[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001101c36143$31517170$0400000a@pluto>
Date: Wed, 13 Aug 2003 04:32:51 +0200
From: jelmer <jkuperus@...net.nl>
To: Thor Larholm <thor@...x.com>, Tri Huynh <trihuynh@...up.com>,
bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
thats why they set kill bits
----- Original Message -----
From: "Thor Larholm" <thor@...x.com>
To: "Tri Huynh" <trihuynh@...up.com>; <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, August 13, 2003 8:21 PM
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
> The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you
can
> plant it on the users machine just by pointing the codebase attribute of
your
> OBJECT tag to an archived copy of the file on your own server.
>
> This also applies to other outdated ActiveX controls, even when a newer
> (patched) version exists and is installed on the users machine you can
still
> re-introduce the old, buggy version since it is digitally signed by
Microsoft.
>
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> ----- Original Message -----
> From: "Tri Huynh" <trihuynh@...up.com>
> Subject: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
>
>
> >
> >
> > Microsoft MCWNDX.OCX ActiveX buffer overflow
> > =================================================
> >
> > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > HOMEPAGE: www.microsoft.com
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
to
> > support multimedia programming.
> >
> > DESCRIPTION
> > =================================================
> >
> > MCWNDX is an activeX shipped with Visual Studio 6 to
> > support multimedia programming. Although not many people use it anymore,
> > however it still can be called through CLSID in a website and passing a
> > large amount of data to the activex will cause an buffer overflow.
> >
> > Since this Activex is only shipped with VIsual Studio 6.0, so only
> > people who are having Visual Studio 6.0 will be affected or people
> > who are still using old multimedia programs coded in Visual Studio 6.0
> > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> > VS Sp 4)
> >
> >
> > DETAILS
> > =================================================
> > The ActiveX has a property called "Filename" which is used to specify
> > the .mci file to load. However if it is passed with a very large
> > string(640KB
> > is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite
the
> > EIP using this overflow in my XP, however it doesn't mean the problem
can't
> > be exploited)
> >
> > Microsoft has been noticed but since the hole is maybe minor to them so
> > they don't response to me even a short sentence like "Thank you !"
> >
> >
> >
> > WORKAROUND
> > =================================================
> >
> > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> > below
> >
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> >
> > DISLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: trihuynh@...up.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists