Microsoft Local Troubleshooter is a poorly documented ActiveX control that is normally used by the Windows troubleshooting help. The control is installed by default on Windows 2000. When one of its methods is called with a long string, a buffer overflow occurs; an attacker can use this overflow to make the control execute arbitrary code.
Credit:
The information has been provided by Cesar.
This ActiveX control has a few methods and properties. One of them, the method "RunQuery2", has a buffer overflow when it is called with a long string in its first parameter.
To reproduce the overflow, just copy-and-paste the following:
------sample.htm-----------
<object id="test" classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF"></object>
<script>
test.RunQuery2("longstringhere","","");
</script>
---------------------------
The Microsoft Local Troubleshooter ActiveX control is marked as safe for scripting and for initialization, so the sample above runs without being blocked under the default Internet Explorer security configuration.
This vulnerability can be exploited through XSS, by sending the victim an HTML e-mail, or by social-engineering a user into opening a specially constructed HTML page. Successful exploitation could allow an attacker to execute code of his choice on the victim's computer.
Vendor Status:
Microsoft released a fix.
For a patch see:
http://www.securiteam.com/windowsntfocus/6K00D1P8KG.html
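The control is reachable from a web page only because it is registered as safe for scripting and initialization. The following PowerShell is an added example, not part of the original advisory: run on a Windows host, it reports whether the control with the CLSID from the sample is registered and carries those safety markings, and sets the Internet Explorer kill bit (Compatibility Flags 0x400) so the control can no longer be instantiated by the browser. The category GUIDs and registry paths are the standard Windows ones; the function names are my own.

```powershell
# Added example: audit and kill-bit the Local Troubleshooter control.
$Clsid = '{4B106874-DD36-11D0-8B44-00A024DD9EFF}'   # CLSID from the sample above

# Standard COM component categories that mark a control "safe" for IE.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# IE reads this key before instantiating any control; bit 0x400 is the kill bit.
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit   = 0x400

function Get-ControlStatus {
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $cats     = "$clsidKey\Implemented Categories"
    $flags    = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Registered       = Test-Path $clsidKey
        SafeForScripting = Test-Path "$cats\$SafeForScripting"
        SafeForInit      = Test-Path "$cats\$SafeForInitializing"
        KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    # Requires administrative rights (writes under HKLM).
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit in so any other compatibility flags already set are kept.
    $new = [int]$existing -bor $KillBit
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

$before = Get-ControlStatus
Write-Output 'Before:'; $before
if ($before.Registered -and -not $before.KillBitSet) { Set-KillBit }
Write-Output 'After:'; Get-ControlStatus
```

The kill bit blocks instantiation even while the control remains registered and marked safe, so it is a useful stopgap until the vendor fix linked above is applied; on 64-bit Windows the same key also exists under Wow6432Node for 32-bit IE.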