[Dshield] 0-day exploit: Microsoft Internet Explorer"Msdds.dll"Remote Code Exe cution Exploit

Joel Esler eslerj at gmail.com
Thu Aug 18 02:07:48 GMT 2005


Just FYI...  Snort will detect this exploit in use...  Sid 2589.

Joel Esler

On 8/17/05, Brance Amussen <brance at jhu.edu> wrote:
> 
> 
> I don't think so, I searched 3 machines for the file, none of which had VS installed. The file resides in the microsoft common files folder on all of them.
> I think almost all MS programs use this dll.
> 
> Brance :)_S
> 
> 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org on behalf of David Taylor
> Sent: Wed 8/17/2005 6:35 PM
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] 0-day exploit: Microsoft Internet Explorer"Msdds.dll"Remote Code Exe     cution Exploit
> 
> Microsoft Visual Studio .NET msdds.dll Remote Code Execution Vulnerability
> http://www.securityfocus.com/bid/14594/info
> 
> I guess this is only if you have Visual Studio .NET installed?
> 
> 
> 
> ==================================================
> David Taylor //Sr. Information Security Specialist
> University of Pennsylvania Information Security
> Philadelphia PA USA
> LTR at ISC.UPENN.EDU               (215) 898-1236
> http://www.upenn.edu/computing/security/
> ==================================================
> 
> SANS - The Twenty Most Critical Internet Security Vulnerabilities
> http://www.sans.org/top20/
> 
> SANS - Internet Storm Center
> http://isc.sans.org
> 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Fergie (Paul Ferguson)
> Sent: Wednesday, August 17, 2005 4:33 PM
> To: list at lists.dshield.org
> Subject: [Dshield] 0-day exploit: Microsoft Internet Explorer
> "Msdds.dll"Remote Code Exe cution Exploit
> 
> 
> Uh oh.
> 
> Via FrSIRT.
> 
> Advisory : FrSIRT/ADV-2005-1450
> Rated as : Critical
> http://www.frsirt.com/english/advisories/2005/1450
> 
>  * Technical Description *
> 
> A critical vulnerability was identified in Microsoft Internet Explorer,
> which could be exploited by remote attackers to execute arbitrary commands.
> This issue is due to a memory corruption error when instantiating the
> "Msdds.dll" object as an ActiveX control via its class identifier (CLSID),
> which could be exploited by an attacker to take complete control of an
> affected system via a specially crafted Web page.
> 
> This vulnerability has been confirmed with Microsoft Internet Explorer 6 SP2
> on Windows XP SP2 (fully patched).
> 
>  * Exploits *
> 
> http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> 
>  * Affected Products *
> 
> Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
> Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
> Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
> Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1
> Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 for
> Itanium-based Systems
> Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 with SP1 for
> Itanium-based Systems
> Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition
> Microsoft Internet Explorer 6 for Microsoft Windows XP Professional x64
> Edition
> Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
> Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
> 
>  * Solution *
> 
> The FrSIRT is not aware of any official supplied patch for this issue.
> 
>  * References *
> 
> http://www.frsirt.com/english/advisories/2005/1450
> http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> 
> Exploit:
> http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> 
> - ferg
> 
> 
> 
> 
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg at netzero.net or fergdawg at sbcglobal.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
>



More information about the list mailing list