CVE-2009-4588
published 2010-01-07


Priority: P348
Severity: critical, CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 32.04% (98.1st percentile)
Heap-based buffer overflow in the WindsPlayerIE.View.1 ActiveX control in WindsPly.ocx 3.5.0.0 Beta, 3.0.0.5, and earlier in AwingSoft Awakening Web3D Player and Winds3D Viewer allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long SceneUrl property value, a different vulnerability than CVE-2009-2386. NOTE: some of these details are obtained from third party information.

Affected (4 ranges)

Vendor      Product                    Version range   Fixed in
awingsoft   awakening_winds3d_player   -               -
awingsoft   awakening_winds3d_player   -               -
awingsoft   awakening_winds3d_viewer   -               -
awingsoft   awakening_winds3d_viewer   -               -

Detection & IOCs (extracted from sources)

filename: WindsPly.ocx
other: WindsPlayerIE.View.1
other: 0x0C0C0C0C
bytes: %00%00%01%00
  • Detect heap spray pattern: repeated 0x0C0C0C0C return address used in exploit targeting WindsPlayerIE.View.1 ActiveX control
  • Monitor for instantiation of the WindsPlayerIE.View.1 ActiveX CLSID/ProgID in browser contexts, especially with long SceneURL property values (offset 8984 bytes triggers overflow)
  • Payload bad characters for this exploit are null byte, tab, newline, carriage return, single quote, and backslash: \x00\x09\x0a\x0d'\ — shellcode in network traffic will avoid these bytes
  • PoC uses a buffer of 8704 'A' characters followed by 4 bytes 'bbbb' and escape sequence %00%00%01%00 to trigger the overflow in WindsPly.ocx SceneURL property
  • Exploit delivery is via HTML page with JavaScript heap spray; page uses http-equiv and javascript refresh methods to leave the page post-exploitation
  • Affected versions of WindsPly.ocx are 3.0.0.5, 3.5.0.0 Beta, and 3.6.0.0 Beta; the Metasploit module targets all Windows XP SP0-SP3 with IE 6.0 SP0-2 and IE 7.0
  • The Metasploit module sets EXITFUNC to 'process' and uses a StackAdjustment of -3500; payload space is limited to 1024 bytes
  • This is a different vulnerability from CVE-2009-2386, though both affect the same ActiveX control