MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability Release Date: October 11, 2005 Date Reported: September 15, 2005 Severity: High (Code Execution) Vendor: Microsoft Systems Affected: Internet Explorer 5 SP4 Internet Explorer 5.5 SP2 - Windows ME Internet Explorer 6 SP1 - All Windows Operating Systems Internet Explorer 6 - Windows Server 2003 / Windows Server 2003 SP1 Internet Explorer 6 - Windows XP SP2 eEye ID#: EEYEB20050915 OSVDB ID#: 2692 CVE #: CAN-2005-2127 Overview: eEye Digital Security has discovered a vulnerability in the way a Microsoft Design Tools COM object allocates and uses heap memory. An attacker could design a web page or HTML document that exploits the vulnerability in order to execute arbitrary code on the system of a user who views it. Technical Details: The Microsoft Design Tools PolyLine Control 2 COM object (hosted in MDT2DD.DLL) allocates memory by calling the function CCUMemMgr::Alloc exported by MDT2FW.DLL, for the global CCUMemMgr class instance g_cumgr which is also exported by the same. CCUMemMgr::Alloc allocates heap memory using HeapAlloc, and will initialize its contents to zeroes if a flag within the class instance is set; however, in this particular case, the flag is clear within g_cumgr, so the heap blocks allocated are not filled with zeroes and therefore retain their prior contents. This condition causes assumptions within MDT2DD.DLL to be violated in at least one exploitable case. The function "ATL::CComCreator<class ATL::CComPolyObject<class CPolyCtrl>>::CreateInstance" calls g_cumgr.Alloc(0xA4) to allocate memory for a new class instance, but if its subsequent initialization fails, the CPolyCtrl::~CPolyCtrl destructor is invoked and attempts to retrieve a pointer to a function table from offset +0x98 within the heap block. At this point, that field has not been initialized, so the destructor code can be made to dereference an attacker-supplied pointer and transfer execution to an arbitrary address. Protection: Retina, Network Security Scanner, has been updated to be able to identify this vulnerability. For more information on Retina visit: http://www.eEye.com/Retina Blink, Endpoint Vulnerability Prevention, already provides protection from attacks based on this vulnerability. For more information on Blink visit: http://www.eEye.com/Blink Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx Credit: Fang Xing Greetings: Thanks Derek and eEye guys help me analyze and write the advisory, greetz xfocus and venus-tech lab's guys. Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.