RE: [Full-Disclosure] Microsoft MCIWNDX.OCX ActiveX buffer overflow

From: Drew Copley (dcopley_at_eeye.com)
Date: 08/15/03

    To: <full-disclosure@lists.netsys.com>, <trihuynh@zeeup.com>
    Date: Fri, 15 Aug 2003 11:27:41 -0700
    
    

    > -----Original Message-----
    > From: Tri Huynh trihuynh@zeeup.com
    > Subject: [Full-Disclosure] Microsoft MCIWNDX.OCX ActiveX
    > buffer overflow
    >
    >
    > Hi, List
    >
    > I'm very happy with all the supportive feedback. The
    > MCIWNDX.OCX was originally shipped with Visual Studio 5.0 (or
    > VB 5.0) and it is a Microsoft-signed ActiveX
    > (http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q173/3/52.asp&NoWebContent=1).
    > However, while most of the ActiveXs in Visual Studio 5.0 are
    > updated and patched in VS 6.0, MCIWNDX.OCX is not patched,
    > and a new version of the ActiveX called MCI32.ocx is
    > introduced. Unfortunately, MCIWNDX.OCX is still shipped with
    > the Visual Studio 6.0 CD and it is placed in the
    > "\Common\Tools\Vb\Unsupprt\Mciwindx" folder of the Visual
    > Studio 6.0 Enterprise Edition Disk 3; and the ActiveX is also
    > installed by default in the Enterprise Edition. Since it is
    > installed by default and registered with a CLSID, it is a
    > time bomb and should be removed.
    >
    > As most of us have already noticed, an insecure local ActiveX can
    > be exploited by making a website that tries to inject
    > shellcode to take control of the client machine. Although the
    > ActiveX is patched locally, the hacker can still use the
    > CODEBASE/CLSID properties to instruct the browser to download
    > a vulnerable Microsoft-signed ActiveX and exploit it.
    >
    > I haven't seen any widespread ActiveX attacks conducted by
    > hackers yet; however, since the way IE handles ActiveX
    > by default is insecure, we will probably see many hacking
    > attempts using this weakness.
    >
    > Regards,
    >
    > Tri Huynh
    > SentryUnion
    >
    >
    > PS : I just realized that in several places in my recent post I
    > mistakenly wrote the ActiveX name MCWNDX.OCX instead of
    > MCIWNDX.OCX. :-) Sorry for all the confusion. Now I've figured
    > out that coffee and girls do destroy human memory :-)

    Ah, yes... Looking back on it, I see it now. That is what I get for
    looking at the copy of the report. MCIWNDX.OCX was mentioned once, at
    the first, and this was cut out of subsequent replies apparently by
    mistake.

    The issue, btw, sounds like a heap based overflow, as opposed to a stack
    based overflow. Generally, these issues can be exploitable, but it can
    tend to be very difficult to exploit them universally.

    I hope that Microsoft sees this. Visual Studio 6 is still used by an
    enormous number of people, and I am not sure if uninstalling it will
    even remove the ActiveX... And regardless, as Thor pointed out and as
    Guninski originally noted, these ActiveX controls are signed. You will
    still have to click "Okay" to install them, though it will say
    'Approved by Microsoft'.

    Unfortunately, Microsoft may not see this post, and they seem to have
    ignored the original post you made to security@microsoft. When they do
    not reply, that generally means they could not find the bug, they could
    not duplicate it, and they do not know you. Rather rude and
    unprofessional. Maybe they can fix this problem.

    If they do not see this post, then there will be this effective zero day
    out there. 95% of the world uses Internet Explorer according to the
    latest stats. With around 400 million internet users and these being -
    generally - the wealthiest of the world... This is quite an open door.

    Now, back to my fantasies about being a hitman instead of a security
    researcher. ;)

    >
    > ----- Original Message -----
    > From: "Drew Copley" <dcopley@eeye.com>
    > To: <jasonc@science.org>; "'Thor Larholm'" <thor@pivx.com>;
    > "'Tri Huynh'" <trihuynh@zeeup.com>; <bugtraq@securityfocus.com>
    > Cc: <full-disclosure@lists.netsys.com>
    > Sent: Wednesday, August 13, 2003 3:48 PM
    > Subject: RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX
    > buffer overflow
    >
    >
    > >
    > >
    > > > -----Original Message-----
    > > > From: Jason Coombs [mailto:jasonc@science.org]
    > > > Sent: Wednesday, August 13, 2003 12:36 PM
    > > > To: Thor Larholm; Tri Huynh; bugtraq@securityfocus.com
    > > > Subject: RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer
    > > > overflow
    > > >
    > > >
    > > > What about pointing the OBJECT tag codebase to a known, or probable,
    > > > location on the victim's own hard drive?
    > >
    > > It apparently is not on people's systems, is the point. If it is not the
    > > multimedia control and there is such an ActiveX, then Thor is correct,
    > > and it can simply be pointed at remotely.
    > >
    > > >
    > > > ActiveX never implemented any type of "same origin policy" the way
    > > > JavaScript does, so a local codebase reference should work as a
    > > > technique to silently activate any Microsoft-signed ActiveX control.
    > >
    > > Partly true, though I can't run files using ActiveX on your system
    > > locally; there are various checks now in place.
    > >
    > > >
    > > > But I could be mistaken, this is commentary from memory not
    > > > experimental result.
    > > >
    > >
    > >
    > >
    > > > I'd much rather spend my time conducting security audits of Linux
    > > > and trying to help those companies threatened by SCO's copyright
    > > > claims defend themselves in court.
    > > >
    > >
    > > I would rather be home, watching television, or playing a video game.
    > > Actually, it would be nice to be surfing now. From a purely fantastical
    > > viewpoint, I suppose bounty hunting would be a bit more fun, or perhaps
    > > being a professional hitman.
    > >
    > > Now, back to complete seriousness.
    > >
    > > > Jason Coombs
    > > > jasonc@science.org
    > > >
    > > > -----Original Message-----
    > > > From: full-disclosure-admin@lists.netsys.com
    > > > [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Thor
    > > > Larholm
    > > > Sent: Wednesday, August 13, 2003 8:22 AM
    > > > To: Tri Huynh; bugtraq@securityfocus.com
    > > > Cc: full-disclosure@lists.netsys.com
    > > > Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer
    > > > overflow
    > > >
    > > >
    > > > The MCWNDX.OCX binary is digitally signed by Microsoft, and as such
    > > > you can plant it on the user's machine just by pointing the codebase
    > > > attribute of your OBJECT tag to an archived copy of the file on your
    > > > own server.
    > > >
    > > > This also applies to other outdated ActiveX controls: even when a
    > > > newer (patched) version exists and is installed on the user's machine,
    > > > you can still re-introduce the old, buggy version, since it is
    > > > digitally signed by Microsoft.
    > > >
    > > >
    > > > Regards
    > > > Thor Larholm
    > > > PivX Solutions, LLC - Senior Security Researcher
    > > >
    > > >
    > > >
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > >
    > >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
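The practical question left open in the thread is the one Drew raises: after uninstalling Visual Studio, is the control still registered, and is it still on disk? The thread's other point (Thor, Jason, Tri) is that deleting the file does not close the door on its own, because a Microsoft-signed copy can be re-delivered through the OBJECT tag's codebase. The following PowerShell script is an added example, not code from the thread or from Microsoft. It enumerates every CLSID whose InprocServer32 points at a file named MCIWNDX.OCX (the only identifier the thread supplies; no CLSID is assumed), reports whether the file is still present and its version, and also reports whether Internet Explorer's kill bit (Compatibility Flags 0x400 under the ActiveX Compatibility key) is set for that CLSID. The kill-bit check is not mentioned in the thread; it is included because it is the control that blocks loading of a CLSID regardless of which signed copy is offered. The registry layout assumed is that of current 64-bit Windows, where 32-bit registrations live under WOW6432Node.

```powershell
# Added example (not from the thread): find where MCIWNDX.OCX is registered
# as a COM/ActiveX server and whether IE's kill bit protects that CLSID.
# Assumptions: read access to HKLM; the file name comes from the thread and is
# matched case-insensitively; the kill-bit key layout is the standard one
# (HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID},
# DWORD "Compatibility Flags" with bit 0x400 set).

# 64-bit Windows keeps 32-bit COM registrations under WOW6432Node as well.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
) | Where-Object { Test-Path $_ }

$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    # Returns $true if any ActiveX Compatibility entry for the CLSID has 0x400 set.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { continue }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (([int]$flags -band 0x400) -ne 0)) { return $true }
    }
    return $false
}

function Find-RegisteredControl {
    # Walks HKLM\...\Classes\CLSID and returns one record per CLSID whose
    # InprocServer32 default value names a file matching $FileName.
    param([Parameter(Mandatory)][string]$FileName)
    $wanted = $FileName.ToLowerInvariant()
    foreach ($root in $ClsidRoots) {
        foreach ($clsidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $inproc = "Registry::$($clsidKey.Name)\InprocServer32"
            if (-not (Test-Path $inproc)) { continue }
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($server)) { continue }
            # Values may be quoted and may use %SystemRoot%-style variables.
            $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            if ([IO.Path]::GetFileName($server).ToLowerInvariant() -ne $wanted) { continue }
            $onDisk = Test-Path -LiteralPath $server
            [pscustomobject]@{
                CLSID       = $clsidKey.PSChildName
                Hive        = $root
                Path        = $server
                OnDisk      = $onDisk
                FileVersion = if ($onDisk) { (Get-Item -LiteralPath $server).VersionInfo.FileVersion } else { $null }
                KillBit     = Test-KillBit -Clsid $clsidKey.PSChildName
            }
        }
    }
}

# Enumerating HKCR\CLSID is slow on a large system; expect it to take a while.
$results = @(Find-RegisteredControl -FileName 'mciwndx.ocx')
if ($results.Count -gt 0) {
    $results | Format-Table -AutoSize
} else {
    Write-Output 'No CLSID is registered with an InprocServer32 of mciwndx.ocx.'
}
```

A record with OnDisk false but KillBit false is the case the thread warns about: the file is gone, but nothing stops the browser from accepting a signed copy offered via codebase and registering it again under the same CLSID. The same enumeration can be pointed at the replacement control (MCI32.ocx, named by Tri Huynh) to confirm which version is actually the one registered.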


