Open Source and information security mailing list archives
Message-ID: <000001c361ec$f6003250$2b02a8c0@dcopley>
From: dcopley at eeye.com (Drew Copley)
Subject: Microsoft MCWNDX.OCX ActiveX buffer overflow


> -----Original Message-----
> From: Jason Coombs [mailto:jasonc@...ence.org] 
> Sent: Wednesday, August 13, 2003 12:36 PM
> To: Thor Larholm; Tri Huynh; bugtraq@...urityfocus.com
> Subject: RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX 
> buffer overflow
> 
> 
> What about pointing the OBJECT tag codebase to a known, or 
> probable, location on the victim's own hard drive?

It apparently is not on people's systems, is the point. If it is not the
multimedia control and there is such an ActiveX, then Thor is correct,
and it can simply be pointed at remotely.

> 
> ActiveX never implemented any type of "same origin policy" 
> the way JavaScript does, so a local codebase reference should 
> work as a technique to silently activate any Microsoft-signed 
> ActiveX control.

Partly true, though I can't run files using ActiveX on your system
locally; there are various checks now in place.

> 
> But I could be mistaken, this is commentary from memory not 
> experimental result.
> 
> I'd much rather spend my time conducting security audits of 
> Linux and trying to help those companies threatened by SCO's 
> copyright claims defend themselves in court.
> 

I would rather be home, watching television, or playing a video game.
Actually, it would be nice to be surfing now. From a purely fantastical
viewpoint, I suppose bounty hunting would be a bit funner, or perhaps
being a professional hitman. 

Now, back to complete seriousness. 

> Jason Coombs
> jasonc@...ence.org
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of 
> Thor Larholm
> Sent: Wednesday, August 13, 2003 8:22 AM
> To: Tri Huynh; bugtraq@...urityfocus.com
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX 
> buffer overflow
> 
> 
> The MCWNDX.OCX binary is digitally signed by Microsoft, and 
> as such you can plant it on the user's machine just by 
> pointing the codebase attribute of your OBJECT tag to an 
> archived copy of the file on your own server.
> 
> This also applies to other outdated ActiveX controls, even 
> when a newer (patched) version exists and is installed on the 
> user's machine; you can still re-introduce the old, buggy 
> version since it is digitally signed by Microsoft.
> 
> 
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
> 
> 
> 
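The standard mitigation for the downgrade problem Thor describes (an old, still validly signed control being pulled back in through an OBJECT codebase) is the Internet Explorer "kill bit": setting bit 0x400 of the `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` stops IE from instantiating that CLSID no matter which version of the OCX is present. The following PowerShell is an added example for checking and setting that bit; it is not part of the thread or of any Microsoft tooling. The CLSID is a placeholder, since the thread does not give the control's CLSID; substitute the real one from the control's registration under `HKCR\CLSID`.

```powershell
# Added example (not from the thread): inspect and set the ActiveX kill bit
# for a given CLSID. Bit 0x400 in "Compatibility Flags" marks the control as
# never-instantiable in Internet Explorer, which blocks re-introduction of an
# old signed copy via <OBJECT codebase=...>.

$KillBitFlag = 0x400
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return 0 }
    $props = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # Returns $true when the kill bit is already set for the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatibilityFlags -Clsid $Clsid
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    # Sets the kill bit while preserving any other flags already present.
    # Requires an elevated (Administrator) session because it writes to HKLM.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    $newFlags = (Get-CompatibilityFlags -Clsid $Clsid) -bor $KillBitFlag
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $newFlags -Force | Out-Null
}

# Placeholder CLSID (assumption): replace with the real CLSID of the control.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

if (Test-ActiveXKillBit -Clsid $Clsid) {
    "Kill bit already set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid; run: Set-ActiveXKillBit -Clsid '$Clsid' (as Administrator)"
}
```

On 64-bit Windows the 32-bit IE process reads the same path under `HKLM\SOFTWARE\Wow6432Node\...`, so a complete deployment sets the bit under both roots; in practice this is usually pushed via Group Policy rather than by hand.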

