activeX.txt
Posted Oct 16, 2003
Authored by Cesar Cerrudo

Security Advisory detailing original research from the Microsoft Local Troubleshooter ActiveX control buffer overflow that affects all versions of Microsoft Windows 2000.

tags | advisory, overflow, local, activex
systems | windows
SHA-256 | 3123057a0e33003e32d0c1dcbd81e7c68fe2683392807470c9f4cf6b670e203b

Security Advisory

Name: Microsoft Local Troubleshooter ActiveX control buffer overflow.
System Affected: Microsoft Windows 2000 (all versions).
Severity: High
Remote exploitable: Yes
Author: Cesar Cerrudo.
Date: 10/16/03
Advisory Number: CC100309


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute
parts of it without the author's written permission.
You may NOT use it for commercial intentions
(this means include it in vulnerabilities databases,
vulnerabilities scanners, any paid service,
etc.) without the author's written permission. You are
free to use Microsoft details
for commercial intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard
disclaimer applies, especially the fact that Cesar
Cerrudo is not liable for any damages caused
by direct or indirect use of the information or
functionality provided by this advisory.
Cesar Cerrudo bears no responsibility for content or
misuse of this advisory or any derivatives thereof.



Overview:

Microsoft Local Troubleshooter is an ActiveX control. What it does is not
documented, but some research shows that the control is used by the
Microsoft Windows Troubleshooting help. The control is installed by
default on Windows 2000 operating systems. When one of its methods is
called with a long string, a buffer overflow occurs.


Details:

This ActiveX control has a few methods and properties. One of the
methods, "RunQuery2", overflows a buffer when it is called with a long
string in its first parameter.


To reproduce the overflow, copy and paste the following into an HTML
file and open it in Internet Explorer:

------sample.htm-----------
<object id="test"
classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF" >
</object>
<script>
test.RunQuery2("longstringhere","","");
</script>
---------------------------


The Microsoft Local Troubleshooter ActiveX control is marked as safe for
scripting and safe for initialization, so the sample above runs without
being blocked under the default Internet Explorer security
configuration.
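Because the control is marked safe for scripting, the usual host-side mitigation is to set the Internet Explorer "kill bit" for its CLSID so that IE refuses to instantiate it at all, regardless of zone settings. The following is an added example (not part of this advisory, and not Microsoft's tooling) that audits whether the kill bit is present for a list of CLSIDs. It assumes the documented kill-bit location: a DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, where bit 0x400 means "do not load". The registry reader is injectable so the decision logic can be exercised with a constructed fake registry on a non-Windows machine; the second CLSID in the fake registry is a made-up placeholder.

```python
"""Audit the Internet Explorer kill bit for ActiveX CLSIDs (added example)."""
import sys

# CLSID taken from the advisory's sample page, in the braced form the registry uses.
TROUBLESHOOTER_CLSID = "{4B106874-DD36-11D0-8B44-00A024DD9EFF}"
# Kill bit value in the "Compatibility Flags" DWORD (documented IE mechanism).
KILL_BIT = 0x00000400
# Per-CLSID subkeys live under this HKLM path.
COMPAT_KEY_ROOT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def compat_key_path(clsid):
    """Return the HKLM subkey that holds Compatibility Flags for one CLSID."""
    clsid = clsid.strip()
    if not clsid.startswith("{"):
        clsid = "{" + clsid + "}"
    return COMPAT_KEY_ROOT + "\\" + clsid.upper()


def kill_bit_set(flags):
    """True when the kill bit is present; a missing value (None) means not killed."""
    return flags is not None and (flags & KILL_BIT) == KILL_BIT


def read_flags_from_registry(clsid):
    """Read the Compatibility Flags DWORD from HKLM on Windows; None if absent."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("registry lookup only works on Windows")
    import winreg  # standard library on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, compat_key_path(clsid)) as key:
            value, kind = winreg.QueryValueEx(key, "Compatibility Flags")
    except FileNotFoundError:
        return None  # key or value not present: control is not killed
    return int(value) if kind == winreg.REG_DWORD else None


def audit_controls(clsids, read_flags=read_flags_from_registry):
    """Map each CLSID to 'killed' or 'allowed' using the supplied flag reader."""
    return {c: ("killed" if kill_bit_set(read_flags(c)) else "allowed")
            for c in clsids}


# Constructed fake registry so the logic can run off-Windows (assumption, not real data).
FAKE_REGISTRY = {
    compat_key_path(TROUBLESHOOTER_CLSID): 0x400,                  # patched host
    compat_key_path("{00000000-0000-0000-0000-000000000001}"): 0,  # placeholder, not killed
}


def fake_read_flags(clsid):
    """Registry reader backed by FAKE_REGISTRY; unknown CLSIDs read as absent."""
    return FAKE_REGISTRY.get(compat_key_path(clsid))


if __name__ == "__main__":
    reader = read_flags_from_registry if sys.platform.startswith("win") else fake_read_flags
    targets = [TROUBLESHOOTER_CLSID, "{00000000-0000-0000-0000-000000000001}"]
    for clsid, state in audit_controls(targets, reader).items():
        print(clsid, state)
```

On a Windows 2000 host the script reads the live registry; elsewhere it falls back to the constructed fake so the decision path can still be checked. A control whose key is absent is reported as "allowed", which is the state the advisory describes for an unpatched default install.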

This vulnerability can be exploited through XSS, by sending the victim
an HTML e-mail, or by social engineering a user into opening a specially
constructed HTML page. Exploitation of this vulnerability could allow an
attacker to execute code of his choice on the victim's computer.
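Since the delivery vectors are HTML e-mail and web pages, a mail gateway or web proxy can look for the pattern the sample above shows: an <object> tag carrying this control's CLSID together with a RunQuery2 call whose first string literal is far longer than any legitimate troubleshooter query. The following is an added example (not part of this advisory) of such a content check in Python. The 256-character threshold is an assumption, since the advisory does not state the exact length that overflows; both sample documents are constructed here for illustration.

```python
"""Flag HTML content that instantiates the Local Troubleshooter control and
calls RunQuery2 with an oversized first argument (added detection example)."""
import re
from html.parser import HTMLParser

# CLSID from the advisory's sample page (unbraced, upper-case for comparison).
TROUBLESHOOTER_CLSID = "4B106874-DD36-11D0-8B44-00A024DD9EFF"
# Assumed threshold: the advisory gives no exact overflow length.
MAX_SANE_ARG_LEN = 256

# <ident>.RunQuery2("first arg", ...) -- captures the first string literal.
_RUNQUERY2_RE = re.compile(
    r"\.\s*RunQuery2\s*\(\s*(['\"])(.*?)\1", re.IGNORECASE | re.DOTALL)


class _ObjectScanner(HTMLParser):
    """Collects classid attributes of <object> tags and bodies of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.classids = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            for name, value in attrs:
                if name.lower() == "classid" and value:
                    self.classids.append(value)
        elif tag.lower() == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so collect them here.
        if self._in_script:
            self.scripts.append(data)


def normalize_clsid(value):
    """Strip an optional 'clsid:' prefix and braces, upper-case the rest."""
    v = value.strip()
    if v.lower().startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip("{}").upper()


def scan_html(html, max_len=MAX_SANE_ARG_LEN):
    """Return {'instantiates': bool, 'oversized_calls': [lengths]} for one document."""
    parser = _ObjectScanner()
    parser.feed(html)
    parser.close()
    instantiates = any(normalize_clsid(c) == TROUBLESHOOTER_CLSID for c in parser.classids)
    oversized = []
    for script in parser.scripts:
        for match in _RUNQUERY2_RE.finditer(script):
            arg_len = len(match.group(2))
            if arg_len > max_len:
                oversized.append(arg_len)
    return {"instantiates": instantiates, "oversized_calls": oversized}


def is_suspicious(result):
    """Both conditions must hold: the control is loaded and RunQuery2 gets a long string."""
    return result["instantiates"] and bool(result["oversized_calls"])


# Constructed samples: a short, plausible query versus the overflow pattern.
BENIGN_SAMPLE = """<html><body>
<object id="ts" classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF"></object>
<script>ts.RunQuery2("printer", "", "");</script>
</body></html>"""

SUSPICIOUS_SAMPLE = """<object id="test"
classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF" >
</object>
<script>
test.RunQuery2("%s","","");
</script>""" % ("A" * 2000)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, scan_html(doc), is_suspicious(scan_html(doc)))
```

The check only recognises a long string written out as a literal, which is the form the advisory's sample uses; a string assembled at run time by script (concatenation in a loop, for example) would not match, so this is a cheap first-pass filter rather than a substitute for patching or setting the kill bit.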



Vendor Status:

Microsoft was contacted, we worked together, and Microsoft released a
fix.


Patch Available:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-042.asp



Thanks to: Jimmers and Brett Moore.


SQL SECURITY LIST!!!: For people interested in SQL Server security,
vulnerabilities, SQL injection, etc. Get advisories and vulnerabilities
before anyone else!!! Join at:
sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/


