Bugtraq mailing list archives
Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
From: jelmer <jkuperus () planet nl>
Date: Wed, 13 Aug 2003 04:32:51 +0200
thats why they set kill bits ----- Original Message ----- From: "Thor Larholm" <thor () pivx com> To: "Tri Huynh" <trihuynh () zeeup com>; <bugtraq () securityfocus com> Cc: <full-disclosure () lists netsys com> Sent: Wednesday, August 13, 2003 8:21 PM Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you
can
plant it on the users machine just by pointing the codebase attribute of
your
OBJECT tag to an archived copy of the file on your own server. This also applies to other outdated ActiveX controls, even when a newer (patched) version exists and is installed on the users machine you can
still
re-introduce the old, buggy version since it is digitally signed by
Microsoft.
Regards Thor Larholm PivX Solutions, LLC - Senior Security Researcher ----- Original Message ----- From: "Tri Huynh" <trihuynh () zeeup com> Subject: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflowMicrosoft MCWNDX.OCX ActiveX buffer overflow ================================================= PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW HOMEPAGE: www.microsoft.com VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
to
support multimedia programming. DESCRIPTION ================================================= MCWNDX is an activeX shipped with Visual Studio 6 to support multimedia programming. Although not many people use it anymore, however it still can be called through CLSID in a website and passing a large amount of data to the activex will cause an buffer overflow. Since this Activex is only shipped with VIsual Studio 6.0, so only people who are having Visual Studio 6.0 will be affected or people who are still using old multimedia programs coded in Visual Studio 6.0 (In my PC, the last date the ActiveX is patched is in 1996 ! I am using VS Sp 4) DETAILS ================================================= The ActiveX has a property called "Filename" which is used to specify the .mci file to load. However if it is passed with a very large string(640KB is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite
the
EIP using this overflow in my XP, however it doesn't mean the problem
can't
be exploited) Microsoft has been noticed but since the hole is maybe minor to them so they don't response to me even a short sentence like "Thank you !" WORKAROUND ================================================= Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are using 2000 or XP or in your SYSTEM directory if you are using WIN ME or below CREDITS ================================================= Discovered by Tri Huynh from Sentry Union DISLAIMER ================================================= The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. FEEDBACK ================================================= Please send suggestions, updates, and comments to: trihuynh () zeeup com_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Microsoft MCWNDX.OCX ActiveX buffer overflow Tri Huynh (Aug 13)
- Message not available
- Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow jelmer (Aug 14)
- Message not available
- <Possible follow-ups>
- Re: Microsoft MCWNDX.OCX ActiveX buffer overflow xenophi1e (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Drew Copley (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Oliver Lavery (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Drew Copley (Aug 13)