Internet Explorer VML rect fill buffer overflow

2006-09-20T00:00:00
ID SAINT:6A37B01591A310C332C01DD4BCA3324B
Type saint
Reporter SAINT Corporation
Modified 2006-09-20T00:00:00

Description

Added: 09/20/2006
CVE: CVE-2006-4868
BID: 20096
OSVDB: 28946

Background

Vector Markup Language (VML) is an XML-based format for vector graphics.

Problem

A buffer overflow in Internet Explorer when processing VML code allows remote command execution using a long **fill** parameter within a **rect** tag.

Resolution

http://www.microsoft.com/technet/security/advisory/925568.mspx

References

<http://www.us-cert.gov/cas/techalerts/TA06-262A.html>

Limitations

Exploit works on Internet Explorer 6.0 and requires a user to load the exploit page in a vulnerable browser.

There may be a delay before the exploit succeeds due to the large amount of memory required on the target.

Platforms

Windows