In pwn2own 2010 Peter Vreugdenhil founder of Vreugdenhil Research, Holland found a vulnerability in Microsoft Data Access Components which allowed him to pwn windows. The vulnerability was a int wrap during heap allocation which was later used to store a bit more information then would fit in there. To be more specific as he explains at his blog -
Inside an HTML file would give you access to what is called an XML Data Island. This is actually acts as an database interface. You can query the XML data, retrieve rows and data and add more rows. The underlying object is an MSAdo object.
The db objects exposes a property called ‘CacheSize’ that you can use to determine how many records it should keep in its cache. Internally the CacheSize is multiplied by 0×4 and then 0×10 is added (I am typing this from memory so I might be a bit off, but the rough data is correct).
You can read about the vulnerability at Vreugdenhil Research .
Pwn2Own – Paper by Peter Vreugdenhil
Like This post ? You can buy me a Beer :)