lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 15 Sep 2006 10:40:53 -0500
From: "Hayes, Bill" <Bill.Hayes@....com>
To: "Tyop Tyip" <tyoptyop@...il.com>, <bugtraq@...urityfocus.com>
Subject: RE: IE ActiveX 0day?

It looks like the flaw is a buffer overflow and not a memory corruption
error.

Initially, FrSIRT has issued an advisory, "Microsoft Internet Explorer
"daxctle.ocx" KeyFrame Memory Corruption Vulnerability", detailing a new
zero-day Internet Explorer exploit. The exploit is reportedly successful
using IE 5.01 SP4, IE 6 SP1, and IE 6 for Windows XP and Windows Server
2003. All Windows platforms supporting these IE versions are affected.
FrSIRT rates this as a critical security risk. Secunia rates this as an
extremely critical security risk. 

FrSIRT claims that by sending a specially-crafted argument to the
DirectAnimation.PathControl" (daxctle.ocx) ActiveX object, a local or
remote attacker can cause a memory corruption error that leads either to
a Denial of Service (DoS) condition, execution of arbitrary code. As a
workaround, FrSIRT is recommending disabling Active Scripting in the
Internet and Local intranet security zones.  This will obvioulsy break a
number of pages.

Symantec SecurityResponse blog states that Symantec researchers have
determined that the flaw in the  DirectAnimation Path ActiveX Control is
in fact a buffer overflow instead of a memory corruption error. Symantec
researchers now believe that the buffer overflow occurs "when IE tries
to instantiate a certain DirectionAnimation COM object as an ActiveX
control."  The blog note says that remote execution of arbitrary code is
possible.

According to Secunia, a partially working exploit is in the wild for
Chinese Windows versions. Additionally, Secunia claims to have created a
fully working exploit for Windows XP SP2.

Both Microsoft and US-CERT have released advisories about the new IE
zero-day exploit. In Microsoft advisory 925444, "Vulnerability in the
Microsoft DirectAnimation Path ActiveX Control Could Allow Remote
Control Execution", MS acknowledges that the problem exists in the
Microsoft DirectAnimation Path ActiveX control, which is included in
Daxctle.ocx. 

In US-CERT advsory "Public Exploit Code for Microsoft DirectAnimation
Path ActiveX Control Vulnerability", US-CERT recommends as a workaround
that ActiveX be disabled in the Restricted zone and the Internet zone.
More information is available in the US-CERT Vulnerability Note
VU#377369, "Microsoft DirectAnimation Path ActiveX control fails to
validate input".

According to the MS advisory, "The Restricted sites zone helps reduce
attacks that could try to exploit this vulnerability by preventing
Active Scripting from being used when reading HTML e-mail messages.
However, if a user clicks a link in an e-mail message, they could still
be vulnerable to this issue through the Web-based attack scenario.

"By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 2000
opens HTML e-mail messages in the Restricted sites zone if the Outlook
E-mail Security Update has been installed. Outlook Express 5.5 Service
Pack 2 opens HTML e-mail messages in the Restricted sites zone if
Microsoft Security Bulletin MS04-018 has been installed."

This does a good job of explaining why MS says "Script ActiveX controls
marked safe for scripting" should be disabled in the Restricted zone.

For a more complete discussion of workarounds see the "Suggested Actions
- Workaround" section of MS Advisory 925444.

Symantec is releasing IPS signatures, but has not yet released any AV
signatures for this exploit. However, I believe they may have a new
generic "bloodhound" exploit signature later today. Nothing yet from
McAfee, Sophos or F-Secure. I'm still checking other AV vendors

ISS has released XPU 24.33 for Network Sensor 7.0 to address this issue.

References:

http://www.us-cert.gov/current/index.html#IE0day
http://www.kb.cert.org/vuls/id/377369
http://www.microsoft.com/technet/security/advisory/925444.mspx
http://www.symantec.com/enterprise/security_response/weblog/2006/09/new_
internet_explorer_0day_vul.html
http://www.securityfocus.com/bid/19738
http://xforce.iss.net/xforce/alerts/id/236
http://www.xsec.org/index.php?module=releases&act=view&type=2&id=20
http://isc.sans.org/diary.php?storyid=1701&rss
http://www.frsirt.com/english/advisories/2006/3593
http://secunia.com/advisories/21910/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4777

-----Original Message-----
From: Tyop Tyip [mailto:tyoptyop@...il.com] 
Sent: Friday, September 15, 2006 3:00 AM
To: bugtraq@...urityfocus.com
Subject: Fwd: IE ActiveX 0day?

Does someone have more informations about a 0day on ActiveX?
Here's my links:

http://www.milw0rm.com/exploits/2358
http://blogs.securiteam.com/index.php/archives/600
http://www.xsec.org/

--
Tyop?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ