thats why they set kill bits ----- Original Message ----- From: "Thor Larholm" <thorat_private> To: "Tri Huynh" <trihuynhat_private>; <bugtraqat_private> Cc: <full-disclosureat_private> Sent: Wednesday, August 13, 2003 8:21 PM Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow > The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can > plant it on the users machine just by pointing the codebase attribute of your > OBJECT tag to an archived copy of the file on your own server. > > This also applies to other outdated ActiveX controls, even when a newer > (patched) version exists and is installed on the users machine you can still > re-introduce the old, buggy version since it is digitally signed by Microsoft. > > > Regards > Thor Larholm > PivX Solutions, LLC - Senior Security Researcher > > ----- Original Message ----- > From: "Tri Huynh" <trihuynhat_private> > Subject: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow > > > > > > > > Microsoft MCWNDX.OCX ActiveX buffer overflow > > ================================================= > > > > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW > > HOMEPAGE: www.microsoft.com > > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to > > support multimedia programming. > > > > DESCRIPTION > > ================================================= > > > > MCWNDX is an activeX shipped with Visual Studio 6 to > > support multimedia programming. Although not many people use it anymore, > > however it still can be called through CLSID in a website and passing a > > large amount of data to the activex will cause an buffer overflow. > > > > Since this Activex is only shipped with VIsual Studio 6.0, so only > > people who are having Visual Studio 6.0 will be affected or people > > who are still using old multimedia programs coded in Visual Studio 6.0 > > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using > > VS Sp 4) > > > > > > DETAILS > > ================================================= > > The ActiveX has a property called "Filename" which is used to specify > > the .mci file to load. However if it is passed with a very large > > string(640KB > > is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite the > > EIP using this overflow in my XP, however it doesn't mean the problem can't > > be exploited) > > > > Microsoft has been noticed but since the hole is maybe minor to them so > > they don't response to me even a short sentence like "Thank you !" > > > > > > > > WORKAROUND > > ================================================= > > > > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are > > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or > > below > > > > > > CREDITS > > ================================================= > > > > Discovered by Tri Huynh from Sentry Union > > > > > > DISLAIMER > > ================================================= > > > > The information within this paper may change without notice. Use of > > this information constitutes acceptance for use in an AS IS condition. > > There are NO warranties with regard to this information. In no event > > shall the author be liable for any damages whatsoever arising out of > > or in connection with the use or spread of this information. Any use > > of this information is at the user's own risk. > > > > > > FEEDBACK > > ================================================= > > > > Please send suggestions, updates, and comments to: trihuynhat_private > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 10:18:17 PDT