From labs@USSRBACK.COM Mon Nov 6 00:33:09 2000 From: USSR Labs To: BUGTRAQ@SECURITYFOCUS.COM Date: Mon, 6 Nov 2000 02:31:55 -0800 Subject: [BUGTRAQ] System Monitor ActiveX Buffer Overflow Vulnerability [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 System Monitor ActiveX Buffer Overflow Vulnerability USSR Advisory Code: USSR-2000057 Public Disclosure Date: November 3, 2000 Vendors Affected: Microsoft Corporation http://www.microsoft.com Systems Affected: Microsoft Windows 2000 Server Microsoft Windows 2000 Professional Microsoft Windows 2000 Advanced Server Microsoft Windows 2000 Datacenter Server Problem: The USSR Team has found a problem in the Microsoft System Monitor ActiveX control (class id: C4D2D8E0-D1DD-11CE-940F-008029004347, sysmon.ocx) in the Value field name "LogFileName",which could be used by malicious user to potentially run code on another user^Òs machine. The vulnerability can only be exploited if ActiveX controls are enabled in Internet Explorer, Outlook or Outlook Express. SPECIAL NOTE: USSR Labs takes no responsibility for the following example. It is provided for educational purposes only. Example evil.html: If a user accesses a page with the above mentioned code imbedded, IE, Outlook and Outlook Express will crash. The following error message will appear in the event log. "Application popup: iexplore.exe - Application Error : The instruction at "0x64a8e132" referenced memory at "0x006100dd". The memory could not be "written". Online examples: http://www.ussrback.com/microsoft/msmactivex.html http://www.ussrback.com/microsoft/msmactivex2.html Vendor Status: Informed: Sunday, September 17, 2000 4:23 PM Contacted: Sunday, September 17, 2000 5:55 PM Patch Available: November 3, 2000 Status: More Information: http://www.microsoft.com/technet/security/bulletin/ms00-085.asp Frequently Asked Questions: Microsoft Security Bulletin MS00-085 http://www.microsoft.com/technet/security/bulletin/fq00-085.asp Microsoft Knowledge Base article Q278511 discusses this issue and will be available soon. Fix: Windows 2000: (can be applied to both Gold and Service Pack 1) http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25532 Related Links: Underground Security Systems Research: http://www.ussrback.com CrunchSp Product: http://www.crunchsp.com About: USSR is an emerging security company based in South America. We are devoted to network security research, vulnerability research, and software protection systems. One of the main objectives of USSR is to develop and implement cutting edge security and protection systems that cater to an evolving market. We believe that the way we implement security solutions can make a difference. CrunchSP is an example, providing a solution to software piracy. Our solutions such as CrunchSP are devoted to protecting your enterprise. On a daily basis, we research, develop, discover and report vulnerability information. We make this information freely available via public forums such as BugTraq, and our advisory board located at http://www.ussrback.com. The USSR is a highly skilled, experienced team. Many USSR programmers, as well as programmers of partners and affiliates, are seasoned professionals, with 12 or more years of industry experience. A knowledge base of numerous computer applications as well as many high and low level programming languages makes USSRback a diverse team of experts prepared to serve the needs of any customer. USSR has assembled some of the world's greatest software developers and security consultants to provide our customers with a wide range of enterprise level services. These services include: * Network Penetration Testing * Security Application development * Application Security Testing and Certification * Security Implementations * Cryptography * Emergency Response Team * Firewalling * Virtual Private Networking * Intrusion Detection * Support and maintenance For more information, please contact us via email at labs@ussrback.com. Copyright (c) 1999-2000 Underground Security Systems Research. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without explicit consent of USSR. If you wish to reprint whole or any part of this alert in any other medium excluding electronic medium, please e-mail labs@ussrback.com for permission. Disclaimer: The information within this paper may change without notice. We may not be held responsible for the use and/or potential effects of these programs or advisories. Use them and read them at your own risk or not at all. You solely are responsible for this judgment. Feedback: If you have any questions, comments, concerns, updates, or suggestions please feel free to send them to: Underground Security Systems Research mail:labs@ussrback.com http://www.ussrback.com -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use iQA/AwUBOgaIm9ybEYfHhkiVEQL9AACfZbM84UMWwahAJaao9LDtxKFqxPgAoIU/ YvT1lzjOJq9abeVZcdiJlrnN =Gs3p -----END PGP SIGNATURE-----