Microsoft Local Troubleshooter ActiveX control buffer overflow

Source: vulners.com, SECURITYVULNS:DOC:5258, published Oct 17, 2003.

Security Advisory

Name: Microsoft Local Troubleshooter ActiveX control buffer overflow.

System Affected : Microsoft Windows 2000 (all versions).

Severity : High

Remote exploitable : Yes

Author: Cesar Cerrudo.

Date: 10/16/03

Advisory Number: CC100309

Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.

You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft details for commercial intentions.

Disclaimer:

The information in this advisory is believed to be true though it may be false.

The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.

Overview:

Microsoft Local Troubleshooter is an ActiveX control. What it does is not documented, but some research shows that the control is used by the Microsoft Windows Troubleshooting help. This control is installed by default on Windows 2000 operating systems. When one of its methods is called with a long string, a buffer overflow occurs.

Details:

This ActiveX control has a few methods and properties. One of the methods, "RunQuery2", has a buffer overflow when it is called with a long string in its first parameter.

To reproduce the overflow just copy-and-paste the following:

------sample.htm-----------
<object id="test" classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF" >
</object>
<script>
test.RunQuery2("longstringhere","","");
</script>


Microsoft Local Troubleshooter ActiveX control is marked as safe for scripting and initialization, so the above sample will run without being blocked in the default Internet Explorer security configuration.

This vulnerability can be exploited through XSS, by sending the victim an HTML e-mail, or by social engineering a user into opening a specially constructed HTML page. Exploitation of this vulnerability could allow an attacker to execute code of his choice on the victim's computer.
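The exposure described above depends on three things an administrator can read from the registry: the control is registered, it is marked safe for scripting (so a web page may call RunQuery2), and Internet Explorer has no kill bit set for its CLSID. The following audit script is an added example written for this page, not code from the advisory or from Microsoft. The CLSID is the one given above; the ActiveX Compatibility key, the 0x400 kill-bit flag and the two component-category GUIDs are the standard Internet Explorer mechanisms. The page does not say whether the MS03-042 fix sets the kill bit, so the script simply reports the state it finds.

```powershell
# Added example: audit the Local Troubleshooter control's Internet Explorer state.
$Clsid            = '{4B106874-DD36-11D0-8B44-00A024DD9EFF}'   # from the advisory
$KillBit          = 0x400                                      # IE "Compatibility Flags" kill bit
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

function Get-ActiveXState {
    param([Parameter(Mandatory)][string]$Id)

    $state = [ordered]@{
        Clsid = $Id; Registered = $false; Server = $null
        SafeForScripting = $false; SafeForInit = $false; KillBit = $false
    }

    # Registration and the component categories the control declares for itself.
    $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Id"
    if (Test-Path $clsKey) {
        $state.Registered = $true
        $state.Server = (Get-ItemProperty -Path "$clsKey\InprocServer32" `
                           -ErrorAction SilentlyContinue).'(default)'
        $cats = "$clsKey\Implemented Categories"
        $state.SafeForScripting = Test-Path "$cats\$SafeForScripting"
        $state.SafeForInit      = Test-Path "$cats\$SafeForInit"
    }

    # Kill bit: IE refuses to instantiate the control when bit 0x400 is set here.
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Id"
    $flags  = (Get-ItemProperty -Path $compat -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -ne $flags -and ($flags -band $KillBit)) { $state.KillBit = $true }

    [pscustomobject]$state
}

$state = Get-ActiveXState -Id $Clsid
$state | Format-List

# The combination the advisory describes: registered, scriptable from a page, no kill bit.
if ($state.Registered -and $state.SafeForScripting -and -not $state.KillBit) {
    Write-Warning "$Clsid is registered, safe for scripting and has no kill bit: a host without the MS03-042 fix is exposed to the sample above."
}
```

A control can also declare itself safe at run time through IObjectSafety rather than through the category keys, so a false SafeForScripting here does not by itself prove the control is unscriptable; the kill bit is the check that settles it.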

Vendor Status:

Microsoft was contacted, we worked together and Microsoft released a fix.

Patch Available:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-042.asp

Thanks to: Jimmers and Brett Moore.

SQL SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc.

Get advisories and vulnerabilities before!!!

Join at:

[email protected]

http://groups.yahoo.com/group/sqlserversecurity/
