MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability
Release Date:
October 11, 2005
Date Reported:
September 15, 2005
Patch Development Time (In Days):
26
Severity:
High (Remote Code Execution)
Vendor:
Microsoft
Systems Affected:
Internet Explorer 5 SP4
Internet Explorer 5.5 SP2 - Windows ME
Internet Explorer 6 SP1 - All Windows Operating Systems
Internet Explorer 6 - Windows Server 2003 / Windows Server 2003 SP1
Internet Explorer 6 - Windows XP SP2
Overview:
eEye Digital Security has discovered a vulnerability in the way a Microsoft Design Tools COM object allocates and uses heap memory. An attacker could design a web page or HTML document that exploits the vulnerability in order to execute arbitrary code on the system of a user who views it.
Technical Details:
The Microsoft Design Tools PolyLine Control 2 COM object (hosted in MDT2DD.DLL) allocates memory by calling the function CCUMemMgr::Alloc exported by MDT2FW.DLL, for the global CCUMemMgr class instance g_cumgr, which is also exported by the same DLL. CCUMemMgr::Alloc allocates heap memory using HeapAlloc and will initialize its contents to zeroes if a flag within the class instance is set; however, in this particular case the flag is clear within g_cumgr, so the heap blocks allocated are not filled with zeroes and therefore retain their prior contents.
This condition causes assumptions within MDT2DD.DLL to be violated in at least one exploitable case. The function "ATL::CComCreator>::CreateInstance" calls g_cumgr.Alloc(0xA4) to allocate memory for a new class instance, but if its subsequent initialization fails, the CPolyCtrl::~CPolyCtrl destructor is invoked and attempts to retrieve a pointer to a function table from offset +0x98 within the heap block. At that point the field has not yet been initialized, so the destructor dereferences whatever the block previously held; because an attacker can influence that prior content, the destructor can be made to dereference an attacker-supplied pointer and transfer execution to an arbitrary address.
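The following is an added C example, not eEye's advisory code and not Microsoft's MDT2DD.DLL or MDT2FW.DLL code. It models the pattern described above with hypothetical names (MemMgr, mgr_alloc, PolyCtrl, create_vulnerable, create_hardened): an allocator that only zeroes a block when a flag is set, an object whose function-table pointer lives at offset +0x98 as in the advisory (the object size differs from 0xA4 because the layout is simplified), and a fallible initialization whose failure path runs a destructor that reads that pointer. The destructor returns the pointer it would have called instead of calling through it, so the stale value can be inspected safely; the hardened variant shows the fix of initializing every field the destructor may touch before any step that can fail, and the test also shows that setting the allocator's zero-fill flag closes the same gap. The stale marker value is a constructed placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for CCUMemMgr: one fixed pool handed out one block at a
 * time, so that block reuse is deterministic. zero_fill mirrors the flag the
 * advisory describes; it is clear by default, as in g_cumgr. */
typedef struct {
    int zero_fill;
    unsigned char *pool;
    size_t pool_size;
    int in_use;
} MemMgr;

static unsigned char g_pool[512];
MemMgr g_mgr = { 0, g_pool, sizeof g_pool, 0 };

void *mgr_alloc(MemMgr *m, size_t n) {
    if (m->in_use || n > m->pool_size) return NULL;
    m->in_use = 1;
    if (m->zero_fill) memset(m->pool, 0, n);  /* zeroed only when the flag is set */
    return m->pool;                            /* otherwise prior contents survive */
}

void mgr_free(MemMgr *m, void *p) { (void)p; m->in_use = 0; }

/* The object: a function-table pointer at offset +0x98, as in the advisory. */
typedef struct { int (*release)(void *self); } FnTable;
typedef struct {
    unsigned char other_fields[0x98];
    FnTable *fntab;
} PolyCtrl;

static int real_release(void *self) { (void)self; return 1; }
FnTable g_real_table = { real_release };

/* Constructed placeholder for whatever a previous user of the block left there. */
#define STALE_MARKER ((FnTable *)(uintptr_t)0x41414141u)

/* Simulate an earlier allocation that wrote a pointer where fntab will later live. */
void poison_pool(void) {
    PolyCtrl *prev = mgr_alloc(&g_mgr, sizeof *prev);
    if (prev) { prev->fntab = STALE_MARKER; mgr_free(&g_mgr, prev); }
}

/* Fallible initialization: models "subsequent initialization fails". */
static int init_ctrl(PolyCtrl *c, int fail) {
    if (fail) return -1;
    c->fntab = &g_real_table;
    return 0;
}

/* What the destructor reads at +0x98; returned rather than dereferenced so a
 * stale value is observable without calling through it. */
static FnTable *destructor_reads(PolyCtrl *c) { return c->fntab; }

/* Shared lifecycle: init, then destroy (on failure or at the end). */
static FnTable *run_lifecycle(PolyCtrl *c, int fail_init) {
    FnTable *seen;
    (void)init_ctrl(c, fail_init);   /* on failure fntab is left untouched */
    seen = destructor_reads(c);      /* the destructor's read of the field */
    mgr_free(&g_mgr, c);
    return seen;
}

/* Vulnerable ordering: fntab is first written inside init, so when init fails the
 * destructor reads whatever the unzeroed block already contained. */
FnTable *create_vulnerable(int fail_init) {
    PolyCtrl *c = mgr_alloc(&g_mgr, sizeof *c);
    if (!c) return NULL;
    return run_lifecycle(c, fail_init);
}

/* Hardened ordering: every field the destructor may touch gets a safe value
 * immediately after allocation, before anything that can fail. */
FnTable *create_hardened(int fail_init) {
    PolyCtrl *c = mgr_alloc(&g_mgr, sizeof *c);
    if (!c) return NULL;
    c->fntab = NULL;                 /* a NULL check in the destructor is now meaningful */
    return run_lifecycle(c, fail_init);
}

int main(void) {
    poison_pool();
    printf("vulnerable, init fails: fntab=%p (stale)\n", (void *)create_vulnerable(1));
    poison_pool();
    printf("hardened,   init fails: fntab=%p (safe NULL)\n", (void *)create_hardened(1));
    g_mgr.zero_fill = 1;             /* the allocator-side fix */
    poison_pool();
    printf("vulnerable + zero_fill: fntab=%p (zeroed)\n", (void *)create_vulnerable(1));
    return 0;
}
```

Either fix alone removes the stale read: the object-side fix does not depend on allocator behaviour, which matters when the allocator is shared with code that cannot afford zeroing, while the allocator-side flag protects every caller at once.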
Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.
Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx
Credit:
Discovery: Fang Xing
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Retina Network Security Scanner - Japanese Edition- http://www.sse.co.jp/eeye/index.html
Greetings:
Thanks to Derek and the eEye guys for helping me analyze and write the advisory; greetz to the xfocus and venus-tech lab guys.
Copyright (c) 1998-2008 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.