ADVISORY: MSN Messenger OCX Buffer Overflow

[InfoSec News <isn () c4i org>]

From: "Marc Maiffret" <marc () eeye com>

MSN Messenger OCX Buffer Overflow

Release Date:
5/8/2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat
control Microsoft Exchange Instant Messenger 4.5 and 4.6, which
includes the MSN Chat control

Description:
A vulnerability has been discovered in the parameter handling of the
MSN Messenger OCX. By exploiting this vulnerability, an attacker can
supply and execute code on any machine on which MSN Messenger with the
activex is installed.

The vulnerability exists because of how MSN Messenger handles data
passed to it which can lead to a buffer overflow scenario. The buffer
overflow can be exploited via email, web, or through any other method
where Internet Explorer is used to display HTML that an attacker
supplies, including software that uses the web browser ActiveX
control.

All users of Internet Explorer are potentially affected because this
is a Microsoft signed OCX. Users that have not installed Microsoft
Messenger or that have not upgraded Microsoft Messenger can only be
affected if they accept the pop-up "Install Now" signed by Microsoft.
All Internet Explorer users should install the update.

Example:

<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>

Technical Description:

MSNChat ocx is an ActiveX object installed with Microsoft Messenger.
Proper bounds checking is not in place in the ResDLL parameter. By
supplying a very large buffer, we can overwrite a significant portion
of the stack, including saved return addresses and exception handlers.

Even if users do not have Messenger installed, the ActiveX can be
called from the codebase tag which would prompt the user to install
the ActiveX with Microsoft's credentials because the OCX is signed by
Microsoft.

Vulnerability identifier: CAN-2002-0155

Vendor Status:
Microsoft has released a security bulletin and patch. For more information
visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-022.asp

Credit:
Discovery: Drew Copley

Greetings: Mom, Dad, and all of the little people that helped me and
believed in me - oh - and a big YO HO to the homeboyz in the h00d.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert () eEye com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info () eEye com



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.