Subject: [NT] Additional details on the System Monitor ActiveX buffer overflow
Date: Mon, 6 Nov 2000 07:48:59 +0100

Additional details on the System Monitor ActiveX buffer overflow
------------------------------------------------------------------------

SUMMARY

The USSR Team has found a vulnerability in the Microsoft System Monitor ActiveX control (class id: C4D2D8E0-D1DD-11CE-940F-008029004347, sysmon.ocx). The Value field named "LogFileName" could be used by a malicious web server operator to potentially run code on a visiting user's machine. The vulnerability can only be exploited if ActiveX controls are enabled in Internet Explorer, Outlook or Outlook Express.

DETAILS

Vulnerable systems:
  Microsoft Windows 2000 Server
  Microsoft Windows 2000 Professional
  Microsoft Windows 2000 Advanced Server
  Microsoft Windows 2000 Datacenter Server

Example exploit page:

If a user accesses an HTML page with the above code, IE, Outlook and Outlook Express will crash. The following error message will appear in the event log:

"Application popup: iexplore.exe - Application Error : The instruction at "0x64a8e132" referenced memory at "0x006100dd". The memory could not be "written"."

Online examples:

Warning: Visiting the following pages might cause your browser to crash.

http://www.ussrback.com/microsoft/msmactivex.html
http://www.ussrback.com/microsoft/msmactivex2.html

Patch:

For more information about a patch for this vulnerability see our previous article: ActiveX Parameter Validation vulnerability (Patch available)

ADDITIONAL INFORMATION

The information has been provided by USSR Labs.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
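The advisory above identifies the vulnerable control by its class id and the "LogFileName" PARAM as the overflowed field. As an added, defender-side example that is not part of the advisory or of USSR Labs' material, the following scanner inspects HTML (a mail body, a proxy-captured page) for OBJECT tags instantiating that CLSID whose LogFileName value is oversized; the 260-character cutoff is an assumption for illustration, since the advisory gives no safe length.

```python
# Added example, not from the advisory: flag OBJECT tags that instantiate the
# System Monitor control and pass an oversized LogFileName PARAM.
from html.parser import HTMLParser

SYSMON_CLSID = "C4D2D8E0-D1DD-11CE-940F-008029004347"  # class id from the advisory
MAX_LOGFILENAME = 260                                 # assumed cutoff (MAX_PATH-sized)


def normalize_clsid(value):
    """Drop an optional 'clsid:' prefix and braces, upper-case for comparison."""
    v = (value or "").strip()
    if v.lower().startswith("clsid:"):
        v = v[len("clsid:"):]
    return v.strip("{}").upper()


class SysmonObjectScanner(HTMLParser):
    """Collects (param_name, value_length) for suspicious PARAMs of the control."""

    def __init__(self):
        super().__init__()
        self.in_sysmon_object = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            # Only PARAMs nested in an OBJECT with the vulnerable CLSID matter.
            self.in_sysmon_object = normalize_clsid(a.get("classid")) == SYSMON_CLSID
        elif tag == "param" and self.in_sysmon_object:
            if a.get("name", "").lower() == "logfilename" and len(a.get("value", "")) > MAX_LOGFILENAME:
                self.hits.append(("LogFileName", len(a["value"])))

    def handle_endtag(self, tag):
        if tag == "object":
            self.in_sysmon_object = False


def scan_html(html):
    """Return a list of hits; an empty list means nothing matched."""
    p = SysmonObjectScanner()
    p.feed(html)
    p.close()
    return p.hits


# Constructed samples: a normal-looking instantiation and one with an oversized value.
BENIGN = ('<object classid="clsid:C4D2D8E0-D1DD-11CE-940F-008029004347">'
          '<param name="LogFileName" value="C:\\perflogs\\sample.blg"></object>')
SUSPECT = ('<object classid="CLSID:{c4d2d8e0-d1dd-11ce-940f-008029004347}">'
           '<param name="LogFileName" value="' + "A" * 1024 + '"></object>')

if __name__ == "__main__":
    print("benign :", scan_html(BENIGN))
    print("suspect:", scan_html(SUSPECT))
```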