Date: 13 Aug 2003 17:50:32 -0000
From: xenophi1e <oliver.lavery@...patico.ca>
To: bugtraq@...urityfocus.com
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow


In-Reply-To: <007201c361df$c311f0c0$329f8018@...ru10ixi0anw>


Does anyone know what the guid for this control is? I don't have it on XP 
with Visual Studio 6 installed. 

Could this be the same as the Microsoft Multimedia Control, aka 
MCI32.OCX? 

Cheers,
~ol

> Microsoft MCWNDX.OCX ActiveX buffer overflow
> =================================================
>
> PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
>HOMEPAGE:  www.microsoft.com
>VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to
>support multimedia programming.
>
> DESCRIPTION
> =================================================
>
> MCWNDX is an ActiveX shipped with Visual Studio 6 to
>support multimedia programming. Although not many people use it anymore,
>it can still be called through CLSID in a website, and passing a
>large amount of data to the ActiveX will cause a buffer overflow.
>
>Since this ActiveX is only shipped with Visual Studio 6.0, only
>people who have Visual Studio 6.0 will be affected, or people
>who are still using old multimedia programs coded in Visual Studio 6.0.
>(On my PC, the last date the ActiveX was patched is in 1996! I am using
>VS SP 4.)
>
>
> DETAILS
> =================================================
> The ActiveX has a property called "Filename" which is used to specify
>the .mci file to load. However, if it is passed a very large
>string (640KB is good enough :-) ), it will cause a buffer overflow.
>(I can't overwrite the EIP using this overflow on my XP; however, it
>doesn't mean the problem can't be exploited.)
>
>Microsoft has been notified, but since the hole is maybe minor to them,
>they don't respond to me with even a short sentence like "Thank you!"
>
>
>
> WORKAROUND
> =================================================
>
> Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
>using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
>below
>
>
>CREDITS
> =================================================
>
> Discovered by Tri Huynh from Sentry Union
>
>
> DISCLAIMER
> =================================================
>
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event
> shall the author be liable for any damages whatsoever arising out of
> or in connection with the use or spread of this information. Any use
> of this information is at the user's own risk.
>
>
> FEEDBACK
> =================================================
>
> Please send suggestions, updates, and comments to: trihuynh@...up.com
>
>
>
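
Added example, not part of either message above: one way to answer the GUID question on a given machine is to list every registered COM class whose in-process server is the OCX file in question. `Find-ComClassByServer` is a hypothetical helper name; the two file names passed to it are the two spellings that appear in the quoted advisory.

```powershell
# Added example: find the CLSID(s) registered for a given ActiveX/OCX file.
# Find-ComClassByServer is a hypothetical helper, not a built-in cmdlet.
function Find-ComClassByServer {
    param(
        # One or more OCX/DLL file names to look for (matched case-insensitively).
        [Parameter(Mandatory)] [string[]] $FileName
    )
    # Check both registry views: on 64-bit Windows, 32-bit controls
    # are registered under WOW6432Node.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # InprocServer32's default value holds the path of the implementing file.
            $sub = $key.OpenSubKey('InprocServer32')
            if ($null -eq $sub) { continue }
            $server = [string]$sub.GetValue('')
            $sub.Close()
            if (-not $server) { continue }
            # Strip quotes, then keep only the last path component.
            $leaf = ($server.Trim('"') -split '[\\/]')[-1]
            if ($FileName -contains $leaf) {
                [pscustomobject]@{
                    Clsid  = $key.PSChildName     # the GUID asked about in the reply
                    Name   = $key.GetValue('')    # friendly class name, if any
                    Server = $server              # where the file is registered from
                }
            }
        }
    }
}

# Both spellings used in the quoted advisory.
Find-ComClassByServer -FileName 'MCWNDX.ocx', 'MCIWNDX.OCX' | Format-List
```

No output means no class on that machine is registered against either file name, which is consistent with the control not being installed.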

