Microsoft MCWNDX.OCX ActiveX buffer overflow

From: Tri Huynh (trihuynhat_private)
Date: Wed Aug 13 2003 - 14:13:34 PDT

Next message: SGI Security Coordinator: "[VulnWatch] Denial of Service Vulnerability in NFS on IRIX"

Previous message: G00db0y: "ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability"
Next in thread: xenophi1e: "Re: Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: xenophi1e: "Re: Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: Thor Larholm: "Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: Joey: "[Full-Disclosure] Microsoft urging users to buy Harware Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 Microsoft MCWNDX.OCX ActiveX buffer overflow
 =================================================

 PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
HOMEPAGE:  www.microsoft.com
VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to
support multimedia programming.

 DESCRIPTION
 =================================================

 MCWNDX is an activeX shipped with Visual Studio 6 to
support multimedia programming. Although not many people use it anymore,
however it still can be called through CLSID in a website and passing a
large amount of data to the activex will cause an buffer overflow.

Since this Activex is only shipped with VIsual Studio 6.0, so only
people who are having Visual Studio 6.0 will be affected or people
who are still using old multimedia programs coded in Visual Studio 6.0
(In my PC, the last date the ActiveX is patched is in 1996 ! I am using
VS Sp 4)


 DETAILS
 =================================================
 The ActiveX has a property called "Filename" which is used to specify
the .mci file to load. However if it is passed with a very large
string(640KB
is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite the
EIP using this overflow in my XP, however it doesn't mean the problem can't
be exploited)

Microsoft has been noticed but since the hole is maybe minor to them so
they don't response to me even a short sentence like "Thank you !"



 WORKAROUND
 =================================================

 Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
below


CREDITS
 =================================================

 Discovered by Tri Huynh from Sentry Union


 DISLAIMER
 =================================================

 The information within this paper may change without notice. Use of
 this information constitutes acceptance for use in an AS IS condition.
 There are NO warranties with regard to this information. In no event
 shall the author be liable for any damages whatsoever arising out of
 or in connection with the use or spread of this information. Any use
 of this information is at the user's own risk.


 FEEDBACK
 =================================================

 Please send suggestions, updates, and comments to: trihuynhat_private

Next message: SGI Security Coordinator: "[VulnWatch] Denial of Service Vulnerability in NFS on IRIX"
Previous message: G00db0y: "ZH2003-24SA (security advisory): ChitChat.NET XSS Vulnerability"
Next in thread: xenophi1e: "Re: Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: xenophi1e: "Re: Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: Thor Larholm: "Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow"
Reply: Joey: "[Full-Disclosure] Microsoft urging users to buy Harware Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 10:15:52 PDT