RE: Microsoft MCWNDX.OCX ActiveX buffer overflow

["Drew Copley" <dcopley () eeye com>]

I find no "MCWNDX.ocx" on my system nor on google. It may be a Windows
locality issue. Microsoft Multimedia Control fits the description,
though, as you noted. It does have a "FileName" method and uses the .mci
filetype, but on Windows 2000 it is not a safe activex control for
scripting on webpages in the Internet Zone.


> -----Original Message-----
> From: xenophi1e [mailto:oliver.lavery () sympatico ca] 
> Sent: Wednesday, August 13, 2003 10:51 AM
> To: bugtraq () securityfocus com
> Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
>
>
> In-Reply-To: <007201c361df$c311f0c0$329f8018@youru10ixi0anw>
>
>
>
> Does anyone know what the guid for this control is? I don't 
> have it on XP 
>
> with Visual Studio 6 installed. 
>
>
>
> Could this be the same as the Microsoft Multimedia Control, aka 
>
> MCI32.OCX? 
>
>
>
> Cheers,
>
> ~ol
>
>
>
> > Microsoft MCWNDX.OCX ActiveX buffer overflow
>
> > =================================================
>
> >
>
> > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
>
> > HOMEPAGE:  www.microsoft.com
>
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with 
> Visual Studio 6 
> > to
>
> > support multimedia programming.
>
> >
>
> > DESCRIPTION
>
> > =================================================
>
> >
>
> > MCWNDX is an activeX shipped with Visual Studio 6 to
>
> > support multimedia programming. Although not many people use it 
> > anymore,
>
> > however it still can be called through CLSID in a website 
> and passing a
>
> > large amount of data to the activex will cause an buffer overflow.
>
> >
>
> > Since this Activex is only shipped with VIsual Studio 6.0, so only
>
> > people who are having Visual Studio 6.0 will be affected or people
>
> > who are still using old multimedia programs coded in Visual 
> Studio 6.0
>
> > (In my PC, the last date the ActiveX is patched is in 1996 ! 
> I am using
>
> > VS Sp 4)
>
> >
>
> >
>
> > DETAILS
>
> > =================================================
>
> > The ActiveX has a property called "Filename" which is used 
> to specify
>
> > the .mci file to load. However if it is passed with a very large
>
> > string(640KB
>
> > is good enough :-) ), it will cause a bufferoverflow. (I can't 
> > overwrite
>
> the
>
> > EIP using this overflow in my XP, however it doesn't mean the problem
>
> can't
>
> > be exploited)
>
> >
>
> > Microsoft has been noticed but since the hole is maybe minor 
> to them so
>
> > they don't response to me even a short sentence like "Thank you !"
>
> >
>
> >
>
> >
>
> > WORKAROUND
>
> > =================================================
>
> >
>
> > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
>
> > using 2000 or XP or in your SYSTEM directory if you are 
> using WIN ME or
>
> > below
>
> >
>
> >
>
> > CREDITS
>
> > =================================================
>
> >
>
> > Discovered by Tri Huynh from Sentry Union
>
> >
>
> >
>
> > DISLAIMER
>
> > =================================================
>
> >
>
> > The information within this paper may change without notice. Use of
>
> > this information constitutes acceptance for use in an AS IS 
> condition.
>
> > There are NO warranties with regard to this information. In no event
>
> > shall the author be liable for any damages whatsoever arising out of
>
> > or in connection with the use or spread of this information. Any use
>
> > of this information is at the user's own risk.
>
> >
>
> >
>
> > FEEDBACK
>
> > =================================================
>
> >
>
> > Please send suggestions, updates, and comments to: 
> trihuynh () zeeup com
>
> >
>
> >
>
> >