CVE-2008-4385

Systemrequirementslab System Requirements Lab - Code Injection

Title source: rule

Description

Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs via by specifiying a malicious website argument to the Init method in (1) a certain ActiveX control (sysreqlab2.cab, sysreqlab.dll, sysreqlabsli.dll, or sysreqlab2.dll) and (2) a certain Java applet in RLApplet.class in sysreqlab2.jar or sysreqlab.jar.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/16552

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by MC · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb

View Code ZIP pw:eip

References (7)

[Vendor Advisory] http://secunia.com/advisories/32236

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/166651

[Various Sources] http://www.sec-consult.com/files/20081016-0_sysreqlab.txt

[Vendor Advisory] http://www.systemrequirementslab.com/bulletins/security_bulletin_1.html

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/45873

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/497400

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/31752

Scores

EPSS 0.7188

EPSS Percentile 98.7%

Details

CWE

CWE-94

Status published

Products (1)

systemrequirementslab/system_requirements_lab 3

Published Oct 14, 2008

Tracked Since Feb 18, 2026