SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat) > MSN Messenger
Vendors:  Microsoft
Microsoft MSN Messenger Includes an ActiveX Control That Has 'ResDLL' Parameter Buffer Overflow That Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1004250
SecurityTracker URL:  http://securitytracker.com/id/1004250
CVE Reference:  CAN-2002-0155
Date:  May 9 2002
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 4.5, 4.6
Description:   A vulnerability was reported in Microsoft's MSN Chat Control software, an ActiveX control that is part of MSN Messenger and Microsoft Exchange Instant Messenger.

eEye Digital Security reported a buffer overflow in the processing of the ResDLL parameter.

A remote user can create HTML that, when displayed on the target (victim) user's Internet Explorer browser, will cause arbitrary code to be executed. Because the Chat Control is a Microsoft-signed OCX, all Internet Explorer users are potentially affected.

A demonstration exploit example is provided:

<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>

A remote user can supply a large buffer for the ResDLL parameter to trigger the buffer overflow and overwrite a significant portion of the stack, including saved return addresses and exception handlers.

According to the report, users who do not have MSN Messenger installed can still be affected, because the control can be referenced with the codebase attribute, which prompts the user to install the vulnerable ActiveX control. That control is signed with Microsoft's credentials, so the install prompt carries Microsoft's name.
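As an added defender-side example (not part of the SecurityTracker alert or the eEye advisory), the following Python scans HTML for object elements that instantiate the MSN Chat Control by the CLSID quoted above and reports an oversized ResDLL parameter or a codebase attribute that would offer to install the control. The 1,024-byte threshold, the sample HTML and its example.invalid codebase URL are constructed assumptions.

```python
from html.parser import HTMLParser

# CLSID of the vulnerable MSN Chat Control, as quoted in the advisory.
CHAT_CONTROL_CLSID = "clsid:9088e688-063a-4806-a3db-6522712fc061"
# Assumed threshold: a legitimate ResDLL value is a short DLL name, so anything
# past this is treated as an overflow attempt (the advisory puts EIP at 27,257).
RESDLL_LIMIT = 1024


class ChatControlScanner(HTMLParser):
    """Collect every <object> that instantiates the MSN Chat Control."""

    def __init__(self):
        super().__init__()
        self.findings = []    # one dict per matching <object>
        self._current = None  # finding being built while inside an <object>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower() == CHAT_CONTROL_CLSID:
            # codebase= lets the page offer to install the control (see above)
            self._current = {"codebase": "codebase" in a, "resdll_len": 0}
        elif tag == "param" and self._current is not None:
            if a.get("name", "").lower() == "resdll":
                self._current["resdll_len"] = len(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            f = self._current
            f["overflow"] = f["resdll_len"] > RESDLL_LIMIT
            self.findings.append(f)
            self._current = None


def scan_html(html):
    """Return a list of findings, one per MSN Chat Control <object> in html."""
    scanner = ChatControlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample modelled on the advisory's object tag (codebase URL and
# 30,000-byte payload are made up; the advisory itself elides the length).
SAMPLE = (
    '<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" '
    'codebase="http://example.invalid/msnchat.cab">'
    '<param name="RedirectURL" value="">'
    '<param name="ResDLL" value="' + "A" * 30000 + '"></object>'
)
```

Running scan_html over a mail or proxy capture gives one finding per control instantiation, with the ResDLL length and whether a codebase install prompt would be offered.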

Microsoft has assigned this vulnerability a "Critical" severity rating for Client Systems.

Impact:   A remote user can cause arbitrary code to be executed on the target user's computer with the privileges of the target user.
Solution:   The vendor has released a fix. A separate alert will be issued shortly with the Microsoft advisory information. Or, the advisory can be viewed directly at:

www.microsoft.com/technet/security/bulletin/MS02-022.asp

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-022.asp
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Microsoft MSN Messenger Includes an ActiveX Control That Has 'ResDLL' Parameter Buffer Overflow That Lets Remote Users Execute Arbitrary Code   (secnotif@microsoft.com)
The vendor has released a fix.



Source Message Contents

Date:  Wed, 8 May 2002 16:00:07 -0700
Subject:  [VulnWatch] ADVISORY: MSN Messenger OCX Buffer Overflow


MSN Messenger OCX Buffer Overflow

Release Date:
5/8/2002

Severity:
High (Remote code execution)

Systems Affected:
Microsoft MSN Chat Control
Microsoft MSN Messenger 4.5 and 4.6, which includes the MSN Chat control
Microsoft Exchange Instant Messenger 4.5 and 4.6, which includes the MSN Chat control

Description:
A vulnerability has been discovered in the parameter handling of the MSN
Messenger OCX. By exploiting this vulnerability, an attacker can supply and
execute code on any machine on which MSN Messenger with the ActiveX is
installed.

The vulnerability exists because of how MSN Messenger handles data passed to
it which can lead to a buffer overflow scenario. The buffer overflow can be
exploited via email, web, or through any other method where Internet
Explorer is used to display HTML that an attacker supplies, including
software that uses the web browser ActiveX control.

All users of Internet Explorer are potentially affected because this is a
Microsoft signed OCX. Users that have not installed Microsoft Messenger or
that have not upgraded Microsoft Messenger can only be affected if they
accept the pop-up "Install Now" signed by Microsoft. All Internet Explorer
users should install the update.

Example:

<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>

Technical Description:

MSNChat ocx is an ActiveX object installed with Microsoft Messenger. Proper
bounds checking is not in place in the ResDLL parameter. By supplying a very
large buffer, we can overwrite a significant portion of the stack, including
saved return addresses and exception handlers.

Even if users do not have Messenger installed, the ActiveX can be called
from the codebase tag which would prompt the user to install the ActiveX
with Microsoft's credentials because the OCX is signed by Microsoft.

Vulnerability identifier: CAN-2002-0155

Vendor Status:
Microsoft has released a security bulletin and patch. For more information
visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-022.asp

Credit:
Discovery: Drew Copley

Greetings: Mom, Dad, and all of the little people that helped me and
believed in me - oh - and a big YO HO to the homeboyz in the h00d.

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

Copyright 2013, SecurityGlobal.net LLC