Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

[jelmer <jkuperus () planet nl>]

thats why they set kill bits

----- Original Message ----- 
From: "Thor Larholm" <thor () pivx com>
To: "Tri Huynh" <trihuynh () zeeup com>; <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, August 13, 2003 8:21 PM
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


> The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you
can
> plant it on the users machine just by pointing the codebase attribute of
your
> OBJECT tag to an archived copy of the file on your own server.
>
> This also applies to other outdated ActiveX controls, even when a newer
> (patched)  version exists and is installed on the users machine you can
still
> re-introduce the old, buggy version since it is digitally signed by
Microsoft.
> Regards
> Thor Larholm
> PivX Solutions, LLC - Senior Security Researcher
>
> ----- Original Message ----- 
> From: "Tri Huynh" <trihuynh () zeeup com>
> Subject: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
>
>
> >  Microsoft MCWNDX.OCX ActiveX buffer overflow
> >  =================================================
> >
> >  PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > HOMEPAGE:  www.microsoft.com
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
to
> > support multimedia programming.
> >
> >  DESCRIPTION
> >  =================================================
> >
> >  MCWNDX is an activeX shipped with Visual Studio 6 to
> > support multimedia programming. Although not many people use it anymore,
> > however it still can be called through CLSID in a website and passing a
> > large amount of data to the activex will cause an buffer overflow.
> >
> > Since this Activex is only shipped with VIsual Studio 6.0, so only
> > people who are having Visual Studio 6.0 will be affected or people
> > who are still using old multimedia programs coded in Visual Studio 6.0
> > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> > VS Sp 4)
> >
> >
> >  DETAILS
> >  =================================================
> >  The ActiveX has a property called "Filename" which is used to specify
> > the .mci file to load. However if it is passed with a very large
> > string(640KB
> > is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite
the
> > EIP using this overflow in my XP, however it doesn't mean the problem
can't
> > be exploited)
> >
> > Microsoft has been noticed but since the hole is maybe minor to them so
> > they don't response to me even a short sentence like "Thank you !"
> >
> >
> >
> >  WORKAROUND
> >  =================================================
> >
> >  Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> > below
> >
> >
> > CREDITS
> >  =================================================
> >
> >  Discovered by Tri Huynh from Sentry Union
> >
> >
> >  DISLAIMER
> >  =================================================
> >
> >  The information within this paper may change without notice. Use of
> >  this information constitutes acceptance for use in an AS IS condition.
> >  There are NO warranties with regard to this information. In no event
> >  shall the author be liable for any damages whatsoever arising out of
> >  or in connection with the use or spread of this information. Any use
> >  of this information is at the user's own risk.
> >
> >
> >  FEEDBACK
> >  =================================================
> >
> >  Please send suggestions, updates, and comments to: trihuynh () zeeup com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html