Date: Wed, 13 Aug 2003 11:44:14 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "'xenophi1e'" <oliver.lavery@...patico.ca>,
	<bugtraq@...urityfocus.com>, <trihuynh@...up.com>
Subject: RE: Microsoft MCWNDX.OCX ActiveX buffer overflow



I find no "MCWNDX.ocx" on my system nor on google. It may be a Windows
locality issue. Microsoft Multimedia Control fits the description,
though, as you noted. It does have a "FileName" method and uses the .mci
filetype, but on Windows 2000 it is not a safe ActiveX control for
scripting on webpages in the Internet Zone.


> -----Original Message-----
> From: xenophi1e [mailto:oliver.lavery@...patico.ca]
> Sent: Wednesday, August 13, 2003 10:51 AM
> To: bugtraq@...urityfocus.com
> Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
>
> In-Reply-To: <007201c361df$c311f0c0$329f8018@...ru10ixi0anw>
>
> Does anyone know what the guid for this control is? I don't have it on XP
> with Visual Studio 6 installed.
>
> Could this be the same as the Microsoft Multimedia Control, aka MCI32.OCX?
>
> Cheers,
> ~ol
>
> > Microsoft MCWNDX.OCX ActiveX buffer overflow
> > =================================================
> >
> > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > HOMEPAGE: www.microsoft.com
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
> > to support multimedia programming.
> >
> > DESCRIPTION
> > =================================================
> >
> > MCWNDX is an ActiveX shipped with Visual Studio 6 to support multimedia
> > programming. Although not many people use it anymore, however it still
> > can be called through CLSID in a website and passing a large amount of
> > data to the ActiveX will cause a buffer overflow.
> >
> > Since this ActiveX is only shipped with Visual Studio 6.0, so only
> > people who are having Visual Studio 6.0 will be affected or people
> > who are still using old multimedia programs coded in Visual Studio 6.0
> > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> > VS Sp 4)
> >
> > DETAILS
> > =================================================
> >
> > The ActiveX has a property called "Filename" which is used to specify
> > the .mci file to load. However if it is passed with a very large
> > string (640KB is good enough :-) ), it will cause a buffer overflow.
> > (I can't overwrite the EIP using this overflow in my XP, however it
> > doesn't mean the problem can't be exploited)
> >
> > Microsoft has been notified but since the hole is maybe minor to them so
> > they don't respond to me even a short sentence like "Thank you !"
> >
> > WORKAROUND
> > =================================================
> >
> > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> > below
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> > DISCLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: trihuynh@...up.com
> >
> 
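
Added example (not part of the original messages, and not Microsoft's code): a read-only PowerShell inventory that looks up the CLSID registered for the file names mentioned in this thread and reports whether the registry marks that control safe for scripting or initialization. The function name and output fields are assumptions made for this example; the two category GUIDs are the standard CATID_SafeForScripting and CATID_SafeForInitializing values.

```powershell
# Added example: read-only registry inventory, nothing is modified.
# File names are the ones discussed in the thread; edit the list as needed.
$OcxNames = @('mcwndx.ocx', 'mci32.ocx')

# Component categories that mark a control as safe in the registry.
$SafeCategories = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C42C4}' = 'SafeForInitializing'
}

function Get-OcxSafetyMarking {   # hypothetical helper name
    param([string[]]$FileNames)

    $root = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        try {
            $serverKey = $clsidKey.OpenSubKey('InprocServer32')
            if ($null -eq $serverKey) { continue }

            # The default value of InprocServer32 is the path of the DLL/OCX.
            $server = [string]$serverKey.GetValue('')
            $leaf = ($server.Trim('"') -split '\\')[-1]
            if ($FileNames -notcontains $leaf) { continue }   # case-insensitive

            # A category is implemented when its subkey exists under the CLSID.
            $marks = foreach ($catid in $SafeCategories.Keys) {
                if ($clsidKey.OpenSubKey("Implemented Categories\$catid")) {
                    $SafeCategories[$catid]
                }
            }

            [pscustomobject]@{
                CLSID         = $clsidKey.PSChildName
                FriendlyName  = [string]$clsidKey.GetValue('')
                Server        = $server
                RegistryMarks = if ($marks) { $marks -join ', ' } else { '(none)' }
            }
        } catch {
            # Keys the current user cannot read are skipped.
            continue
        }
    }
}

Get-OcxSafetyMarking -FileNames $OcxNames | Format-List
```

A control can also declare itself safe at run time through the IObjectSafety interface, so a `(none)` result only shows that the registry carries no safe-for-scripting or safe-for-initialization marking.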


