[NT] Microsoft Internet Explorer Legacy Text Control Buffer Overflow

From: support@securiteam.com
Date: 08/27/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 27 Aug 2002 08:55:45 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft Internet Explorer Legacy Text Control Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Microsoft® ActiveX® controls, formerly known as OLE controls or OCX
controls, are components (or objects) you can insert into a Web page or
other application to reuse packaged functionality someone else programmed.
Whether you use an ActiveX control (formerly called an OLE control) or a
Java object, Microsoft Visual Basic Scripting Edition and Microsoft
Internet Explorer handle it the same way.

DETAILS

An unchecked buffer exists in the ActiveX control used to display
specially formatted text. This could be exploited by encouraging an
unsuspecting user to visit a malicious web page that includes the code
below.

<0BJECT
   classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"
   id=lblActiveLbl
   width=250
   height=250
   align=left
   hspace=20
   vspace=0
>
<PARAM NAME="Angle" VALUE="90">
<PARAM NAME="Alignment" VALUE="4">
<PARAM NAME="BackStyle" VALUE="0">
<PARAM NAME="Caption" VALUE="long char string">
<PARAM NAME="FontName" VALUE="NGS Software Font">
<PARAM NAME="FontSize" VALUE="50">
<PARAM NAME="FontBold" VALUE="1">
<PARAM NAME="FrColor" VALUE="0">
</OBJECT>

(Note: the letter O has been replaced with a 0.)

By supplying an overly long value for the "Caption" parameter, a saved
return address stored on the stack will be overwritten, allowing an
attacker to gain control of Internet Explorer's path of execution. Any
arbitrary code would execute in the context of the logged-on user. By
sending the intended target a specially crafted e-mail, or by enticing them
to a malicious website, an attacker will be able to gain remote control of
that user's desktop.
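
For defenders reviewing stored pages or HTML mail on hosts that have not yet received the patch, the following added example (not part of the NGSSoftware advisory) scans markup for the control's CLSID and reports the length of its "Caption" parameter. The names `scan` and `sample` and the 256-character threshold are assumptions; the advisory does not state the size of the buffer.

```python
from html.parser import HTMLParser

# CLSID of the affected control, copied from the advisory's sample markup.
LABEL_CLSID = "99b42120-6ec7-11cf-a6c7-00aa00a47dd2"
# Assumption: the advisory states no buffer size, so this review threshold is arbitrary.
MAX_CAPTION = 256


class LabelControlScanner(HTMLParser):
    """Records every <OBJECT> that instantiates the control and its Caption length."""

    def __init__(self, max_caption=MAX_CAPTION):
        super().__init__()
        self.max_caption = max_caption
        self.stack = []      # one entry per open <object>; None if it is another control
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # tag and attribute names arrive lower-cased
        if tag == "object":
            clsid = a.get("classid", "").lower().split(":", 1)[-1].strip(" {}")
            hit = None
            if clsid == LABEL_CLSID:
                hit = {"line": self.getpos()[0], "caption_len": 0, "oversized": False}
                self.findings.append(hit)
            self.stack.append(hit)
        elif tag == "param" and self.stack and self.stack[-1] is not None:
            if a.get("name", "").lower() == "caption":
                hit = self.stack[-1]
                hit["caption_len"] = max(hit["caption_len"], len(a.get("value", "")))
                hit["oversized"] = hit["caption_len"] > self.max_caption

    def handle_endtag(self, tag):
        if tag == "object" and self.stack:
            self.stack.pop()


def scan(html, max_caption=MAX_CAPTION):
    """Return one finding per instantiation of the control found in the markup."""
    scanner = LabelControlScanner(max_caption)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not captured traffic) for exercising the scanner.
def sample(caption):
    return ('<html><body>\n<OBJECT classid="CLSID:99B42120-6EC7-11CF-A6C7-00AA00A47DD2" '
            'id=lbl>\n<PARAM NAME="Caption" VALUE="%s">\n</OBJECT></body></html>' % caption)
```

The advisory's own listing, with the tag spelled 0BJECT, yields no finding because it does not parse as an element. A static scan sees only values present in the markup, so on unpatched hosts any instantiation of the control is worth review, not only the oversized ones.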

Fix Information:
NGSSoftware alerted Microsoft to these problems on 29 April 2002.
NGSSoftware highly recommends installing the Microsoft patch found at
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp.

ADDITIONAL INFORMATION

The information has been provided by NGSSoftware Insight Security
Research <nisr@nextgenss.com>.
