Message-ID: <ILEPILDHBOLAHHEIMALBKEKGGHAA.jasonc@science.org>
From: jasonc at science.org (Jason Coombs)
Subject: Microsoft MCWNDX.OCX ActiveX buffer overflow

What about pointing the OBJECT tag codebase to a known, or probable, location
on the victim's own hard drive?

ActiveX never implemented any type of "same origin policy" the way JavaScript
does, so a local codebase reference should work as a technique to silently
activate any Microsoft-signed ActiveX control.

But I could be mistaken; this is commentary from memory, not an experimental
result.

I'd much rather spend my time conducting security audits of Linux and trying
to help those companies threatened by SCO's copyright claims defend themselves
in court.

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer
overflow


The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can
plant it on the user's machine just by pointing the codebase attribute of your
OBJECT tag to an archived copy of the file on your own server.

This also applies to other outdated ActiveX controls; even when a newer
(patched) version exists and is installed on the user's machine, you can still
re-introduce the old, buggy version since it is digitally signed by Microsoft.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher


