[Dshield] 0-day exploit: Microsoft InternetExplorer"Msdds.dll"Remote Code Exe cution Exploit

Joel Esler eslerj at gmail.com
Thu Aug 18 11:36:30 GMT 2005


I have heard conflicting reports to say that this file is only
installed with either .NET or Office installed on the box.  Can anyone
confirm?

Joel

On 8/18/05, Orlando Richards <orlando.richards at ed.ac.uk> wrote:
> Network Associates McAfee VirusScan 8 detects (and blocks) the html as:
> 
> "JS/Exploit-BO.gen Trojan."
> 
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org] On Behalf Of Joel Esler
> > Sent: 18 August 2005 03:08
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] 0-day exploit: Microsoft
> > InternetExplorer"Msdds.dll"Remote Code Exe cution Exploit
> >
> >
> > Just FYI...  Snort will detect this exploit in use...  Sid 2589.
> >
> > Joel Esler
> >
> > On 8/17/05, Brance Amussen <brance at jhu.edu> wrote:
> > >
> > >
> > > I don't think so, I searched 3 machines for the file, none
> > of which had VS installed. The file resides in the microsoft
> > common files folder on all of them.
> > > I think almost all MS programs use this dll.
> > >
> > > Brance :)_S
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: list-bounces at lists.dshield.org on behalf of David Taylor
> > > Sent: Wed 8/17/2005 6:35 PM
> > > To: 'General DShield Discussion List'
> > > Subject: Re: [Dshield] 0-day exploit: Microsoft Internet
> > Explorer"Msdds.dll"Remote Code Exe     cution Exploit
> > >
> > > Microsoft Visual Studio .NET msdds.dll Remote Code
> > Execution Vulnerability
> > > http://www.securityfocus.com/bid/14594/info
> > >
> > > I guess this is only if you have Visual Studio .NET installed?
> > >
> > >
> > >
> > > ==================================================
> > > David Taylor //Sr. Information Security Specialist
> > > University of Pennsylvania Information Security
> > > Philadelphia PA USA
> > > LTR at ISC.UPENN.EDU               (215) 898-1236
> > > http://www.upenn.edu/computing/security/
> > > ==================================================
> > >
> > > SANS - The Twenty Most Critical Internet Security Vulnerabilities
> > > http://www.sans.org/top20/
> > >
> > > SANS - Internet Storm Center
> > > http://isc.sans.org
> > >
> > >
> > > -----Original Message-----
> > > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org]
> > > On Behalf Of Fergie (Paul Ferguson)
> > > Sent: Wednesday, August 17, 2005 4:33 PM
> > > To: list at lists.dshield.org
> > > Subject: [Dshield] 0-day exploit: Microsoft Internet Explorer
> > > "Msdds.dll"Remote Code Exe cution Exploit
> > >
> > >
> > > Uh oh.
> > >
> > > Via FrSIRT.
> > >
> > > Advisory : FrSIRT/ADV-2005-1450
> > > Rated as : Critical
> > > http://www.frsirt.com/english/advisories/2005/1450
> > >
> > >  * Technical Description *
> > >
> > > A critical vulnerability was identified in Microsoft
> > Internet Explorer,
> > > which could be exploited by remote attackers to execute
> > arbitrary commands.
> > > This issue is due to a memory corruption error when
> > instantiating the
> > > "Msdds.dll" object as an ActiveX control via its class
> > identifier (CLSID),
> > > which could be exploited by an attacker to take complete
> > control of an
> > > affected system via a specially crafted Web page.
> > >
> > > This vulnerability has been confirmed with Microsoft
> > Internet Explorer 6 SP2
> > > on Windows XP SP2 (fully patched).
> > >
> > >  * Exploits *
> > >
> > > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > >
> > >  * Affected Products *
> > >
> > > Microsoft Internet Explorer 6 SP1 on Microsoft Windows XP SP1
> > > Microsoft Internet Explorer 6 for Microsoft Windows XP SP2
> > > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003
> > > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 SP1
> > > Microsoft Internet Explorer 6 for Microsoft Windows Server 2003 for
> > > Itanium-based Systems
> > > Microsoft Internet Explorer 6 for Microsoft Windows Server
> > 2003 with SP1 for
> > > Itanium-based Systems
> > > Microsoft Internet Explorer 6 for Microsoft Windows Server
> > 2003 x64 Edition
> > > Microsoft Internet Explorer 6 for Microsoft Windows XP
> > Professional x64
> > > Edition
> > > Microsoft Internet Explorer 5.01 SP4 on Microsoft Windows 2000 SP4
> > > Microsoft Internet Explorer 6 SP1 on Microsoft Windows 2000 SP4
> > >
> > >  * Solution *
> > >
> > > The FrSIRT is not aware of any official supplied patch for
> > this issue.
> > >
> > >  * References *
> > >
> > > http://www.frsirt.com/english/advisories/2005/1450
> > > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > >
> > > Exploit:
> > > http://www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php
> > >
> > > - ferg
> > >
> > >
> > >
> > >
> > >
> > > --
> > > "Fergie", a.k.a. Paul Ferguson
> > >  Engineering Architecture for the Internet
> > >  fergdawg at netzero.net or fergdawg at sbcglobal.net
> > >  ferg's tech blog: http://fergdawg.blogspot.com/
> > >
> > >
> > > _______________________________________________
> > > send all posts to list at lists.dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > > http://www.dshield.org/mailman/listinfo/list
> > >
> > >
> > >
> > > _______________________________________________
> > > send all posts to list at lists.dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > send all posts to list at lists.dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> > >
> > >
> > >
> > >
> >
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org
> > To change your subscription options (or unsubscribe), see:
> > http://www.dshield.org/mailman/listinfo/list
> >
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>



More information about the list mailing list