Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: win5339.htm

MSN Messenger OCX Buffer Overflow
10th May 2002 [SBWID-5339]

	MSN Messenger OCX Buffer Overflow


	 Microsoft MSN Chat Control

	 Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control

	 Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN

	 Chat control



	MSN Messenger OCX Buffer Overflow

	Release Date: 5/8/2002

	Severity: High (Remote code execution)

	Systems Affected: Microsoft MSN Chat  Control  Microsoft  MSN  Messenger
	4.5 and 4.6, which includes the  MSN  Chat  control  Microsoft  Exchange
	Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

	Description: A  vulnerability  has  been  discovered  in  the  parameter
	handling of the MSN Messenger OCX. By exploiting this vulnerability,  an
	attacker can supply and  execute  code  on  any  machine  on  which  MSN
	Messenger with the activex is installed.

	The vulnerability exists because  of  how  MSN  Messenger  handles  data
	passed to it which can lead to a buffer overflow  scenario.  The  buffer
	overflow can be exploited via email, web, or through  any  other  method
	where Internet Explorer  is  used  to  display  HTML  that  an  attacker
	supplies, including software that uses the web browser ActiveX control.

	All users of Internet Explorer are potentially affected because this  is
	a  Microsoft  signed  OCX.  Users  that  have  not  installed  Microsoft
	Messenger or that have not upgraded  Microsoft  Messenger  can  only  be
	affected if they accept the pop-up \"Install Now\" signed by  Microsoft.
	All Internet Explorer users should install the update.


	<object classid=\"clsid:9088E688-063A-4806-A3DB-6522712FC061\" width=\"455\"


	<param name=\"_cx\" value=\"12039\">

	<param name=\"_cy\" value=\"13838\">

	<param name=\"BackColor\" value=\"50331647\">

	<param name=\"ForeColor\" value=\"43594547\">

	<param name=\"RedirectURL\" value=\"\">

	<param name=\"ResDLL\" value=\"AAAAAAA[27,257 bytes is where the EIP starts]\">



	Technical Description:

	MSNChat ocx is an ActiveX object  installed  with  Microsoft  Messenger.
	Proper bounds checking is not in  place  in  the  ResDLL  parameter.  By
	supplying a very large buffer, we can overwrite  a  significant  portion
	of the stack, including saved return addresses and exception handlers.

	Even if users do not  have  Messenger  installed,  the  ActiveX  can  be
	called from the codebase tag which would prompt the user to install  the
	ActiveX with Microsoft\'s credentials  because  the  OCX  is  signed  by

	Vulnerability identifier: CAN-2002-0155


	Vendor Status:

	Microsoft  has  released  a  security  bulletin  and  patch.  For   more
	information visit:






	Discovery: Drew Copley


	Greetings: Mom, Dad, and all of the little people that helped me and

	believed in me - oh - and a big YO HO to the homeboyz in the h00d.


	Copyright (c) 1998-2002 eEye Digital Security

	Permission is hereby granted for the redistribution of this alert

	electronically. It is not to be edited in any way without express consent of

	eEye. If you wish to reprint the whole or any part of this alert in any

	other medium excluding electronic medium, please e-mail for




	The information within this paper may change without notice. Use of this

	information constitutes acceptance for use in an AS IS condition. There are

	NO warranties with regard to this information. In no event shall the author

	be liable for any damages whatsoever arising out of or in connection with

	the use or spread of this information. Any use of this information is at the

	user\'s own risk.



	Please send suggestions, updates, and comments to:


	eEye Digital Security


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH