devilkin
05-10-2002, 02:31
Important: a flaw has been found in MSN Messenger that can give someone complete control over the PC...
MSN Messenger OCX Buffer Overflow
Release Date: 05/08/2002
Severity: High (Remote code execution)
Systems Affected:
Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control
Description:
A vulnerability has been discovered in the parameter handling of the MSN Messenger OCX. By exploiting this vulnerability, an attacker can supply and execute code on any machine on which MSN Messenger with the ActiveX control is installed.
The vulnerability exists because of how MSN Messenger handles data passed to it which can lead to a buffer overflow scenario. The buffer overflow can be exploited via email, web, or through any other method where Internet Explorer is used to display HTML that an attacker supplies, including software that uses the web browser ActiveX control.
All users of Internet Explorer are potentially affected because this is a Microsoft signed OCX. Users that have not installed Microsoft Messenger or that have not upgraded Microsoft Messenger can only be affected if they accept the pop-up "Install Now" signed by Microsoft. All Internet Explorer users should install the update.
Example:
<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455" height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>
Technical Description:
MSNChat OCX is an ActiveX object installed with Microsoft Messenger. Proper bounds checking is not in place in the ResDLL parameter. By supplying a very large buffer, we can overwrite a significant portion of the stack, including saved return addresses and exception handlers.
Even if users do not have Messenger installed, the ActiveX can be called from the codebase tag which would prompt the user to install the ActiveX with Microsoft's credentials because the OCX is signed by Microsoft.
Vulnerability identifier: CAN-2002-0155
Vendor Status: Microsoft has released a security bulletin and patch. For more information visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp
[This message has been edited by devilkin (edited 09 May 2002).]
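A defender-side check for the markup described in the advisory, added here as an example and not part of the advisory or of Microsoft's code: it parses HTML, finds any <object> that loads the MSN Chat control by its CLSID, and flags an oversized ResDLL parameter or a codebase attribute (which would trigger the signed "Install Now" prompt). The length threshold RESDLL_MAX_LEN is an assumption chosen for illustration.

```python
# Added example (not from the advisory): scan HTML for the MSN Chat control
# with an oversized ResDLL <param>, the condition the advisory describes.
from html.parser import HTMLParser

MSN_CHAT_CLSID = "9088E688-063A-4806-A3DB-6522712FC061"  # CLSID quoted in the advisory
# Assumed threshold for illustration: the advisory places the saved return
# address at 27,257 bytes, so anything remotely near that is suspect.
RESDLL_MAX_LEN = 1024


class MsnChatObjectScanner(HTMLParser):
    """Collects every <object> that loads the MSN Chat control, with its <param>s."""

    def __init__(self):
        super().__init__()
        self.findings = []     # one dict per matching <object>
        self._current = None   # state for the matching <object> being parsed

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            if MSN_CHAT_CLSID in a.get("classid", "").upper():
                self._current = {"codebase": "codebase" in a, "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            resdll = self._current["params"].get("resdll", "")
            self.findings.append({
                "resdll_len": len(resdll),
                "oversized_resdll": len(resdll) > RESDLL_MAX_LEN,
                "install_prompt": self._current["codebase"],
            })
            self._current = None


def scan_html(html: str) -> list:
    """Return one finding per MSN Chat <object>; act on 'oversized_resdll'."""
    p = MsnChatObjectScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples: the advisory's markup with filler, and a benign instance.
OBJ = '<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061">'
SAMPLE = OBJ + '<param name="ResDLL" value="' + "A" * 27257 + '"></object>'
BENIGN = OBJ + '<param name="ResDLL" value="msnchat.dll"></object>'

if __name__ == "__main__":
    for finding in scan_html(SAMPLE) + scan_html(BENIGN):
        print(finding)
```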