OSVDB ID: 24517

Title: Microsoft Data Access Components RDS.Dataspace ActiveX Remote Code Execution

Info

Disclosure

Apr 11, 2006

Discovery

Unknown

Dates

Exploit

Jul 21, 2006

Solution

Apr 11, 2006

Description

Microsoft RDS.Dataspace ActiveX control, which is distributed with Microsoft Data Access Components, contains a flaw that may allow an attacker to execute code in the context of the user visiting a malicious web page. No further details have been provided.

Classification

Location: Remote / Network Access, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): disable execution of activeX controls in Internet Explorer

Products

Microsoft Corporation	MDAC	2.8
		2.7
		2.7 SP1
		2.5 SP3
		2.8 SP2
		2.8 SP1

References

Security Tracker: 1015894
Bugtraq ID: 17462
Secunia Advisory ID: 19583 20719
CVE ID: 2006-0003 (see also: NVD)
Milw0rm: 2052
Exploit Database: 2052
Metasploit ID: 24517
Microsoft Knowledge Base Article: 911562
Other Advisory URL: http://community.websense.com/blogs/securitylabs/archive/2010/05/07/phpnuke-org-has-been-compromised.aspx
Generic Exploit URL: http://immunitysec.com
http://metasploit.com/projects/Framework/exploits.html#ie_createobject
http://www.blacksecurity.org/download/61/BL4CK_FR1D4Y_2006-07-21
http://www.saintcorporation.com/cgi-bin/exploit_info/mdac_rds_dataspace
http://www.securityfocus.com/data/vulnerabilities/exploits/bl4ck_ms06_014.py
Mail List Post: http://seclists.org/fulldisclosure/2006/Jul/472
Vendor Specific Advisory URL: http://www.hitachi-support.com/security_e/vuls_e/HS06-013_e/index-e.html
Keyword: MDAC
Microsoft Security Bulletin: MS06-014

Credit

Golan Yosef - Finjan
Stefano Meller - Yarix
Mirko Gatto - Yarix

Direct URL: http://osvdb.org/24517

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Microsoft Corporation

MDAC

References

Credit