Internet Explorer tblinf32.dll ActiveX IObjectsafety vulnerability

2007-08-17T00:00:00
ID SAINT:CAA28947B2BCC183B12ED091F5146DEA
Type saint
Reporter SAINT Corporation
Modified 2007-08-17T00:00:00

Description

Added: 08/17/2007
CVE: CVE-2007-2216
BID: 25289
OSVDB: 36396

Background

The IObjectSafety interface provides methods to get and set safety options for objects that support untrusted clients.

Problem

The tblinf32.dll ActiveX control implements IObjectSafety incorrectly, allowing execution of code from arbitrary DLLs when a user loads a specially crafted web page.

Resolution

Apply the patch referenced in Microsoft Security Bulletin MS07-045.

References

<http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx>

Limitations

The exploit works on Microsoft Visual Studio 6.0 on Windows 2000 and XP and requires a user to load the exploit page into Internet Explorer 6 or 7.

As a prerequisite for this exploit, the exploit DLL must be placed on an SMB share which is accessible by the target. To do so, first start the exploit, then download the file http://address:port/exploit1.dll, where address is the address of the SAINTexploit host and port is the exploit port, and save exploit1.dll on the SMB share.

When running the exploit, the share should be specified as COMPUTER/SHARE, where COMPUTER is the NetBIOS name of the computer and SHARE is the name of the share.

Platforms

Windows