[ISN] ADVISORY: MSN Messenger OCX Buffer Overflow

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:06:26 PDT

  • Next message: InfoSec News: "[ISN] Prosecutors say crime spree wreaked havoc"

    From: "Marc Maiffret" <marcat_private>
    
    MSN Messenger OCX Buffer Overflow
    
    Release Date:
    5/8/2002
    
    Severity:
    High (Remote code execution)
    
    Systems Affected:
    Microsoft MSN Chat Control
    Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat
    control Microsoft Exchange Instant Messenger 4.5 and 4.6, which
    includes the MSN Chat control
    
    Description:
    A vulnerability has been discovered in the parameter handling of the
    MSN Messenger OCX. By exploiting this vulnerability, an attacker can
    supply and execute code on any machine on which MSN Messenger with the
    activex is installed.
    
    The vulnerability exists because of how MSN Messenger handles data
    passed to it which can lead to a buffer overflow scenario. The buffer
    overflow can be exploited via email, web, or through any other method
    where Internet Explorer is used to display HTML that an attacker
    supplies, including software that uses the web browser ActiveX
    control.
    
    All users of Internet Explorer are potentially affected because this
    is a Microsoft signed OCX. Users that have not installed Microsoft
    Messenger or that have not upgraded Microsoft Messenger can only be
    affected if they accept the pop-up "Install Now" signed by Microsoft.
    All Internet Explorer users should install the update.
    
    Example:
    
    <object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
    height="523">
    <param name="_cx" value="12039">
    <param name="_cy" value="13838">
    <param name="BackColor" value="50331647">
    <param name="ForeColor" value="43594547">
    <param name="RedirectURL" value="">
    <param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
    </object>
    
    Technical Description:
    
    MSNChat ocx is an ActiveX object installed with Microsoft Messenger.
    Proper bounds checking is not in place in the ResDLL parameter. By
    supplying a very large buffer, we can overwrite a significant portion
    of the stack, including saved return addresses and exception handlers.
    
    Even if users do not have Messenger installed, the ActiveX can be
    called from the codebase tag which would prompt the user to install
    the ActiveX with Microsoft's credentials because the OCX is signed by
    Microsoft.
    
    Vulnerability identifier: CAN-2002-0155
    
    Vendor Status:
    Microsoft has released a security bulletin and patch. For more information
    visit:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
    bulletin/MS02-022.asp
    
    Credit:
    Discovery: Drew Copley
    
    Greetings: Mom, Dad, and all of the little people that helped me and
    believed in me - oh - and a big YO HO to the homeboyz in the h00d.
    
    Copyright (c) 1998-2002 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express
    consent of eEye. If you wish to reprint the whole or any part of this
    alert in any other medium excluding electronic medium, please e-mail
    alertat_private for permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:43:24 PDT