Bugtraq mailing list archives


ADVISORY: MSN Messenger OCX Buffer Overflow


From: "Marc Maiffret" <marc () eeye com>
Date: Wed, 8 May 2002 16:00:03 -0700

MSN Messenger OCX Buffer Overflow

Release Date:
5/8/2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

Description:
A vulnerability has been discovered in the parameter handling of the MSN Messenger OCX. By exploiting this vulnerability, an attacker can supply and execute code on any machine on which MSN Messenger with the ActiveX is installed.

The vulnerability exists because of how MSN Messenger handles data passed to it, which can lead to a buffer overflow scenario. The buffer overflow can be exploited via email, web, or through any other method where Internet Explorer is used to display HTML that an attacker supplies, including software that uses the web browser ActiveX control.

All users of Internet Explorer are potentially affected because this is a Microsoft signed OCX. Users that have not installed Microsoft Messenger or that have not upgraded Microsoft Messenger can only be affected if they accept the pop-up "Install Now" signed by Microsoft. All Internet Explorer users should install the update.

Example:
<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>

Technical Description:
MSNChat ocx is an ActiveX object installed with Microsoft Messenger. Proper bounds checking is not in place in the ResDLL parameter. By supplying a very large buffer, we can overwrite a significant portion of the stack, including saved return addresses and exception handlers.

Even if users do not have Messenger installed, the ActiveX can be called from the codebase tag, which would prompt the user to install the ActiveX with Microsoft's credentials because the OCX is signed by Microsoft.

Vulnerability identifier: CAN-2002-0155

Vendor Status:
Microsoft has released a security bulletin and patch. For more information visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp

Credit:
Discovery: Drew Copley

Greetings: Mom, Dad, and all of the little people that helped me and believed in me - oh - and a big YO HO to the homeboyz in the h00d.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert () eEye com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info () eEye com
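The advisory's example shows the trigger condition a defender can look for: an <object> element whose classid names the MSN Chat control and whose ResDLL <param> carries a value far longer than any resource DLL name. The following scanner is an added example written for this page; it is not part of the eEye advisory or of any Microsoft component. The CLSID is the one from the advisory's example. The 260-byte cutoff, the "MSNChat.dll" placeholder value and the three sample documents are constructed assumptions for illustration, not values taken from the affected software.

```python
from html.parser import HTMLParser

# CLSID of the MSN Chat control, taken from the advisory's example (lowercased
# because HTMLParser lowercases attribute names, and we normalise values too).
MSN_CHAT_CLSID = "9088e688-063a-4806-a3db-6522712fc061"

# Assumed cutoff: a legitimate ResDLL value is a short module name or path, so
# anything longer than a Windows MAX_PATH (260) is treated as overlong.  The
# advisory places the saved return address roughly 27,257 bytes into the value,
# so an exploit attempt will be far above this threshold.
MAX_RESDLL_LEN = 260


class MsnChatObjectScanner(HTMLParser):
    """Collect each <object> element with its <param> children, then classify
    those whose classid names the MSN Chat control."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # the <object> currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "object":
            clsid = attrs.get("classid", "").strip().lower()
            if clsid.startswith("clsid:"):
                clsid = clsid[len("clsid:"):]
            self._current = {
                "clsid": clsid.strip("{}"),
                "codebase": attrs.get("codebase"),
                "params": {},
            }
        elif tag == "param" and self._current is not None:
            # <param> is a void element, so it only ever produces a start tag.
            name = attrs.get("name", "").lower()
            if name:
                self._current["params"][name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self._classify(self._current)
            self._current = None

    def close(self):
        super().close()
        if self._current is not None:  # an <object> that was never closed
            self._classify(self._current)
            self._current = None

    def _classify(self, obj):
        if obj["clsid"] != MSN_CHAT_CLSID:
            return  # some other control; not in scope for this advisory
        resdll = obj["params"].get("resdll", "")
        reasons = []
        if len(resdll) > MAX_RESDLL_LEN:
            reasons.append(
                f"ResDLL parameter is {len(resdll)} bytes, above {MAX_RESDLL_LEN}")
        if obj["codebase"]:
            # The advisory notes the codebase attribute lets a page prompt
            # users who lack Messenger to install the signed control.
            reasons.append("codebase attribute present: page can prompt to install the control")
        self.findings.append({
            "resdll_len": len(resdll),
            "reasons": reasons,
            "suspicious": bool(reasons),
        })


def scan_html(html):
    """Return one finding per MSN Chat <object> in the document."""
    scanner = MsnChatObjectScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample documents (not captured from any real page).
SAMPLE_BENIGN = (
    '<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061">'
    '<param name="ResDLL" value="MSNChat.dll"></object>'
)
SAMPLE_OVERLONG = (
    '<html><body><object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" '
    'width="455" height="523"><param name="_cx" value="12039">'
    '<param name="ResDLL" value="' + "A" * 30000 + '"></object></body></html>'
)
SAMPLE_OTHER_CONTROL = (
    '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
    '<param name="ResDLL" value="' + "A" * 30000 + '"></object>'
)

if __name__ == "__main__":
    for label, doc in (("benign", SAMPLE_BENIGN), ("overlong", SAMPLE_OVERLONG),
                       ("other control", SAMPLE_OTHER_CONTROL)):
        print(label, scan_html(doc))
```

The scanner records every instantiation of the control, not only suspicious ones, so a mail or web gateway can also log legitimate use; the `suspicious` flag is what a detection rule would alert on. The closing-tag fallback matters because an attacker-supplied page has no reason to be well-formed HTML.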
