Vulnerability CVE-2006-5559


Published: 2006-10-27   Modified: 2012-02-12

Description:
The Execute method in the ADODB.Connection 2.7 and 2.8 ActiveX control objects (ADODB.Connection.2.7 and ADODB.Connection.2.8) in the Microsoft Data Access Components (MDAC) 2.5 SP3, 2.7 SP1, 2.8, and 2.8 SP1 does not properly track freed memory when the second argument is a BSTR, which allows remote attackers to cause a denial of service (Internet Explorer crash) and possibly execute arbitrary code via certain strings in the second and third arguments.

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Affected software:
Microsoft -> Data access components

 References:
http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx
http://research.eeye.com/html/alerts/zeroday/20061027.html
http://securitytracker.com/id?1017127
http://www.kb.cert.org/vuls/id/589272
http://www.securityfocus.com/bid/20704
http://www.us-cert.gov/cas/techalerts/TA07-044A.html
http://www.vupen.com/english/advisories/2007/0578
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-009
https://exchange.xforce.ibmcloud.com/vulnerabilities/29837
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A214

Copyright 2021, cxsecurity.com
