cbcvebase.
CVE-2009-3958
published 2010-01-13

CVE-2009-3958: Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader…

Priority: P269 · critical
CVSS 2.0 score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 52.59% (98.8th percentile)
Multiple stack-based buffer overflows in the NOS Microsystems getPlus Helper ActiveX control before 1.6.2.49 in gp.ocx in the Download Manager in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow remote attackers to execute arbitrary code via unspecified initialization parameters.

Affected

97 ranges (showing 25)

Vendor   Product   Version range   Fixed in
adobe    acrobat   <= 9.2          (not listed)
(the remaining 24 rows shown are also adobe / acrobat but carry no version range or fix data)

Detection & IOCs (extracted from sources)

CLSID: E2883E8F-472F-4fb0-9522-AC9BF37916A7
Filename: gp.ocx
Snort rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; content:"offer-"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; classtype:attempted-user; sid:2010665; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, cve CVE_2009_3958, deployment Perimeter, confidence High, signature_severity Major, tag ActiveX, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect exploit attempts by matching the vulnerable ActiveX CLSID (E2883E8F-472F-4fb0-9522-AC9BF37916A7) together with the 'offer-' keyword and one of the initialization parameter values ineligible, preinstalled, declined or accepted, all anchored on a classid attribute in HTTP response traffic.
  • Traffic direction for this exploit is inbound to the client (established,to_client) over HTTP ports, consistent with a drive-by / client-side exploitation scenario.
  • The vulnerable component is the NOS Microsystems getPlus Helper ActiveX control (gp.ocx) version 1.6.2.48 and earlier; presence of this file on a Windows host indicates exposure.
  • The exact initialization parameters that trigger the overflow are unspecified; the Snort/ET rule uses the known 'offer-*' parameter values as a heuristic proxy, so detection coverage may be incomplete.
  • The vulnerability affects both Windows and Mac OS X, but the ET Snort rule metadata scopes affected products to Windows only (Windows_XP_Vista_7_8_10_Server_32_64_Bit); Mac OS X hosts may not be covered by this rule.
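The detection logic of the ET rule above, translated to Python and run over constructed response bodies, as an added example (not code from the page or from Emerging Threats). It assumes the printed PCRE, which begins with "]*classid", was truncated by extraction, so only the classid-onward portion is mirrored; the sample bodies are constructed, not captured traffic.

```python
import re
from typing import Optional

# CLSID of the getPlus Helper ActiveX control (gp.ocx), taken from the page.
GETPLUS_CLSID = "E2883E8F-472F-4fb0-9522-AC9BF37916A7"

# Translation of the rule's PCRE from the classid attribute onward (assumption:
# the page's copy of the PCRE lost its leading part to HTML extraction).
# \x22/\x27 are the two quote characters, \x3a is ':', \x7B is '{'.
GETPLUS_OFFER_RE = re.compile(
    r"classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*"
    + re.escape(GETPLUS_CLSID)
    + r".+?offer-(ineligible|preinstalled|declined|accepted)",
    re.IGNORECASE | re.DOTALL,
)


def match_getplus_offer(body: str) -> Optional[str]:
    """Return the matched offer-* parameter name if the body would trip the rule."""
    # The rule's two plain content matches (CLSID and "offer-", both nocase) act
    # as a cheap pre-filter before the PCRE; keep the same ordering here.
    lower = body.lower()
    if GETPLUS_CLSID.lower() not in lower or "offer-" not in lower:
        return None
    m = GETPLUS_OFFER_RE.search(body)
    return f"offer-{m.group(1).lower()}" if m else None


# Constructed sample HTTP response bodies (hypothetical, not captured traffic).
SAMPLES = {
    "unrelated_control": '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
                         '<param name="offer-accepted" value="x"></object>',
    "getplus_no_offer": '<object classid="clsid:E2883E8F-472F-4fb0-9522-AC9BF37916A7" id="gp"></object>',
    "getplus_offer": "<OBJECT ID=gp CLASSID='clsid:{e2883e8f-472f-4fb0-9522-ac9bf37916a7}'>\n"
                     '<PARAM NAME="offer-declined" VALUE="placeholder"></OBJECT>',
    # Illustrates the coverage gap noted above: an offer-* name outside the
    # rule's four known values is not alerted on.
    "getplus_other_param": '<object classid="clsid:E2883E8F-472F-4fb0-9522-AC9BF37916A7">'
                           '<param name="offer-other" value="x"></object>',
}


def scan_samples(samples: dict) -> dict:
    """Map each sample name to the rule verdict (parameter name or None)."""
    return {name: match_getplus_offer(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples(SAMPLES).items():
        print(f"{name:22s} -> {verdict or 'no alert'}")
```

Only the third sample alerts; the legitimate-looking page that embeds the control without any offer-* parameter stays quiet, which is the false-positive control the rule's "offer-" content match provides.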

CVSS provenance

NVD (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Vendor (Red Hat): 10.0 CRITICAL