RE: Microsoft MCIWNDX.OCX ActiveX buffer overflow

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Tri Huynh trihuynh () zeeup com 
> Subject: [Full-disclosure] Microsoft MCIWNDX.OCX ActiveX 
> buffer overflow 
>
>
> Hi, List
>
> I'm very happy with all the supportive feedbacks. The 
> MCIWNDX.OCX is originally shipped with Visual Studio 5.0 (or 
> VB 5.0) and it is a Microsoft-signed ActiveX 
> (http://support.microsoft.com/default.aspx?scid=http://support
> .microsoft
> .com
> :80/support/kb/articles/Q173/3/52.asp&NoWebContent=1)
> However, while most of the ActiveXs in Visual Studio 5.0 are 
> updated and patched in VS 6.0, MCIWNDX.OCX is not patched, 
> and a new version of the ActiveX called MCI32.ocx is 
> introduced. Unfortunately,  MCIWNDX.OCX is still shipped with 
> Visual Studio 6.0 CD and it is placed  in 
> "\Common\Tools\Vb\Unsupprt\Mciwindx" folder of the Visual 
> Studio 6.0 Enterprise Edition Disk 3; and the ActiveX is also 
> installed by default in the Enterprise Edition. Since it is 
> installed by default and registered with a CLSID, it is a 
> timing bomb and should be removed.
>
> As most of us already notice, an unsecure local ActiveX can 
> be exploited by making a website that tries to inject 
> shellcode to take control of the client machine. Although the 
> ActiveX is patched locally, the hacker can still use the 
> CODEBASE/CLSID properties to instruct the browser to download 
> a Vulnerable Microsoft-signed ActiveX and exploit it.
>
> I haven't seen any widespread of ActiveX attacks conducted by 
> hackers yet, but however, since the way IE handling ActiveX 
> in default is unsecure, we will probably see many hacking 
> attemps using this weakness.
>
> Regards,
>
> Tri Huynh
> SentryUnion
>
>
> PS : I just recognize that several places in my recent post I 
> mistakenly wrote the ActiveX name MCWNDX.OCX instead of 
> MCIWNDX.OCX. :-) Sorry for all the confusing. Now, I figure 
> out that coffee and girls do destroy human mnemonic :-)

Ah, yes... Looking back on it, I see it now. That is what I get for
looking at the copy of the report. MCIWNDX.OCX was mentioned once, at
the first, and this was cut out of subsequent replies apparently by
mistake.

The issue, btw, sounds like a heap based overflow, as opposed to a stack
based overflow. Generally, these issues can be exploitable, but it can
tend to be very difficult to exploit them universally. 

I hope that Microsoft sees this. Visual Studio 6 is still used by an
enormous amount of people, and I am not sure if uninstalling it will
even remove the activex... And regardless, as Thor pointed out and as
Guninski originally noted, these activex are signed. You will have to
click "Okay" still to install them, however, though it will say,
'Approved by Microsoft'.

Unfortunately, Microsoft may not see this post, and they seem to have
ignored the original post you made to security@microsoft. When they do
not reply, that generally means they could not find the bug, they could
not duplicate it, and they do not know you. Rather rude and
unprofessional. Maybe they can fix this problem.

If they do not see this post, then there will be this effective zero day
out there. 95% of the world uses Internet Explorer according to the
latest stats. With around 400 million internet users and these being -
generally - the wealthiest of the world... This is quite an open door.

Now, back to my fantasies about being a hitman instead of a security
researcher. ;)



> ----- Original Message ----- 
> From: "Drew Copley" <dcopley () eeye com>
> To: <jasonc () science org>; "'Thor Larholm'" <thor () pivx com>; 
> "'Tri Huynh'" <trihuynh () zeeup com>; <bugtraq () securityfocus com>
> Cc: <full-disclosure () lists netsys com>
> Sent: Wednesday, August 13, 2003 3:48 PM
> Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX 
> buffer overflow
>
>
> > > -----Original Message-----
> > > From: Jason Coombs [mailto:jasonc () science org]
> > > Sent: Wednesday, August 13, 2003 12:36 PM
> > > To: Thor Larholm; Tri Huynh; bugtraq () securityfocus com
> > > Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX 
> ActiveX buffer 
> > > overflow
> > >
> > >
> > > What about pointing the OBJECT tag codebase to a known, 
> or probable, 
> > > location on the victim's own hard drive?
> >
> > It apparently is not on people's systems, is the point. If it is not
> the
> > multimedia control and there is such an activex, then thor 
> is correct, 
> > and it can simply be pointed at remotely.
> >
> > > ActiveX never implemented any type of "same origin 
> policy" the way 
> > > JavaScript does, so a local codebase reference should work as a 
> > > technique to silently activate any Microsoft-signed 
> ActiveX control.
> > Partly true, though I can't run files using activex on your system 
> > locally, there are various checks now in place.
> >
> > > But I could be mistaken, this is commentary from memory not 
> > > experimental result.
> >
> >
> >
> > > I'd much rather spend my time conducting security audits of Linux 
> > > and trying to help those companies threatened by SCO's copyright 
> > > claims defend themselves in court.
> >
> > I would rather be home, watching television, or playing a 
> video game. 
> > Actually, it would be nice to be surfing now. From a purely
> fantastical
> > viewpoint, I suppose bounty hunting would be a bit funner, 
> or perhaps 
> > being a professional hitman.
> >
> > Now, back to complete seriousness.
> >
> > > Jason Coombs
> > > jasonc () science org
> > >
> > > -----Original Message-----
> > > From: full-disclosure-admin () lists netsys com
> > > [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Thor 
> > > Larholm
> > > Sent: Wednesday, August 13, 2003 8:22 AM
> > > To: Tri Huynh; bugtraq () securityfocus com
> > > Cc: full-disclosure () lists netsys com
> > > Subject: Re: [Full-disclosure] Microsoft MCWNDX.OCX 
> ActiveX buffer 
> > > overflow
> > >
> > >
> > > The MCWNDX.OCX binary is digitally signed by Microsoft, 
> and as such 
> > > you can plant it on the users machine just by pointing 
> the codebase 
> > > attribute of your OBJECT tag to an archived copy of the 
> file on your 
> > > own server.
> > >
> > > This also applies to other outdated ActiveX controls, even when a 
> > > newer
> > > (patched)  version exists and is installed on the users 
> machine you 
> > > can still re-introduce the old, buggy version since it is 
> digitally 
> > > signed by Microsoft.
> > >
> > >
> > > Regards
> > > Thor Larholm
> > > PivX Solutions, LLC - Senior Security Researcher
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html