Full Disclosure mailing list archives

Re: Microsoft MCIWNDX.OCX ActiveX buffer overflow


From: "Tri Huynh" <trihuynh () zeeup com>
Date: Thu, 14 Aug 2003 00:50:17 -0700

Hi, List

I'm very happy with all the supportive feedback. MCIWNDX.OCX was originally
shipped with Visual Studio 5.0 (or VB 5.0) and it is a Microsoft-signed ActiveX
(http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q173/3/52.asp&NoWebContent=1).
However, while most of the ActiveX controls in Visual Studio 5.0 are updated and
patched in VS 6.0, MCIWNDX.OCX is not patched, and a new version of the ActiveX
called MCI32.ocx is introduced. Unfortunately, MCIWNDX.OCX is still shipped on
the Visual Studio 6.0 CD and it is placed in the
"\Common\Tools\Vb\Unsupprt\Mciwindx" folder of the Visual Studio 6.0 Enterprise
Edition Disk 3; the ActiveX is also installed by default in the Enterprise
Edition. Since it is installed by default and registered with a CLSID, it is a
time bomb and should be removed.

As most of us have already noticed, an insecure local ActiveX can be exploited
by making a website that tries to inject shellcode to take control of the
client machine. Although the ActiveX is patched locally, the hacker can still
use the CODEBASE/CLSID properties to instruct the browser to download a
vulnerable Microsoft-signed ActiveX and exploit it.

I haven't seen any widespread ActiveX attacks conducted by hackers yet;
however, since the way IE handles ActiveX by default is insecure, we will
probably see many hacking attempts using this weakness.

Regards,

Tri Huynh
SentryUnion


PS: I just realized that in several places in my recent post I mistakenly
wrote the ActiveX name MCWNDX.OCX instead of MCIWNDX.OCX. :-) Sorry for all
the confusion. Now I figure that coffee and girls do destroy human memory :-)
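As an added example that is not part of this thread: a PowerShell script that inventories every CLSID whose in-process server is MCIWNDX.OCX, which the message above says is registered by default, and optionally sets the Internet Explorer kill bit for it. The kill bit is the standard IE "ActiveX Compatibility" registry mechanism and is not mentioned in the thread; it matters here because, as the thread notes, deleting the file alone does not stop an OBJECT tag's CODEBASE from re-downloading the Microsoft-signed copy. The CLSID is not given in the thread, so the script discovers it from the registry rather than hard-coding it.

```powershell
# Added example, not from the thread. Finds every CLSID whose InprocServer32 is
# MCIWNDX.OCX and optionally sets the IE kill bit for it, which blocks the
# control from being instantiated by a web page even if an OBJECT tag's
# CODEBASE re-downloads the signed copy. Run elevated when using -SetKillBit.
param(
    [string]$ServerName = 'mciwndx.ocx',   # file name of the control to look for
    [switch]$SetKillBit                    # write Compatibility Flags = 0x400
)

# 64-bit hosts also keep a Wow6432Node copy of this key for 32-bit IE.
$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$found = @()

# HKCR\CLSID is the merged view of machine-wide and per-user class registrations.
foreach ($key in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $srv  = Get-ItemProperty -Path (Join-Path $key.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
    $path = $srv.'(default)'
    if (-not $path) { continue }
    # Server paths may be quoted or contain environment variables; compare file names only.
    $expanded = [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
    if ([IO.Path]::GetFileName($expanded) -ieq $ServerName) {
        $found += [pscustomobject]@{
            Clsid  = $key.PSChildName      # e.g. {xxxxxxxx-xxxx-...}, discovered, not hard-coded
            Path   = $path
            OnDisk = Test-Path $expanded   # registration can outlive the file, and vice versa
        }
    }
}

if (-not $found) { Write-Output "No CLSID registered for $ServerName"; return }
$found | Format-Table -AutoSize

if ($SetKillBit) {
    foreach ($hit in $found) {
        $k = Join-Path $killBitRoot $hit.Clsid
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        # 0x400 tells IE never to load this CLSID; the file itself may remain on disk.
        New-ItemProperty -Path $k -Name 'Compatibility Flags' -PropertyType DWord `
            -Value 0x400 -Force | Out-Null
        Write-Output "Kill bit set for $($hit.Clsid)"
    }
}
```

Without -SetKillBit the script only reports; an empty result on a machine that shipped with VS 6.0 Enterprise is worth a second look, since the control may have been unregistered but left on disk.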

----- Original Message ----- 
From: "Drew Copley" <dcopley () eeye com>
To: <jasonc () science org>; "'Thor Larholm'" <thor () pivx com>; "'Tri Huynh'"
<trihuynh () zeeup com>; <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, August 13, 2003 3:48 PM
Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, August 13, 2003 12:36 PM
To: Thor Larholm; Tri Huynh; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX
buffer overflow


What about pointing the OBJECT tag codebase to a known, or
probable, location on the victim's own hard drive?

It apparently is not on people's systems, is the point. If it is not the
multimedia control and there is such an ActiveX, then Thor is correct,
and it can simply be pointed at remotely.


ActiveX never implemented any type of "same origin policy"
the way JavaScript does, so a local codebase reference should
work as a technique to silently activate any Microsoft-signed
ActiveX control.

Partly true, though I can't run files using ActiveX on your system
locally; there are various checks now in place.


But I could be mistaken, this is commentary from memory not
experimental result.

I'd much rather spend my time conducting security audits of
Linux and trying to help those companies threatened by SCO's
copyright claims defend themselves in court.


I would rather be home, watching television, or playing a video game.
Actually, it would be nice to be surfing now. From a purely fantastical
viewpoint, I suppose bounty hunting would be a bit funner, or perhaps
being a professional hitman.

Now, back to complete seriousness.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of
Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX
buffer overflow


The MCWNDX.OCX binary is digitally signed by Microsoft, and
as such you can plant it on the user's machine just by
pointing the codebase attribute of your OBJECT tag to an
archived copy of the file on your own server.

This also applies to other outdated ActiveX controls: even
when a newer (patched) version exists and is installed on the
user's machine, you can still re-introduce the old, buggy
version since it is digitally signed by Microsoft.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html