MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability

Release Date:
October 11, 2005

Date Reported:
September 15, 2005

Severity:
High (Code Execution)

Vendor:
Microsoft

Systems Affected:
Internet Explorer 5 SP4
Internet Explorer 5.5 SP2 - Windows ME
Internet Explorer 6 SP1 - All Windows Operating Systems
Internet Explorer 6 - Windows Server 2003 / Windows Server 2003 SP1
Internet Explorer 6 - Windows XP SP2

eEye ID#:  EEYEB20050915
OSVDB ID#: 2692
CVE #:  CAN-2005-2127

Overview:
eEye Digital Security has discovered a vulnerability in the way a
Microsoft Design Tools COM object allocates and uses heap memory.  An
attacker could design a web page or HTML document that exploits the
vulnerability in order to execute arbitrary code on the system of a user
who views it.

Technical Details:
The Microsoft Design Tools PolyLine Control 2 COM object (hosted in
MDT2DD.DLL) allocates memory by calling the function CCUMemMgr::Alloc
exported by MDT2FW.DLL, for the global CCUMemMgr class instance g_cumgr
which is also exported by the same.  CCUMemMgr::Alloc allocates heap
memory using HeapAlloc, and will initialize its contents to zeroes if a
flag within the class instance is set; however, in this particular case,
the flag is clear within g_cumgr, so the heap blocks allocated are not
filled with zeroes and therefore retain their prior contents.

This condition causes assumptions within MDT2DD.DLL to be violated in at
least one exploitable case. The function "ATL::CComCreator<class
ATL::CComPolyObject<class CPolyCtrl>>::CreateInstance" calls
g_cumgr.Alloc(0xA4) to allocate memory for a new class instance, but if
its subsequent initialization fails, the CPolyCtrl::~CPolyCtrl
destructor is invoked and attempts to retrieve a pointer to a function
table from offset +0x98 within the heap block.  At this point, that
field has not been initialized, so the destructor code can be made to
dereference an attacker-supplied pointer and transfer execution to an
arbitrary address.

Protection:
Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: http://www.eEye.com/Retina 

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit: http://www.eEye.com/Blink

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx

Credit:
Fang Xing

Greetings:
Thanks Derek and eEye guys help me analyze and write the advisory,
greetz xfocus and venus-tech lab's guys.

Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.