Internet Explorer tblinf32.dll ActiveX IObjectsafety vulnerability

2007-08-1700:00:00

SAINT Corporation

download.saintcorporation.com

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.943 High

EPSS

Percentile

99.2%

JSON

Added: 08/17/2007
CVE: CVE-2007-2216
BID: 25289
OSVDB: 36396

Background

The IObjectsafety interface provides methods to get and set safety options for objects which support untrusted clients.

Problem

The tblinf32.dll ActiveX control implements IObjectsafety incorrectly, allowing execution of code from arbitrary DLLs when a user loads a specially crafted web page.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 07-045.

References

<http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx>

Limitations

Exploit works on Microsoft Visual Studio 6.0 on Windows 2000 and XP and requires a user to load the exploit page into Internet Explorer 6 or 7.

As a prerequisite for this exploit, the exploit DLL must be placed on an SMB share which is accessible by the target. To do so, first start the exploit, then download the file http://address:port/exploit1.dll, where address is the address of the SAINTexploit host and port is the exploit port, and save exploit1.dll on the SMB share.

When running the exploit, the share should be specified as COMPUTER/SHARE, where COMPUTER is the NetBIOS name of the computer and SHARE is the name of the share.