Bugtraq mailing list archives

RE: IE ActiveX 0day?

From: "Hayes, Bill" <Bill.Hayes () owh com>
Date: Fri, 15 Sep 2006 10:40:53 -0500
It looks like the flaw is a buffer overflow and not a memory corruption
error.

Initially, FrSIRT has issued an advisory, "Microsoft Internet Explorer
"daxctle.ocx" KeyFrame Memory Corruption Vulnerability", detailing a new
zero-day Internet Explorer exploit. The exploit is reportedly successful
using IE 5.01 SP4, IE 6 SP1, and IE 6 for Windows XP and Windows Server
2003. All Windows platforms supporting these IE versions are affected.
FrSIRT rates this as a critical security risk. Secunia rates this as an
extremely critical security risk. 

FrSIRT claims that by sending a specially-crafted argument to the
DirectAnimation.PathControl" (daxctle.ocx) ActiveX object, a local or
remote attacker can cause a memory corruption error that leads either to
a Denial of Service (DoS) condition, execution of arbitrary code. As a
workaround, FrSIRT is recommending disabling Active Scripting in the
Internet and Local intranet security zones.  This will obvioulsy break a
number of pages.

Symantec SecurityResponse blog states that Symantec researchers have
determined that the flaw in the  DirectAnimation Path ActiveX Control is
in fact a buffer overflow instead of a memory corruption error. Symantec
researchers now believe that the buffer overflow occurs "when IE tries
to instantiate a certain DirectionAnimation COM object as an ActiveX
control."  The blog note says that remote execution of arbitrary code is
possible.

According to Secunia, a partially working exploit is in the wild for
Chinese Windows versions. Additionally, Secunia claims to have created a
fully working exploit for Windows XP SP2.

Both Microsoft and US-CERT have released advisories about the new IE
zero-day exploit. In Microsoft advisory 925444, "Vulnerability in the
Microsoft DirectAnimation Path ActiveX Control Could Allow Remote
Control Execution", MS acknowledges that the problem exists in the
Microsoft DirectAnimation Path ActiveX control, which is included in
Daxctle.ocx. 

In US-CERT advsory "Public Exploit Code for Microsoft DirectAnimation
Path ActiveX Control Vulnerability", US-CERT recommends as a workaround
that ActiveX be disabled in the Restricted zone and the Internet zone.
More information is available in the US-CERT Vulnerability Note
VU#377369, "Microsoft DirectAnimation Path ActiveX control fails to
validate input".

According to the MS advisory, "The Restricted sites zone helps reduce
attacks that could try to exploit this vulnerability by preventing
Active Scripting from being used when reading HTML e-mail messages.
However, if a user clicks a link in an e-mail message, they could still
be vulnerable to this issue through the Web-based attack scenario.

"By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 2000
opens HTML e-mail messages in the Restricted sites zone if the Outlook
E-mail Security Update has been installed. Outlook Express 5.5 Service
Pack 2 opens HTML e-mail messages in the Restricted sites zone if
Microsoft Security Bulletin MS04-018 has been installed."

This does a good job of explaining why MS says "Script ActiveX controls
marked safe for scripting" should be disabled in the Restricted zone.

For a more complete discussion of workarounds see the "Suggested Actions
- Workaround" section of MS Advisory 925444.

Symantec is releasing IPS signatures, but has not yet released any AV
signatures for this exploit. However, I believe they may have a new
generic "bloodhound" exploit signature later today. Nothing yet from
McAfee, Sophos or F-Secure. I'm still checking other AV vendors

ISS has released XPU 24.33 for Network Sensor 7.0 to address this issue.

References:

http://www.us-cert.gov/current/index.html#IE0day
http://www.kb.cert.org/vuls/id/377369
http://www.microsoft.com/technet/security/advisory/925444.mspx
http://www.symantec.com/enterprise/security_response/weblog/2006/09/new_
internet_explorer_0day_vul.html
http://www.securityfocus.com/bid/19738
http://xforce.iss.net/xforce/alerts/id/236
http://www.xsec.org/index.php?module=releases&act=view&type=2&id=20
http://isc.sans.org/diary.php?storyid=1701&rss
http://www.frsirt.com/english/advisories/2006/3593
http://secunia.com/advisories/21910/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4777

-----Original Message-----
From: Tyop Tyip [mailto:tyoptyop () gmail com] 
Sent: Friday, September 15, 2006 3:00 AM
To: bugtraq () securityfocus com
Subject: Fwd: IE ActiveX 0day?

Does someone have more informations about a 0day on ActiveX?
Here's my links:

http://www.milw0rm.com/exploits/2358
http://blogs.securiteam.com/index.php/archives/600
http://www.xsec.org/

--
Tyop?
Current thread:

Fwd: IE ActiveX 0day? Tyop Tyip (Sep 15)
- Re: Fwd: IE ActiveX 0day? H D Moore (Sep 15)
- <Possible follow-ups>
- RE: IE ActiveX 0day? Hayes, Bill (Sep 15)
  - Re: IE ActiveX 0day? Alexander Sotirov (Sep 18)
- Re: Fwd: IE ActiveX 0day? Juha-Matti Laurio (Sep 15)