[NT] MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability (MS05-052)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/12/05

    To: list@securiteam.com
    Date: 12 Oct 2005 09:27:19 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MDT2DD.DLL COM Object Uninitialized Heap Memory Vulnerability (MS05-052)
    ------------------------------------------------------------------------

    SUMMARY

    eEye Digital Security has discovered a vulnerability in the way a
    Microsoft Design Tools COM object allocates and uses heap memory. An
    attacker could design a web page or HTML document that exploits the
    vulnerability in order to execute arbitrary code on the system of a user
    who views it.

    DETAILS

    The Microsoft Design Tools PolyLine Control 2 COM object (hosted in
    MDT2DD.DLL) allocates memory by calling the function CCUMemMgr::Alloc
    exported by MDT2FW.DLL on the global CCUMemMgr class instance g_cumgr,
    which is also exported by that DLL. CCUMemMgr::Alloc allocates heap
    memory using HeapAlloc and initializes the block to zeroes only if a
    flag within the class instance is set; in this particular case the flag
    is clear within g_cumgr, so the heap blocks it allocates are not
    zero-filled and therefore retain whatever data previously occupied them.

    This condition causes assumptions within MDT2DD.DLL to be violated in at
    least one exploitable case. The function "ATL::CComCreator<class
    ATL::CComPolyObject<class CPolyCtrl>>::CreateInstance" calls
    g_cumgr.Alloc(0xA4) to allocate memory for a new class instance, but if
    its subsequent initialization fails, the CPolyCtrl::~CPolyCtrl destructor
    is invoked and attempts to retrieve a pointer to a function table from
    offset +0x98 within the heap block. At this point, that field has not
    been initialized, so the destructor code can be made to dereference an
    attacker-supplied pointer and transfer execution to an arbitrary address.
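The allocation pattern described above, modelled in C as an added example (this is not eEye's or Microsoft's code; the names mem_mgr, mgr_alloc, FN_TABLE_OFFSET, safe_release and the stale value 0x1234 are assumptions or constructed for the demonstration). The model shows why a clear zero-fill flag matters: a second object allocated over a region that an earlier object used inherits the earlier function-table pointer at +0x98, and a destructor that reads that field before the constructor has set it calls through stale data. The hardened destructor only calls through the table when the block was zero-initialized and the field is non-NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE        4096
#define OBJ_SIZE         0xA4   /* size passed to g_cumgr.Alloc() per the advisory */
#define FN_TABLE_OFFSET  0x98   /* offset of the function-table pointer the destructor reads */

/* Model of the CCUMemMgr instance: a bump allocator over a pool, zeroing new
 * blocks only when zero_on_alloc is set (the flag that is clear in g_cumgr). */
struct mem_mgr {
    int zero_on_alloc;
    size_t in_use;
    unsigned char pool[POOL_SIZE];
};

/* Model of CCUMemMgr::Alloc: hand out a block, zero-fill only if the flag is set. */
static void *mgr_alloc(struct mem_mgr *m, size_t n) {
    if (m->in_use + n > POOL_SIZE) return NULL;
    void *p = m->pool + m->in_use;
    m->in_use += n;
    if (m->zero_on_alloc) memset(p, 0, n);
    return p;
}

/* Release everything; like a real heap, the old bytes stay in place. */
static void mgr_reset(struct mem_mgr *m) { m->in_use = 0; }

struct fn_table { void (*release)(void *self); };

/* What a destructor sees when it fetches the function-table pointer at +0x98. */
static struct fn_table *read_fn_table(const void *obj) {
    struct fn_table *t;
    memcpy(&t, (const unsigned char *)obj + FN_TABLE_OFFSET, sizeof t);
    return t;
}

/* An earlier object leaves a pointer at +0x98; the region is freed and handed
 * to a new object whose initialization "fails" before +0x98 is written.
 * Returns the pointer value the new object's destructor would read. */
static uintptr_t stale_fn_table_after_realloc(int zero_on_alloc, uintptr_t earlier_value) {
    struct mem_mgr m;
    memset(&m, 0, sizeof m);
    m.zero_on_alloc = zero_on_alloc;

    unsigned char *first = mgr_alloc(&m, OBJ_SIZE);
    memcpy(first + FN_TABLE_OFFSET, &earlier_value, sizeof earlier_value);
    mgr_reset(&m);

    unsigned char *second = mgr_alloc(&m, OBJ_SIZE);   /* same region, no zero-fill if flag clear */
    return (uintptr_t)read_fn_table(second);
}

/* Hardened destructor: only call through a function table that was actually
 * set.  This is only meaningful if the block was zeroed at allocation. */
static int safe_release(void *obj) {
    struct fn_table *t = read_fn_table(obj);
    if (t == NULL || t->release == NULL) return 0;   /* uninitialized: nothing to call */
    t->release(obj);
    return 1;
}

static int demo_release_calls;
static void demo_release(void *self) { (void)self; demo_release_calls++; }
static struct fn_table demo_table = { demo_release };

/* A fully initialized object: zeroed block with a valid table at +0x98. */
static int release_initialized_object(void) {
    unsigned char obj[OBJ_SIZE] = {0};
    struct fn_table *t = &demo_table;
    memcpy(obj + FN_TABLE_OFFSET, &t, sizeof t);
    return safe_release(obj);
}

int main(void) {
    uintptr_t stale = 0x1234;   /* constructed stale value, not a real address */
    printf("flag clear: destructor reads 0x%lx (stale)\n",
           (unsigned long)stale_fn_table_after_realloc(0, stale));
    printf("flag set:   destructor reads 0x%lx (zeroed)\n",
           (unsigned long)stale_fn_table_after_realloc(1, stale));
    printf("safe_release on initialized object: %d\n", release_initialized_object());
    return 0;
}
```

With the flag clear the second occupant of the region reports the first occupant's pointer, which is exactly the state the advisory describes at +0x98 when CPolyCtrl::~CPolyCtrl runs after a failed initialization; with the flag set the field reads as NULL and a destructor that checks for NULL simply skips the call.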

    Vendor Status:
    Microsoft has released a patch for this vulnerability. The patch is
    available at:
    http://www.microsoft.com/technet/security/bulletin/MS05-052.mspx

    CVE Information:
    CAN-2005-2127
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2127

    ADDITIONAL INFORMATION

    The information has been provided by eEye (Advisories@eeye.com).
    The original article can be found at:
    http://www.eeye.com/html/research/advisories/AD20051011d.html


