
EEYEB-20050915.txt

Posted Oct 12, 2005
Authored by eEye | Site eeye.com

eEye Security Advisory - eEye Digital Security has discovered a vulnerability in the way a Microsoft Design Tools COM object allocates and uses heap memory. An attacker could design a web page or HTML document that exploits the vulnerability in order to execute arbitrary code on the system of a user who views it.

tags | advisory, web, arbitrary
advisories | CVE-2005-2127
SHA-256 | b4712c870bdcac60468002316153f70a792b81b9fe6c673800af6b3c5d03b1bd

MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability

Release Date:
October 11, 2005

Date Reported:
September 15, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Internet Explorer 5 SP4
Internet Explorer 5.5 SP2 - Windows ME
Internet Explorer 6 SP1 - All Windows Operating Systems
Internet Explorer 6 - Windows Server 2003 / Windows Server 2003 SP1
Internet Explorer 6 - Windows XP SP2

eEye ID#: EEYEB20050915
OSVDB ID#: 2692
CVE #: CAN-2005-2127

Overview:
eEye Digital Security has discovered a vulnerability in the way a
Microsoft Design Tools COM object allocates and uses heap memory. An
attacker could design a web page or HTML document that exploits the
vulnerability in order to execute arbitrary code on the system of a user
who views it.

Technical Details:
The Microsoft Design Tools PolyLine Control 2 COM object (hosted in
MDT2DD.DLL) allocates memory by calling CCUMemMgr::Alloc, a function
exported by MDT2FW.DLL, on the global CCUMemMgr instance g_cumgr, which
the same DLL also exports. CCUMemMgr::Alloc allocates heap memory with
HeapAlloc and zero-fills the result only if a flag within the class
instance is set. In this case the flag is clear within g_cumgr, so the
heap blocks it returns are not zeroed and retain whatever the previous
occupant of that memory left behind.

This condition violates assumptions within MDT2DD.DLL in at least one
exploitable case. The function "ATL::CComCreator<class
ATL::CComPolyObject<class CPolyCtrl>>::CreateInstance" calls
g_cumgr.Alloc(0xA4) to allocate memory for a new class instance. If the
subsequent initialization of that instance fails, the CPolyCtrl::~CPolyCtrl
destructor runs and reads a function-table pointer from offset +0x98
within the heap block. Nothing has written that field yet, so it still
holds whatever the previous occupant of the memory left there; an
attacker who arranges the heap contents beforehand therefore controls
that value, and the destructor can be made to dereference an
attacker-supplied pointer and transfer execution to an arbitrary address.
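The allocation and destructor path described above, modelled in C as an
added example (this is not eEye's or Microsoft's code). A bump allocator
over a static arena stands in for HeapAlloc, a zero_init flag stands in
for the CCUMemMgr flag, and pre-filling the arena plays the role of
attacker-groomed heap contents. Only the 0xA4 object size and the +0x98
offset come from the advisory; the function names, the arena, and the
planted value 0x41414141 are constructed. The vulnerable path returns the
value the destructor would dereference as a function-table pointer; the
hardened path zero-fills the block, so the field reads as NULL and the
destructor has nothing to call through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the advisory: 0xA4-byte object, function-table pointer
 * at +0x98. Everything else in this file is a constructed model. */
#define OBJ_SIZE      0xA4
#define FNTAB_OFFSET  0x98

/* Constructed stand-in for the process heap: a static arena with a bump
 * allocator. Pre-filling it makes a fresh block's "prior contents"
 * deterministic, which a real heap is not. */
static unsigned char g_arena[4096];
static size_t g_arena_used;

/* Model of the CCUMemMgr instance: only the zero-fill flag matters here. */
typedef struct { bool zero_init; } MemMgr;

static void *memmgr_alloc(MemMgr *m, size_t n)
{
    if (g_arena_used + n > sizeof g_arena)
        return NULL;
    void *p = g_arena + g_arena_used;
    g_arena_used += n;
    if (m->zero_init)
        memset(p, 0, n);           /* zero-filled only when the flag is set */
    return p;
}

/* Attacker step (constructed): fill the heap with a chosen 32-bit value
 * (IE of that era was a 32-bit process) and release it, so the next
 * allocation of any size inherits the planted bytes. */
static void groom_heap(uint32_t planted)
{
    for (size_t off = 0; off + sizeof planted <= sizeof g_arena; off += sizeof planted)
        memcpy(g_arena + off, &planted, sizeof planted);
    g_arena_used = 0;              /* "freed": contents stay in place */
}

/* What the destructor reads at +0x98. The value is returned instead of
 * being dereferenced so the demonstration is safe to run. */
static uint32_t destructor_reads_fntab(const unsigned char *obj)
{
    uint32_t fntab;
    memcpy(&fntab, obj + FNTAB_OFFSET, sizeof fntab);
    return fntab;                  /* real code would call through this */
}

/* CreateInstance as described: allocate, initialization fails before the
 * +0x98 field is ever written, destructor runs on the half-built object. */
static uint32_t create_instance(MemMgr *m)
{
    unsigned char *obj = memmgr_alloc(m, OBJ_SIZE);
    if (!obj)
        return 0;
    /* ...initialization fails here; +0x98 was never assigned... */
    return destructor_reads_fntab(obj);
}

/* Vulnerable configuration: zero_init clear, as in g_cumgr. */
uint32_t vulnerable_path(uint32_t planted)
{
    MemMgr g_cumgr = { .zero_init = false };
    groom_heap(planted);
    return create_instance(&g_cumgr);
}

/* Hardened configuration: the allocator zero-fills, so the field reads as
 * 0; a destructor must treat 0 as "never initialized" and skip the call. */
uint32_t hardened_path(uint32_t planted)
{
    MemMgr g_cumgr = { .zero_init = true };
    groom_heap(planted);
    return create_instance(&g_cumgr);
}

int main(void)
{
    printf("vulnerable: destructor sees fntab = 0x%08x\n", vulnerable_path(0x41414141u));
    printf("hardened:   destructor sees fntab = 0x%08x\n", hardened_path(0x41414141u));
    return 0;
}
```

The zero-fill is only half of a fix: a destructor that reads 0 at +0x98
still has to check for it before calling through the pointer, otherwise
the bug becomes a NULL dereference instead of an arbitrary call.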

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx

Credit:
Fang Xing

Greetings:
Thanks to Derek and the eEye guys for helping me analyze and write the
advisory; greetz to xfocus and venus-tech lab's guys.

Copyright (c) 1998-2005 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in
any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.