 
RE: Microsoft MCWNDX.OCX ActiveX buffer overflow

From: Drew Copley (dcopleyeeye.com)
Date: Wed Aug 13 2003 - 13:44:14 CDT


I find no "MCWNDX.ocx" on my system nor on Google. It may be a Windows
locality issue. Microsoft Multimedia Control fits the description,
though, as you noted. It does have a "FileName" method and uses the .mci
filetype, but on Windows 2000 it is not a safe ActiveX control for
scripting on webpages in the Internet Zone.

> -----Original Message-----
> From: xenophi1e [mailto:oliver.laverysympatico.ca]
> Sent: Wednesday, August 13, 2003 10:51 AM
> To: bugtraqsecurityfocus.com
> Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
>
> In-Reply-To: <007201c361df$c311f0c0$329f8018youru10ixi0anw>
>
> Does anyone know what the GUID for this control is? I don't have it on XP
> with Visual Studio 6 installed.
>
> Could this be the same as the Microsoft Multimedia Control, aka MCI32.OCX?
>
> Cheers,
> ~ol
>
> > Microsoft MCWNDX.OCX ActiveX buffer overflow
> > =================================================
> >
> > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > HOMEPAGE: www.microsoft.com
> > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6
> > to support multimedia programming.
> >
> > DESCRIPTION
> > =================================================
> >
> > MCWNDX is an ActiveX shipped with Visual Studio 6 to support multimedia
> > programming. Although not many people use it anymore, it can still be
> > called through CLSID in a website, and passing a large amount of data to
> > the ActiveX will cause a buffer overflow.
> >
> > Since this ActiveX is only shipped with Visual Studio 6.0, only people
> > who have Visual Studio 6.0 will be affected, or people who are still
> > using old multimedia programs coded in Visual Studio 6.0. (On my PC, the
> > last date the ActiveX was patched is in 1996! I am using VS SP 4)
> >
> > DETAILS
> > =================================================
> >
> > The ActiveX has a property called "Filename" which is used to specify
> > the .mci file to load. However, if it is passed a very large string
> > (640KB is good enough :-) ), it will cause a buffer overflow. (I can't
> > overwrite the EIP using this overflow in my XP, however it doesn't mean
> > the problem can't be exploited)
> >
> > Microsoft has been notified, but since the hole is maybe minor to them
> > they don't respond to me, even a short sentence like "Thank you !"
> >
> > WORKAROUND
> > =================================================
> >
> > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are using
> > 2000 or XP or in your SYSTEM directory if you are using WIN ME or below
> >
> > CREDITS
> > =================================================
> >
> > Discovered by Tri Huynh from Sentry Union
> >
> > DISCLAIMER
> > =================================================
> >
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties with regard to this information. In no event
> > shall the author be liable for any damages whatsoever arising out of
> > or in connection with the use or spread of this information. Any use
> > of this information is at the user's own risk.
> >
> > FEEDBACK
> > =================================================
> >
> > Please send suggestions, updates, and comments to: trihuynhzeeup.com
> >
>
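
The questions raised in this thread (what the control's CLSID is, and whether it is marked safe for scripting) can be answered from the registry. The following is an added example, not part of any message above: it looks up registered COM classes whose in-process server is one of the file names mentioned in the thread and reports the safe-for-scripting and safe-for-initializing categories plus the Internet Explorer kill bit. The function names are hypothetical; it reads only the registry view of the PowerShell process it runs in, and a control can also declare itself safe at run time through IObjectSafety, which this registry check does not see.

```powershell
# Added example (not from the thread). File names are the ones the messages mention.
$FileNames = 'MCWNDX.OCX', 'MCIWNDX.OCX', 'MCI32.OCX'

# Well-known component category IDs and the IE kill-bit location.
$CatSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$CatSafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBitPath   = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag   = 0x400                                       # "do not load in IE" flag

function Test-SubKey($Key, [string]$Name) {
    # True when the named subkey exists under an open RegistryKey.
    $sub = $Key.OpenSubKey($Name)
    if ($sub) { $sub.Close(); return $true }
    return $false
}

function Get-ActiveXScriptingStatus([string[]]$Names) {
    $root = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey('CLSID')
    foreach ($clsid in $root.GetSubKeyNames()) {
        # Some class keys are not readable by the current user; skip those.
        try { $key = $root.OpenSubKey($clsid) } catch { continue }
        if (-not $key) { continue }
        try {
            $server = $key.OpenSubKey('InprocServer32')
            if (-not $server) { continue }
            $path = [string]$server.GetValue('')           # default value = OCX/DLL path
            $server.Close()
            $leaf = ($path.Trim('"') -split '\\')[-1]      # file name without directory
            if ($Names -notcontains $leaf) { continue }    # comparison is case-insensitive

            $kill  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$KillBitPath\$clsid")
            $flags = 0
            if ($kill) { $flags = [int]$kill.GetValue('Compatibility Flags', 0); $kill.Close() }

            [pscustomobject]@{
                Clsid            = $clsid
                Server           = $path
                SafeForScripting = Test-SubKey $key "Implemented Categories\$CatSafeScript"
                SafeForInit      = Test-SubKey $key "Implemented Categories\$CatSafeInit"
                KillBitSet       = (($flags -band $KillBitFlag) -ne 0)
            }
        } finally { $key.Close() }
    }
    $root.Close()
}

Get-ActiveXScriptingStatus $FileNames | Format-List
```

No output means none of the named files is registered as an in-process COM server on the machine.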
>