----- Original Message -----
From: "Tri Huynh" <trihuynh@zeeup.com>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, August 13, 2003 1:13 PM
Subject: Microsoft MCWNDX.OCX ActiveX buffer overflow


>
>
>  Microsoft MCWNDX.OCX ActiveX buffer overflow
>  =================================================
>
>  PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> HOMEPAGE:  www.microsoft.com
> VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to
> support multimedia programming.
>
>  DESCRIPTION
>  =================================================
>
>  MCWNDX is an activeX shipped with Visual Studio 6 to
> support multimedia programming. Although not many people use it anymore,
> however it still can be called through CLSID in a website and passing a
> large amount of data to the activex will cause an buffer overflow.
>
> Since this Activex is only shipped with VIsual Studio 6.0, so only
> people who are having Visual Studio 6.0 will be affected or people
> who are still using old multimedia programs coded in Visual Studio 6.0
> (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> VS Sp 4)
>
>
>  DETAILS
>  =================================================
>  The ActiveX has a property called "Filename" which is used to specify
> the .mci file to load. However if it is passed with a very large
> string(640KB
> is good enough :-) ), it will cause a bufferoverflow. (I can't overwrite
the
> EIP using this overflow in my XP, however it doesn't mean the problem
can't
> be exploited)
>
> Microsoft has been noticed but since the hole is maybe minor to them so
> they don't response to me even a short sentence like "Thank you !"
>
>
>
>  WORKAROUND
>  =================================================
>
>  Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> below
>
>
> CREDITS
>  =================================================
>
>  Discovered by Tri Huynh from Sentry Union
>
>
>  DISLAIMER
>  =================================================
>
>  The information within this paper may change without notice. Use of
>  this information constitutes acceptance for use in an AS IS condition.
>  There are NO warranties with regard to this information. In no event
>  shall the author be liable for any damages whatsoever arising out of
>  or in connection with the use or spread of this information. Any use
>  of this information is at the user's own risk.
>
>
>  FEEDBACK
>  =================================================
>
>  Please send suggestions, updates, and comments to: trihuynh@zeeup.com
>
>