cbcvebase.
CVE-2010-0679
published 2010-02-22

CVE-2010-0679: Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ActiveX control (HyleosChemView.ocx) in Hyleos ChemView 1.9.5.1 allow remote attackers…

Priority: P260 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.13% (98.2th percentile)
Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ActiveX control (HyleosChemView.ocx) in Hyleos ChemView 1.9.5.1 allow remote attackers to execute arbitrary code via a large number of white space characters in the filename argument to the (1) SaveasMolFile and (2) ReadMolFile methods.

Affected

1 range
Vendor | Product | Version range | Fixed in
hyleos | chemview | |

Detection & IOCs (extracted from sources)

filename: HyleosChemView.ocx
other: CLSID: C372350A-1D5A-44DC-A759-767FC553D96C
other: ProgID: HyleosChemView.HLChemView
command: SaveAsMolFile(<overly long argument>)
command: ReadMolFile(<overly long argument>)
other: Heap spray return address: 0x0A0A0A0A
  • Detect instantiation of the vulnerable ActiveX control by its CLSID (C372350A-1D5A-44DC-A759-767FC553D96C) or ProgID (HyleosChemView.HLChemView) in HTML/script content delivered over HTTP.
  • Alert on calls to the SaveAsMolFile or ReadMolFile methods of HyleosChemView.HLChemView with arguments containing large quantities of whitespace characters (spaces/tabs), indicative of buffer-overflow padding.
  • Heap spray detection: look for repeated occurrences of the byte sequence 0x0A0A0A0A in memory or network traffic, used as the return address for the heap spray targeting this vulnerability.
  • Detect JavaScript heap spray patterns (large while-loop NOP sled construction using unescape()) in HTML pages that also reference the HyleosChemView ActiveX CLSID or ProgID.
  • The vulnerable ActiveX control's base address varies between installations, making ROP/return-address targeting unreliable without heap spray; defenders should not rely solely on static return-address signatures.
  • The null byte (0x00) is a bad character for the payload; payloads containing null bytes will be truncated and the exploit will fail, so encoders must avoid this byte.
  • The file-format variant of the exploit also treats 0x0a and 0x20 (newline and space) as bad characters, further constraining payload encoding in that attack vector.
  • The exploit targets only Windows XP SP0–SP3 with IE 6.0 SP0-2 and IE 7.0; other OS/browser combinations are not covered by the known public exploit module.
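One way to combine the detection points above into a single check on HTTP response bodies, as an added example that is not from the original page or from any vendor rule set. The CLSID, ProgID and method names come from the page; the 256-character whitespace threshold, the verdict names and the sample bodies are constructed assumptions.

```python
import re

# Identifiers taken from the page; the threshold is an assumption to tune.
CLSID = "C372350A-1D5A-44DC-A759-767FC553D96C"
PROGID = "HyleosChemView.HLChemView"
METHODS = ("SaveAsMolFile", "ReadMolFile")
WS_RUN_THRESHOLD = 256  # assumed cut-off for "large quantities of whitespace"

# Case-insensitive: the page itself spells the method SaveasMolFile and SaveAsMolFile.
CONTROL_RE = re.compile("|".join(map(re.escape, (CLSID, PROGID))), re.I)
METHOD_RE = re.compile(r"\.\s*(%s)\s*\(" % "|".join(METHODS), re.I)
WS_RE = re.compile(r"[ \t]+")
# unescape() fed the 0x0A0A0A0A fill value, written as %u0a0a pairs or %0a bytes.
SPRAY_RE = re.compile(r"unescape\s*\(\s*[\"'](?:%u0a0a|%0a%0a){2,}", re.I)


def scan(body: str) -> dict:
    """Score one HTTP response body against the indicators listed above."""
    control = bool(CONTROL_RE.search(body))
    methods = sorted({m.group(1).lower() for m in METHOD_RE.finditer(body)})
    longest_ws = max((len(m.group()) for m in WS_RE.finditer(body)), default=0)
    padded = longest_ws >= WS_RUN_THRESHOLD
    spray = bool(SPRAY_RE.search(body))
    if not control:
        verdict = "none"    # whitespace or a fill pattern alone is not specific to this CVE
    elif methods and (padded or spray):
        verdict = "alert"
    else:
        verdict = "review"  # padding may be built at run time, so a short literal proves little
    return {"verdict": verdict, "control": control, "methods": methods,
            "longest_ws_run": longest_ws, "spray": spray}


# Constructed sample bodies (not captured traffic).
OBJ = '<object classid="clsid:%s" id="cv"></object>' % CLSID.lower()
SAMPLES = {
    "padded_call": OBJ + '<script>cv.ReadMolFile("' + " " * 600 + '");</script>',
    "normal_use": OBJ + '<script>cv.readmolfile("caffeine.mol");</script>',
    "unrelated": "<pre>" + " " * 600 + "</pre>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan(body))
```

The "review" verdict exists because a static scan cannot see whitespace that a script assembles at run time; treat any delivery of this control over HTTP as worth a look.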