I find no "MCWNDX.ocx" on my system nor on Google. It may be a Windows locality issue. Microsoft Multimedia Control fits the description, though, as you noted. It does have a "FileName" method and uses the .mci filetype, but on Windows 2000 it is not a safe ActiveX control for scripting on webpages in the Internet Zone.

> -----Original Message-----
> From: xenophi1e [mailto:oliver.lavery@sympatico.ca]
> Sent: Wednesday, August 13, 2003 10:51 AM
> To: bugtraq@securityfocus.com
> Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
>
> In-Reply-To: <007201c361df$c311f0c0$329f8018@youru10ixi0anw>
>
> > Does anyone know what the guid for this control is? I don't have it on XP
> > with Visual Studio 6 installed.
> >
> > Could this be the same as the Microsoft Multimedia Control, aka
> > MCI32.OCX?
> >
> > Cheers,
> > ~ol
> >
> > > Microsoft MCWNDX.OCX ActiveX buffer overflow
> > > =================================================
> > >
> > > PROGRAM: MICROSOFT MCIWNDX.OCX ACTIVEX BUFFER OVERFLOW
> > > HOMEPAGE: www.microsoft.com
> > > VULNERABLE VERSIONS: MCWNDX is an ActiveX shipped with Visual Studio 6 to
> > > support multimedia programming.
> > >
> > > DESCRIPTION
> > > =================================================
> > >
> > > MCWNDX is an ActiveX shipped with Visual Studio 6 to
> > > support multimedia programming. Although not many people use it anymore,
> > > however it still can be called through CLSID in a website and passing a
> > > large amount of data to the ActiveX will cause a buffer overflow.
> > >
> > > Since this ActiveX is only shipped with Visual Studio 6.0, so only
> > > people who are having Visual Studio 6.0 will be affected or people
> > > who are still using old multimedia programs coded in Visual Studio 6.0
> > > (In my PC, the last date the ActiveX is patched is in 1996 ! I am using
> > > VS Sp 4)
> > >
> > > DETAILS
> > > =================================================
> > > The ActiveX has a property called "Filename" which is used to specify
> > > the .mci file to load. However if it is passed with a very large
> > > string(640KB is good enough :-) ), it will cause a buffer overflow.
> > > (I can't overwrite the EIP using this overflow in my XP, however it
> > > doesn't mean the problem can't be exploited)
> > >
> > > Microsoft has been noticed but since the hole is maybe minor to them so
> > > they don't response to me even a short sentence like "Thank you !"
> > >
> > > WORKAROUND
> > > =================================================
> > >
> > > Delete the file MCWNDX.ocx in your SYSTEM32 directory if you are
> > > using 2000 or XP or in your SYSTEM directory if you are using WIN ME or
> > > below
> > >
> > > CREDITS
> > > =================================================
> > >
> > > Discovered by Tri Huynh from Sentry Union
> > >
> > > DISCLAIMER
> > > =================================================
> > >
> > > The information within this paper may change without notice. Use of
> > > this information constitutes acceptance for use in an AS IS condition.
> > > There are NO warranties with regard to this information. In no event
> > > shall the author be liable for any damages whatsoever arising out of
> > > or in connection with the use or spread of this information. Any use
> > > of this information is at the user's own risk.
> > >
> > > FEEDBACK
> > > =================================================
> > >
> > > Please send suggestions, updates, and comments to: trihuynh@zeeup.com