Bugtraq mailing list archives

RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 13 Aug 2003 15:48:06 -0700



-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org] 
Sent: Wednesday, August 13, 2003 12:36 PM
To: Thor Larholm; Tri Huynh; bugtraq () securityfocus com
Subject: RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


What about pointing the OBJECT tag codebase to a known, or 
probable, location on the victim's own hard drive?

It apparently is not on people's systems, is the point. If it is not the
multimedia control and there is such an ActiveX, then Thor is correct,
and it can simply be pointed at remotely.


ActiveX never implemented any type of "same origin policy" 
the way JavaScript does, so a local codebase reference should 
work as a technique to silently activate any Microsoft-signed 
ActiveX control.

Partly true, though I can't run files using ActiveX on your system
locally; there are various checks now in place.


But I could be mistaken, this is commentary from memory not 
experimental result.




I'd much rather spend my time conducting security audits of 
Linux and trying to help those companies threatened by SCO's 
copyright claims defend themselves in court.


I would rather be home, watching television, or playing a video game.
Actually, it would be nice to be surfing now. From a purely fantastical
viewpoint, I suppose bounty hunting would be a bit more fun, or perhaps
being a professional hitman.

Now, back to complete seriousness. 

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of 
Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


The MCWNDX.OCX binary is digitally signed by Microsoft, and 
as such you can plant it on the user's machine just by 
pointing the codebase attribute of your OBJECT tag to an 
archived copy of the file on your own server.

This also applies to other outdated ActiveX controls: even 
when a newer (patched) version exists and is installed on the 
user's machine, you can still re-introduce the old, buggy 
version since it is digitally signed by Microsoft.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
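The thread above describes re-introducing an outdated but Microsoft-signed control by pointing an OBJECT tag's codebase attribute at an archived copy. The control that addresses this regardless of the signature or of which version is on disk is the per-CLSID kill bit: bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops Internet Explorer instantiating the class at all. The PowerShell function below is an added example, not code from the thread or from any of its participants; it reports whether a given CLSID is kill-bitted and which server binary and file version are currently registered for it. The CLSID in the usage line is a placeholder, not the identifier of MCWNDX.OCX.

```powershell
# Added example (not from the thread): audit the kill-bit state and the
# registered server binary for one ActiveX CLSID.
function Get-ActiveXControlStatus {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid   # braces included, e.g. '{...}'
    )

    # Bit 0x400 in "Compatibility Flags" is the kill bit.
    $killBitFlag = 0x400
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $val = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $val) { $flags = [int]$val }
    }
    $killBitSet = (($flags -band $killBitFlag) -ne 0)

    # Whatever binary is currently registered as the in-process server for
    # this class; its file version tells you which build would be loaded today.
    $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $path = $null
    $version = $null
    if (Test-Path $serverKey) {
        $path = (Get-ItemProperty -Path $serverKey).'(default)'
        if ($path -and (Test-Path $path)) {
            $version = (Get-Item $path).VersionInfo.FileVersion
        }
    }

    [pscustomobject]@{
        Clsid      = $Clsid
        KillBit    = $killBitSet
        Flags      = ('0x{0:X}' -f $flags)
        ServerPath = $path
        Version    = $version
    }
}

# Usage with a placeholder CLSID (substitute the control you are auditing):
Get-ActiveXControlStatus -Clsid '{00000000-0000-0000-0000-000000000000}'
```

A control that reports KillBit = False is still instantiable by Internet Explorer whatever version is installed, so a signed older build served via codebase could be loaded; setting the kill bit closes that path without touching the installed file.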




