Vulnerabilities > CVE-2007-0018 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x.

Vulnerable Configurations

Part	Description	Count
Application	Altdo Altdo Convert MP3 Master 1.1 Altdo MP3 Record AND Edit Audio Master 1.2	2
Application	Americanshareware Americanshareware MP3 WAV Converter 3.1.8	1
Application	Audio_Edit_Magic Audio Edit Magic Audio Edit Magic 9.2.3_389	1
Application	Bearshare Bearshare Bearshare 6.0.2.26789	1
Application	Cdburnerxp Cdburnerxp Cdburnerxp PRO 3.0.116	1
Application	Cheetahburner Cheetahburner Cheetah CD Burner 3.56 Cheetahburner Cheetah DVD Burner 1.79	2
Application	Code-It_Softare Code IT Softare Abasic Editor 10.1 Code IT Softare Wave MP3 Editor 10.1	2
Application	Dandans_Digital_Media_Products Dandans Digital Media Products Easy Audio Editor 7.4 Dandans Digital Media Products Full Audio Converter 4.2 Dandans Digital Media Products Music Editing Master 5.2 Dandans Digital Media Products Visual Video Converter 4.4	4
Application	Digital_Borneo Digital Borneo Audio Mixer AND Editor 1.1.0	1
Application	Easy_Ringtone_Maker Easy Ringtone Maker Easy Ringtone Maker 2.0.5	1
Application	Expstudio Expstudio Audio Editor 4.0.2	1
Application	Iaudiosoft.Com Iaudiosoft.Com Absolute MP3 Splitter 2.5.4 Iaudiosoft.Com Absolute Sound Recorder 3.4.5 Iaudiosoft.Com Absolute Video TO Audio Converter 2.7.9	3
Application	Imesh.Com Imesh.Com Imesh 7.0.2.26789	1
Application	J_Hepple_Products J Hepple Products FX Audio Concat 1.2.0_Beta J Hepple Products FX Audio Editor 4.7.11 J Hepple Products FX Audio Tools 7.3.4 J Hepple Products FX Magic Music 5.7.7 J Hepple Products FX Movie Joiner 6.2.8 J Hepple Products FX Movie Joiner AND Splitter 6.2.8 J Hepple Products FX Movie Splitter 6.4.7 J Hepple Products FX NEW Sound 5.1.1 J Hepple Products FX Video Converter 7.51.21	9
Application	Joshua_Mediasoft Joshua Mediasoft Audio Convertor Plus 2.2 Joshua Mediasoft Video Converter Plus 3.01	2
Application	Magicvideosoftare Magicvideosoftare Magic Audio Converter 8.2.6_Build_719 Magicvideosoftare Magic Audio Recorder 5.3.7 Magicvideosoftare Magic Music Editor 5.2.2	3
Application	Mcfunsoft Mcfunsoft Audio Editor 6.3.3_Build_489 Mcfunsoft Audio Recorder FOR Free 6.1 Mcfunsoft Audio Studio 6.6.3_Build_479 Mcfunsoft Ipod Audio Studio 6.2.4 Mcfunsoft Ipod Music Converter 5.1 Mcfunsoft Recording TO Ipod Solution 5.1	6
Application	Mediatox Mediatox Aurora Media Workshop 3.3.25	1
Application	Movavi Movavi Chiliburner 2.3 Movavi Convertmovie 4.4 Movavi DVD TO Ipod 1.0 Movavi Splitmovie 1.4 Movavi Suite 3.5 Movavi Videomessage 1.0	6
Application	Mp3-Soft MP3 Soft MP3 Normalizer 1.03	1
Application	Mystik_Media_Products Mystik Media Products Audioedit Deluxe 4.10 Mystik Media Products Blaze Media PRO 7.0 Mystik Media Products Blaze Mediaconvert 3.4 Mystik Media Products Contextconvert PRO 3.1	4
Application	Nctsoft_Products Nctsoft Products Nctaudioeditor 2.7.1 Nctsoft Products Nctaudiofile2 * Nctsoft Products Nctaudiostudio 2.7.1 Nctsoft Products Nctdialogicvoice 2.7.1	4
Application	Nextlevel_Systems Nextlevel Systems Audio Editor Gold 9.2.5_Build_424 Nextlevel Systems Audio Studio Gold 7.0.1.1_Build_500	2
Application	Quikscribe Quikscribe Quikscribe Player 5.022.05 Quikscribe Quikscribe Recorder 5.021.29	2
Application	Recordnrip Recordnrip Recordnrip 1.0	1
Application	Rmbsoft Rmbsoft Audioconvert 3.1.0.125 Rmbsoft Soundedit PRO 2.1	2
Application	Roemer_Software Roemer Software Easy HI Q Converter 1.7 Roemer Software Easy HI Q Recorder 2.0 Roemer Software Free HI Q Recorder 1.9	3
Application	Sienzo Sienzo Digital Music Mentor 2.6.0.3	1
Application	Smart_Media_Systems Smart Media Systems Power Audio Editor 11.0.1	1
Application	Softdiv_Softare Softdiv Softare Dexster 3.0 Softdiv Softare Ivideomax 3.9 Softdiv Softare MP3 TO WAV Converter 3.0 Softdiv Softare Snosh 1.4 Softdiv Softare Videozilla 2.5	5
Application	Virtual_Cd Virtual CD Virtual CD 6.0.0.7 Virtual CD Virtual CD 7.1.0.2 Virtual CD Virtual CD 8.0.0.6 Virtual CD Virtual CD File Server 7.1.0.3	4
Application	Xrlly_Software Xrlly Software Arial Audio Converter 2.3.40 Xrlly Software Arial Sound Recorder 1.4.3 Xrlly Software Text TO Speech Maker 1.3.8	3
Application	Xwaver.Com Xwaver.Com Magic Audio Editor PRO 10.3.1_Build_476 Xwaver.Com Magic Music Studio PRO 7.0.2.1_Build_500	2

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description	IE NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2. CVE-2007-0018. Remote exploit for windows platform
id	EDB-ID:3808
last seen	2016-01-31
modified	2007-04-27
published	2007-04-27
reporter	shinnai
source	https://www.exploit-db.com/download/3808/
title	Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow Exploit 2

description	NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow. CVE-2007-0018. Remote exploit for windows platform
id	EDB-ID:16603
last seen	2016-02-02
modified	2010-07-03
published	2010-07-03
reporter	metasploit
source	https://www.exploit-db.com/download/16603/
title	NCTAudioFile2 2.x - ActiveX Control SetFormatLikeSample Buffer Overflow

description	IE NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit. CVE-2007-0018. Remote exploit for windows platform
id	EDB-ID:3728
last seen	2016-01-31
modified	2007-04-13
published	2007-04-13
reporter	InTeL
source	https://www.exploit-db.com/download/3728/
title	Microsoft Internet Explorer - NCTAudioFile2.AudioFile ActiveX Remote Overflow Exploit

Metasploit

description	This module exploits a stack buffer overflow in the NCTAudioFile2.Audio ActiveX Control provided by various audio applications. By sending an overly long string to the "SetFormatLikeSample()" method, an attacker may be able to execute arbitrary code.
id	MSF:EXPLOIT/WINDOWS/BROWSER/NCTAUDIOFILE2_SETFORMATLIKESAMPLE
last seen	2020-02-29
modified	2017-07-24
published	2009-12-14
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0018
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb
title	NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow

Packetstorm

data source	https://packetstormsecurity.com/files/download/83184/bearshare_setformatlikesample.rb.txt
id	PACKETSTORM:83184
last seen	2016-12-05
published	2009-11-26
reporter	MC
source	https://packetstormsecurity.com/files/83184/BearShare-6-ActiveX-Control-Buffer-Overflow.html
title	BearShare 6 ActiveX Control Buffer Overflow

data source	https://packetstormsecurity.com/files/download/84571/nctaudiofile2_setformatlikesample.rb.txt
id	PACKETSTORM:84571
last seen	2016-12-05
published	2009-12-31
reporter	MC
source	https://packetstormsecurity.com/files/84571/NCTAudioFile2-v2.x-ActiveX-Control-SetFormatLikeSample-Buffer-Overflow.html
title	NCTAudioFile2 v2.x ActiveX Control SetFormatLikeSample() Buffer Overflow

Summary