Alerts
Zero-Day Tracker
Common Name:
ADODB.Connection ActiveX
Date Disclosed:
10/27/2006
Date Patched:
2/13/2007
Vendor:
Microsoft
Application:
Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6
Description:
The "Execute" method of the ADODB.Connection.2.7 and ADODB.Connection.2.8 objects allows malicious script to free heap memory in a way that circumvents the script interpreter's memory manager. The second argument to Execute, a variant, is passed to VariantClear, which frees the associated string memory using SysFreeString if the variant represents a BSTR. The script interpreter has no way of knowing that the string memory was freed, and may double-free or re-use the memory after the Execute call returns.
The original proof-of-concept passes references to a single large string as both the second and third arguments of Execute. The string memory is freed when the second argument is passed to VariantClear, and because of its size the memory is decommitted; the code responsible for processing the third argument then accesses the now-freed memory and produces the observed crash. If a smaller string is used, the decommit does not occur, and double-frees and reuse of freed memory therefore become possible.
(With regard to reusing freed memory, one interesting side-effect of freeing BSTR memory is that the length DWORD is overwritten with a free list heap pointer, which is always a large integer value.)
Exploitation is complicated by memory caching and garbage collection behaviors, but arbitrary memory overwrites due to heap corruption have been demonstrated.
Severity:
High
Code Execution:
Yes
Impact:
Arbitrary code execution in the context of the logged-in user
An ActiveX remote code execution vulnerability has a very high impact, since the source of the malicious payload can be any site on the Internet. The problem is even more critical when users are administrators on their local hosts, because the malicious payload then runs with Administrator credentials.
Mitigation:
The best mitigation is to kill-bit the CLSID of the ADODB.Connection ActiveX control (00000514-0000-0010-8000-00AA006D2EA4) following the directions in KB240797. This disables both ActiveX objects, regardless of version.
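The kill-bit mechanism from KB240797 is a registry flag; the following PowerShell is an added example (not part of the eEye advisory) that checks the current state and sets the kill bit for the CLSID named above. It assumes an elevated session and uses the "Compatibility Flags" value of 0x400 that KB240797 documents.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# ADODB.Connection CLSID from the advisory (KB240797 mechanism).
# Assumes: run as Administrator; 0x400 is the documented kill-bit flag.
$Clsid    = '{00000514-0000-0010-8000-00AA006D2EA4}'
$KillBit  = 0x400
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    # 32-bit IE on 64-bit Windows reads the WOW6432Node copy of the key.
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-KillBitState {
    param([string]$Path)
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'not set (control can be loaded by IE)' }
    if (($flags -band $KillBit) -eq $KillBit) {
        return ('kill bit set (Compatibility Flags 0x{0:X})' -f $flags)
    }
    return ('key present but kill bit clear (Compatibility Flags 0x{0:X})' -f $flags)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the flag in so any other compatibility flags already set are preserved.
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($path in $KeyPaths) {
    # Only the WOW6432Node path exists on 64-bit hosts; skip it elsewhere.
    if ($path -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    "Before: $path -> " + (Get-KillBitState $path)
    Set-KillBit $path
    "After:  $path -> " + (Get-KillBitState $path)
}
```

Get-KillBitState alone is enough for an audit pass across a fleet; the Set-KillBit call is what actually applies the mitigation.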
Protection:
- eEye's Blink® Personal Edition protects from this vulnerability.
- eEye's Blink® Professional Edition protects from this vulnerability.
- eEye's Retina® Network Security Scanner scans devices to detect for this vulnerability.
Patch:
Microsoft Security Advisory (927779)
Links:
CVE-2006-5559
MSRC Blog Post
First Public PoC Code Disclosure (Denial of Service)
Status:
11/29/2006: Exploitability Confirmed
2/13/2007: MS07-009 Patch Released
