[Dshield] 0-day exploit: Microsoft InternetExplorer"Msdds.dll"Remote Code Exe cution Exploit

Orlando Richards orlando.richards at ed.ac.uk
Thu Aug 18 11:19:48 GMT 2005


Network Associates McAfee VirusScan 8 detects (and blocks) the html as:

"JS/Exploit-BO.gen Trojan."

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Joel Esler
> Sent: 18 August 2005 03:08
> To: General DShield Discussion List
> Subject: Re: [Dshield] 0-day exploit: Microsoft 
> InternetExplorer"Msdds.dll"Remote Code Exe cution Exploit
> 
> 
> Just FYI...  Snort will detect this exploit in use...  Sid 2589.
> 
> Joel Esler
> 
> On 8/17/05, Brance Amussen <brance at jhu.edu> wrote:
> > 
> > 
> > I don't think so, I searched 3 machines for the file, none 
> of which had VS installed. The file resides in the microsoft 
> common files folder on all of them.
> > I think almost all MS programs use this dll.
> > 
> > Brance :)_S
> > 
> > 
> > 
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org on behalf of David Taylor
> > Sent: Wed 8/17/2005 6:35 PM
> > To: 'General DShield Discussion List'
> > Subject: Re: [Dshield] 0-day exploit: Microsoft Internet 
> Explorer"Msdds.dll"Remote Code Exe     cution Exploit
> > 
> > Microsoft Visual Studio .NET msdds.dll Remote Code 
> Execution Vulnerability
> > http://www.securityfocus.com/bid/14594/info
> > 
> > I guess this is only if you have Visual Studio .NET installed?
> > 
> > 
> > 
> > ==================================================
> > David Taylor //Sr. Information Security Specialist
> > University of Pennsylvania Information Security
> > Philadelphia PA USA
> > LTR at ISC.UPENN.EDU               (215) 898-1236
> > http://www.upenn.edu/computing/security/
> > ==================================================
> > 
> > SANS - The Twenty Most Critical Internet Security Vulnerabilities
> > http://www.sans.org/top20/
> > 
> > SANS - Internet Storm Center
> > http://isc.sans.org
> > 
> > 
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org]
> > On Behalf Of Fergie (Paul Ferguson)
> > Sent: Wednesday, August 17, 2005 4:33 PM
> > To: list at lists.dshield.org
> > Subject: [Dshield] 0-day exploit: Microsoft Internet Explorer
> > "Msdds.dll"Remote Code Exe cution Exploit
> > 
> > 
> > Uh oh.
> > 
> > Via FrSIRT.
> > 
> > Advisory : FrSIRT/ADV-2005-1450
> > Rated as : Critical
> > http://www.frsirt.com/english/advisories/2005/1450
> > 
> >  * Technical Description *
> > 
> > A critical vulnerability was identified in Microsoft 
> Internet Explorer,
> > which could be exploited by remote attackers to execute 
> arbitrary commands.
> > This issue is due to a memory corruption error when 
> instantiating the
> > "Msdds.dll" object as an ActiveX control via its class 
> identifier (CLSID),
> > which could be exploited by an attacker to take complete 
> control of an
> > affected system via a specially crafted Web page.
> > 
> > This vulnerability has been confirmed with Microsoft 
> Internet Explorer 6 SP2
> > on Windows XP SP2 (fully patched).
> > 
> >  * Exploits *
> > 
> > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > 
> >  * Affected Products *
> > 
> > Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
> > Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
> > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
> > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1
> > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 for
> > Itanium-based Systems
> > Microsoft Internet Explorer 6 for Microsoft Windows Server 
> 2003 with SP1 for
> > Itanium-based Systems
> > Microsoft Internet Explorer 6 for Microsoft Windows Server 
> 2003 x64 Edition
> > Microsoft Internet Explorer 6 for Microsoft Windows XP 
> Professional x64
> > Edition
> > Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
> > Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
> > 
> >  * Solution *
> > 
> > The FrSIRT is not aware of any official supplied patch for 
> this issue.
> > 
> >  * References *
> > 
> > http://www.frsirt.com/english/advisories/2005/1450
> > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > 
> > Exploit:
> > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > 
> > - ferg
> > 
> > 
> > 
> > 
> > 
> > --
> > "Fergie", a.k.a. Paul Ferguson
> >  Engineering Architecture for the Internet
> >  fergdawg at netzero.net or fergdawg at sbcglobal.net
> >  ferg's tech blog: http://fergdawg.blogspot.com/
> > 
> > 
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> > 
> > 
> > 
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> > 
> > 
> > 
> >
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www.dshield.org/mailman/listinfo/list
> 



More information about the list mailing list