Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Browsers :: expl5661.htm

Internet Explorer legacy text control buffer overflow



26th Aug 2002 [SBWID-5661]
COMMAND

	
		Microsoft Internet Explorer legacy text control buffer overflow
	
	

SYSTEMS AFFECTED

	
		All versions IE
	
	

PROBLEM

	
		In  Mark  Litchfield  [mark@ngssoftware.com]  of   NGSSoftware   Insight
		Security Research [http://www.ngssoftware.com] advisory  [#NISR26082002]
		:
		

		Microsoft® ActiveX® controls, formerly known  as  OLE  controls  or  OCX
		controls, are components (or objects) you can insert into a Web page  or
		other  application  to  reuse  packaged   functionality   someone   else
		programmed. Whether you use an ActiveX control (formerly called  an  OLE
		control) or a Java object, Microsoft Visual Basic Scripting Edition  and
		Microsoft Internet Explorer handle it the same way.
		

		 Details

		 *******

		

		An unchecked buffer exists  in  the  ActiveX  control  used  to  display
		specially formatted text. This  could  be  executed  by  encouraging  an
		unsuspecting user to visit a malicious  web  page  including  the  below
		code.
		

		<OBJECT

		   classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"

		   id=lblActiveLbl

		   width=250

		   height=250

		   align=left

		   hspace=20

		   vspace=0

		>

		<PARAM NAME="Angle" VALUE="90">

		<PARAM NAME="Alignment" VALUE="4">

		<PARAM NAME="BackStyle" VALUE="0">

		<PARAM NAME="Caption" VALUE="long char string">

		<PARAM NAME="FontName" VALUE="NGS Software Font">

		<PARAM NAME="FontSize" VALUE="50">

		<PARAM NAME="FontBold" VALUE="1">

		<PARAM NAME="FrColor" VALUE="0">

		</OBJECT>

		

		By supplying an overly long value for the "Caption"  parameter  a  saved
		return address stored on the  stack  will  be  overwritten  allowing  an
		attacker to gain control of Internet Explorer's path of  execution.  Any
		arbitary code would execute in the context of the  logged  on  user.  By
		sending the intended targer a specially crafted e-mail  or  by  enticing
		them to a malicious website an attacker will  be  able  to  gain  remote
		control of that users desktop.
	
	

SOLUTION

	
		NGSSoftware alerted Microsoft to these problems on the 29th April  2002.
		NGSSoftware highly recommend installing Microsoft Patch found at
		

		http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH