lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed Oct 12 22:55:34 2005
From: Advisories at (
Subject: [EEYEB20050915] - MDT2DD.DLL COM Object
	Uninitialized Heap Memory Vulnerability

MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability

Release Date:
October 11, 2005

Date Reported:
September 15, 2005

High (Code Execution)


Systems Affected:
Internet Explorer 5 SP4
Internet Explorer 5.5 SP2 - Windows ME
Internet Explorer 6 SP1 - All Windows Operating Systems
Internet Explorer 6 - Windows Server 2003 / Windows Server 2003 SP1
Internet Explorer 6 - Windows XP SP2

eEye ID#:  EEYEB20050915
OSVDB ID#: 2692
CVE #:  CAN-2005-2127

eEye Digital Security has discovered a vulnerability in the way a
Microsoft Design Tools COM object allocates and uses heap memory.  An
attacker could design a web page or HTML document that exploits the
vulnerability in order to execute arbitrary code on the system of a user
who views it.

Technical Details:
The Microsoft Design Tools PolyLine Control 2 COM object (hosted in
MDT2DD.DLL) allocates memory by calling the function CCUMemMgr::Alloc
exported by MDT2FW.DLL, for the global CCUMemMgr class instance g_cumgr
which is also exported by the same.  CCUMemMgr::Alloc allocates heap
memory using HeapAlloc, and will initialize its contents to zeroes if a
flag within the class instance is set; however, in this particular case,
the flag is clear within g_cumgr, so the heap blocks allocated are not
filled with zeroes and therefore retain their prior contents.

This condition causes assumptions within MDT2DD.DLL to be violated in at
least one exploitable case. The function "ATL::CComCreator<class
ATL::CComPolyObject<class CPolyCtrl>>::CreateInstance" calls
g_cumgr.Alloc(0xA4) to allocate memory for a new class instance, but if
its subsequent initialization fails, the CPolyCtrl::~CPolyCtrl
destructor is invoked and attempts to retrieve a pointer to a function
table from offset +0x98 within the heap block.  At this point, that
field has not been initialized, so the destructor code can be made to
dereference an attacker-supplied pointer and transfer execution to an
arbitrary address.

Retina, Network Security Scanner, has been updated to be able to
identify this vulnerability.
For more information on Retina visit: 

Blink, Endpoint Vulnerability Prevention, already provides protection
from attacks based on this vulnerability.
For more information on Blink visit:

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:

Fang Xing

Thanks Derek and eEye guys help me analyze and write the advisory,
greetz xfocus and venus-tech lab's guys.

Copyright (c) 1998-2005 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email for permission.

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

Powered by blists - more mailing lists