Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3430
HistoryAug 26, 2002 - 12:00 a.m.

Microsoft Internet Explorer Legacy Text Control Buffer Overflow (#NISR26082002)

2002-08-2600:00:00
vulners.com
20
JSON

NGSSoftware Insight Security Research Advisory

Name: Microsoft Internet Explorer BufferOverrun
Systems Affected: All versions IE
Severity: Critical
Category: Indirect Remote Buffer Overrun
Vendor URL: http://www.mircosoft.com
Author: Mark Litchfield ([email protected])
Date: 26th August 2002
Advisory number: #NISR26082002

Description

Microsoft® ActiveX® controls, formerly known as OLE controls or OCX
controls, are components (or objects) you can insert into a Web page or
other application to reuse packaged functionality someone else programmed.
Whether you use an ActiveX control (formerly called an OLE control) or a
Java object, Microsoft Visual Basic Scripting Edition and Microsoft Internet
Explorer handle it the same way.

Details

An unchecked buffer exists in the ActiveX control used to display specially
formatted text. This could be executed by encouraging an unsuspecting user
to visit a malicious web page including the below code.

<OBJECT
classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"
id=lblActiveLbl
width=250
height=250
align=left
hspace=20
vspace=0
>
<PARAM NAME="Angle" VALUE="90">
<PARAM NAME="Alignment" VALUE="4">
<PARAM NAME="BackStyle" VALUE="0">
<PARAM NAME="Caption" VALUE="long char string">
<PARAM NAME="FontName" VALUE="NGS Software Font">
<PARAM NAME="FontSize" VALUE="50">
<PARAM NAME="FontBold" VALUE="1">
<PARAM NAME="FrColor" VALUE="0">
</OBJECT>

By supplying an overly long value for the "Caption" parameter a saved return
address stored on the stack will be overwritten allowing an attacker to gain
control of Internet Explorer's path of execution. Any arbitary code would
execute in the context of the logged on user. By sending the intended targer
a specially crafted e-mail or by enticing them to a malicious website an
attacker will be able to gain remote control of that users desktop.

Fix Information

NGSSoftware alerted Microsoft to these problems on the 29th April 2002.
NGSSoftware highly recommend installing Microsoft Patch found at
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Further Information

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

JSON