Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: Microsoft MCWNDX.OCX ActiveX buffer overflow
From: "Drew Copley" <dcopley () eeye com>
Date: Wed, 13 Aug 2003 11:44:14 -0700


I find no "MCWNDX.ocx" on my system nor on google. It may be a Windows
locality issue. Microsoft Multimedia Control fits the description,
though, as you noted. It does have a "FileName" method and uses the .mci
filetype, but on Windows 2000 it is not a safe activex control for
scripting on webpages in the Internet Zone.


-----Original Message-----
From: xenophi1e [mailto:oliver.lavery () sympatico ca] 
Sent: Wednesday, August 13, 2003 10:51 AM
To: bugtraq () securityfocus com
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow


In-Reply-To: <007201c361df$c311f0c0$329f8018 () youru10ixi0anw>



Does anyone know what the guid for this control is? I don't 
have it on XP 

with Visual Studio 6 installed. 



Could this be the same as the Microsoft Multimedia Control, aka 

MCI32.OCX? 



Cheers,

~ol



Microsoft MCWNDX.OCX ActiveX buffer overflow

=================================================



PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW

HOMEPAGE:  www.microsoft.com

VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with 
Visual Studio 6 
to

support multimedia programming.



DESCRIPTION

=================================================



MCWNDX is an activeX shipped with Visual Studio 6 to

support multimedia programming. Although not many people use it 
anymore,

however it still can be called through CLSID in a website 
and passing a

large amount of data to the activex will cause an buffer overflow.



Since this Activex is only shipped with VIsual Studio 6.0, so only

people who are having Visual Studio 6.0 will be affected or people

who are still using old multimedia programs coded in Visual 
Studio 6.0

(In my PC, the last date the ActiveX is patched is in 1996 ! 
I am using

VS Sp 4)





DETAILS

=================================================

The ActiveX has a property called "Filename" which is used 
to specify

the .mci file to load. However if it is passed with a very large

string(640KB

is good enough :-) ), it will cause a bufferoverflow. (I can't 
overwrite

the

EIP using this overflow in my XP, however it doesn't mean the problem

can't

be exploited)



Microsoft has been noticed but since the hole is maybe minor 
to them so

they don't response to me even a short sentence like "Thank you !"







WORKAROUND

=================================================



Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are

using 2000 or XP or in your SYSTEM directory if you are 
using WIN ME or

below





CREDITS

=================================================



Discovered by Tri Huynh from Sentry Union





DISLAIMER

=================================================



The information within this paper may change without notice. Use of

this information constitutes acceptance for use in an AS IS 
condition.

There are NO warranties with regard to this information. In no event

shall the author be liable for any damages whatsoever arising out of

or in connection with the use or spread of this information. Any use

of this information is at the user's own risk.





FEEDBACK

=================================================



Please send suggestions, updates, and comments to: 
trihuynh () zeeup com










  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]