Microsoft Local Troubleshooter ActiveX control buffer overflow

[Cesar <cesarc56 () yahoo com>]

Security Advisory

Name:  Microsoft Local Troubleshooter ActiveX control
buffer overflow.
System Affected :  Microsoft Windows 2000 (all
versions). 
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    10/16/03
Advisory Number:    CC100309


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute 
parts of it without the author's written permission.
You may NOT use it for commercial intentions 
(this means include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, 
etc.) without the author's written permission. You are
free to use Microsoft details 
for commercial intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard 
disclaimer applies, especially the fact that Cesar
Cerrudo is not liable for any damages caused 
by direct or indirect use of the information or
functionality provided by this advisory. 
Cesar Cerrudo bears no responsibility for content or
misuse of this advisory or any derivatives thereof.



Overview:

Microsoft Local Troubleshooter is an ActiveX control,
it's not documented what it does, 
but doing some research it's possible find out that
the ActiveX control is used in Microsoft Windows 
Troubleshooting help. This control is installed by
default in Windows 2000 operating systems. When one of
its methods is called with a long string a buffer
overflow occurrs.


Details:

This ActiveX control has a few methods and properties,
one of the methods called "RunQuery2" has 
a buffer overflow when it's called with a long string
in first parameter.


To reproduce the overflow just copy-and-paste the
following:

------sample.htm-----------
<object id="test"
classid="CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF" >
</object>
<script>
test.RunQuery2("longstringhere","","");
</script>
---------------------------


Microsoft Local Troubleshooter  ActiveX control is
marked as safe for scripting and initialization, 
so the above sample will run without being blocked in
default Internet Explorer security configuration.

This vulnerability can be exploited through XSS,
sending to a victim an HTML e-mail, 
or social engineering a user to open an HTML page
specially constructed. Explotation of this 
vulnerability could allow an attacker to execute code
of his choice in the victim computer.



Vendor Status:

Microsoft was contacted, we worked together and
Microsoft released a fix.


Patch Available: 

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-042.asp



Thanks to: Jimmers and Brett Moore.


SQL SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Get advisories and vulnerabilities before!!!
Join at:
sqlserversecurity-subscribe () yahoogroups com
http://groups.yahoo.com/group/sqlserversecurity/



__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html