lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001101c36143$31517170$0400000a@pluto>
From: jkuperus at planet.nl (jelmer)
Subject: Microsoft MCWNDX.OCX ActiveX buffer overflow

thats why they set kill bits

----- Original Message ----- 
From: "Thor Larholm" <thor@...x.com>
To: "Tri Huynh" <trihuynh@...up.com>; <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, August 13, 2003 8:21 PM
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


> The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you
can
> plant it on the users machine just by pointing the codebase attribute of
your
> OBJECT tag to an archived copy of the file on your own server.
>
> This also applies to other outdated ActiveX controls, even when a newer
> (patched)  version exists and is installed on the users machine you can
still
> re-introduce the old, buggy version since it is digitally signed by
Microsoft.
>
>
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> ----- Original Message ----- 
> From: "Tri Huynh" <trihuynh@...up.com>
> Subject: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
>
>
> >
> >
> >  Microsoft MCWNDX.OCX ActiveX buffer overflow
> >  =================================================
> >
> >  PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > HOMEPAGE:  www.microsoft.com
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
to
> > support multimedia programming.
> >
> >  DESCRIPTION
> >  =================================================
> >
> >  MCWNDX is an activeX shipped with Visual Studio 6 to
> > support multimedia programming. Although not many people use it anymore,
> > however it still can be called through CLSID in a website and passing a
> > large amount of data to the activex will cause an buffer overflow.
> >
> > Since this Activex is only shipped with VIsual Studio 6.0, so only
> > people who are having Visual Studio 6.0 will be affected or people
> > who are still using old multimedia programs coded in Visual Studio 6.0
> > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> > VS Sp 4)
> >
> >
> >  DETAILS
> >  =================================================
> >  The ActiveX has a property called "Filename" which is used to specify
> > the .mci file to load. However if it is passed with a very large
> > string(640KB
> > is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite
the
> > EIP using this overflow in my XP, however it doesn't mean the problem
can't
> > be exploited)
> >
> > Microsoft has been noticed but since the hole is maybe minor to them so
> > they don't response to me even a short sentence like "Thank you !"
> >
> >
> >
> >  WORKAROUND
> >  =================================================
> >
> >  Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> > below
> >
> >
> > CREDITS
> >  =================================================
> >
> >  Discovered by Tri Huynh from Sentry Union
> >
> >
> >  DISLAIMER
> >  =================================================
> >
> >  The information within this paper may change without notice. Use of
> >  this information constitutes acceptance for use in an AS IS condition.
> >  There are NO warranties with regard to this information. In no event
> >  shall the author be liable for any damages whatsoever arising out of
> >  or in connection with the use or spread of this information. Any use
> >  of this information is at the user's own risk.
> >
> >
> >  FEEDBACK
> >  =================================================
> >
> >  Please send suggestions, updates, and comments to: trihuynh@...up.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ