnBeforeVideoDownload method, as exploited in the wild in April and May 2009. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 3.09.04.17 and earlier are also affected.

Affected

8 ranges, all for vendor baofeng, product storm (Vendor / Product / Version range / Fixed in); the version-range and fixed-in values are not shown on this page.

Detection & IOCs (extracted from sources)

filename: mps.dll
other: CLSID 6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB
other: ProgID MPS.StormPlayer.1
command: OnBeforeVideoDownload
bytes: %uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063
  • Detect instantiation of the vulnerable ActiveX control by its ProgID 'MPS.StormPlayer.1' or CLSID '6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB' in HTML/JavaScript, which is the attack vector for this exploit.
  • Monitor for overly long string arguments passed to the 'OnBeforeVideoDownload' method of the MPS.StormPlayer.1 ActiveX control; a stack-based buffer overflow is triggered by this oversized argument.
  • The exploit uses a heap spray targeting address 0x0c0c0c0c with a 0x40000-byte spray block; detect this characteristic heap spray pattern in browser memory or JavaScript.
  • Look for the NOP sled pattern '%u9090%u9090' used as heap spray padding in JavaScript exploiting this vulnerability.
  • The exploit payload uses 'calc.exe' (shellcode ends with %u63E7%u6C61%u0063) as a proof-of-concept; in-the-wild variants will substitute this with malicious shellcode in the same unescape() string.
  • Affected versions include mps.dll 3.9.4.27 and lower, as well as 3.09.04.17 and earlier per later reports; the Metasploit module targets Windows XP SP0-SP3 and Windows Vista with IE 6.0 SP0-SP2 and IE 7, but notes these targets are untested.
  • The Metasploit module's return address ('Ret') field is empty for the sole target, indicating the ROP/return gadget was not populated and the module may require additional configuration to be fully functional.
  • The exploit was observed in the wild in April and May 2009; later reporting extended the affected version range beyond the initially disclosed 3.9.4.27.

CVSS provenance

NVD (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck: 9.3 CRITICAL