Full Disclosure mailing list archives
RE: Microsoft MCIWNDX.OCX ActiveX buffer overflow
From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 15 Aug 2003 11:27:41 -0700
-----Original Message-----
From: Tri Huynh trihuynh () zeeup com
Subject: [Full-disclosure] Microsoft MCIWNDX.OCX ActiveX buffer overflow

Hi, List

I'm very happy with all the supportive feedback. The MCIWNDX.OCX is originally shipped with Visual Studio 5.0 (or VB 5.0) and it is a Microsoft-signed ActiveX (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q173/3/52.asp&NoWebContent=1). However, while most of the ActiveXs in Visual Studio 5.0 are updated and patched in VS 6.0, MCIWNDX.OCX is not patched, and a new version of the ActiveX called MCI32.ocx is introduced. Unfortunately, MCIWNDX.OCX is still shipped on the Visual Studio 6.0 CD; it is placed in the "\Common\Tools\Vb\Unsupprt\Mciwindx" folder of the Visual Studio 6.0 Enterprise Edition Disk 3, and the ActiveX is also installed by default in the Enterprise Edition. Since it is installed by default and registered with a CLSID, it is a time bomb and should be removed.

As most of us have already noticed, an insecure local ActiveX can be exploited by making a website that tries to inject shellcode to take control of the client machine. Although the ActiveX is patched locally, the hacker can still use the CODEBASE/CLSID properties to instruct the browser to download a vulnerable Microsoft-signed ActiveX and exploit it. I haven't seen any widespread ActiveX attacks conducted by hackers yet; however, since the way IE handles ActiveX by default is insecure, we will probably see many hacking attempts using this weakness.

Regards,
Tri Huynh
SentryUnion

PS: I just realized that in several places in my recent post I mistakenly wrote the ActiveX name as MCWNDX.OCX instead of MCIWNDX.OCX. :-) Sorry for all the confusion. Now I figure that coffee and girls do destroy human memory :-)
Ah, yes... Looking back on it, I see it now. That is what I get for looking at the copy of the report. MCIWNDX.OCX was mentioned once, at the first, and this was cut out of subsequent replies, apparently by mistake.

The issue, btw, sounds like a heap-based overflow, as opposed to a stack-based overflow. Generally, these issues can be exploitable, but it can tend to be very difficult to exploit them universally.

I hope that Microsoft sees this. Visual Studio 6 is still used by an enormous number of people, and I am not sure if uninstalling it will even remove the ActiveX... And regardless, as Thor pointed out and as Guninski originally noted, these ActiveX controls are signed. You will still have to click "Okay" to install them, though it will say 'Approved by Microsoft'.

Unfortunately, Microsoft may not see this post, and they seem to have ignored the original post you made to security@microsoft. When they do not reply, that generally means they could not find the bug, they could not duplicate it, and they do not know you. Rather rude and unprofessional. Maybe they can fix this problem. If they do not see this post, then there will be this effective zero day out there. 95% of the world uses Internet Explorer according to the latest stats. With around 400 million internet users, and these being - generally - the wealthiest of the world... This is quite an open door.

Now, back to my fantasies about being a hitman instead of a security researcher. ;)
----- Original Message -----
From: "Drew Copley" <dcopley () eeye com>
To: <jasonc () science org>; "'Thor Larholm'" <thor () pivx com>; "'Tri Huynh'" <trihuynh () zeeup com>; <bugtraq () securityfocus com>
Cc: <full-disclosure () lists netsys com>
Sent: Wednesday, August 13, 2003 3:48 PM
Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, August 13, 2003 12:36 PM
To: Thor Larholm; Tri Huynh; bugtraq () securityfocus com
Subject: RE: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

> What about pointing the OBJECT tag codebase to a known, or probable, location on the victim's own hard drive?

It apparently is not on people's systems, is the point. If it is not the multimedia control and there is such an ActiveX, then Thor is correct, and it can simply be pointed at remotely.

> ActiveX never implemented any type of "same origin policy" the way JavaScript does, so a local codebase reference should work as a technique to silently activate any Microsoft-signed ActiveX control.

Partly true, though I can't run files using ActiveX on your system locally; there are various checks now in place. But I could be mistaken; this is commentary from memory, not experimental result.

> I'd much rather spend my time conducting security audits of Linux and trying to help those companies threatened by SCO's copyright claims defend themselves in court.

I would rather be home, watching television, or playing a video game. Actually, it would be nice to be surfing now. From a purely fantastical viewpoint, I suppose bounty hunting would be a bit funner, or perhaps being a professional hitman.

Now, back to complete seriousness.

> Jason Coombs
> jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow

The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can plant it on the user's machine just by pointing the codebase attribute of your OBJECT tag to an archived copy of the file on your own server. This also applies to other outdated ActiveX controls: even when a newer (patched) version exists and is installed on the user's machine, you can still re-introduce the old, buggy version since it is digitally signed by Microsoft.

Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
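An added host check, not part of this thread: a PowerShell script that lists every COM class whose InprocServer32 points at MCIWNDX.OCX, so an administrator can confirm whether the control Tri describes is still registered before removing it. The thread does not give the control's CLSID, so the match is on the file name; the hive paths and the function name are the example's own.

```powershell
# Added example (not from the thread): find registered COM/ActiveX servers
# whose InprocServer32 value points at a given OCX file. The thread does not
# give the control's CLSID, so the match is on file name instead.
function Find-RegisteredOcx {
    param([Parameter(Mandatory)][string]$FileName)

    # Machine-wide 64-bit and 32-bit (Wow6432Node) hives plus per-user registrations
    $roots = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID',
        'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
    )

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path -LiteralPath $inproc)) { return }   # not an in-process server
            # The default value of InprocServer32 is the server DLL/OCX path
            $dll = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { return }
            $clean = $dll.Trim('"')
            if ([IO.Path]::GetFileName($clean) -ieq $FileName) {
                [pscustomobject]@{
                    CLSID      = $_.PSChildName
                    Hive       = $root
                    ServerPath = $dll
                    FileExists = Test-Path -LiteralPath $clean   # registration can outlive the file
                }
            }
        }
    }
}

# Report every registration of the control Tri describes; no output means it is
# not registered on this host.
Find-RegisteredOcx -FileName 'MCIWNDX.OCX' | Format-Table -AutoSize
```

A reported CLSID can be unregistered with `regsvr32 /u` on the listed path and the file removed, as Tri recommends; rerun the check afterwards to confirm the registration is gone.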