| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030701230234.GB26377@ip212-226-112-140.kestel.pp.fi> Date: Wed, 2 Jul 2003 02:02:34 +0300 From: Jouko Pynnonen <jouko@....fi> To: bugtraq@...urityfocus.com Subject: URLMON.DLL buffer overflow - technical details OVERVIEW ======== Following are some technical details of the URLMON.DLL buffer overflow. An overall description can be found in this Bugtraq message: http://www.securityfocus.com/archive/1/319764 Microsoft released a patch to fix this issue in April (MS03-15). It can be found here: http://www.microsoft.com/technet/security/bulletin/MS03-15.asp DETAILS ======= The buffer overflow happens when a program using the vulnerable DLL (Internet Explorer, Outlook, possibly others) receives an HTTP reply which has excessively long values in both "Content-type" and "Content-encoding" fields. By exploiting this vulnerability, an attacker can run arbitrary code on a victim's computer when a malicious web page or an HTML mail message is viewed. Starting up Outlook may be enough to trigger the exploit, since the program may open a preview of the first new message on startup. No scripting, ActiveX, or even an IFRAME is needed - an IMG tag is enough. For this reason Security Zone settings don't have effect on this flaw. For some reason an IMG tag seems to be in fact required in order to produce an exploitable buffer overflow. If the malicious HTTP reply comes with a normal HTML document, Internet Explorer hangs or just exits without any comment. If the requirements are met (both header fields containing correctly sized values, IMG tag used), the issue reduces to a trivial stack-based buffer overflow. The return address is overwritten by the "Content-encoding" value. An appropriate length for the values seems to be about 300 bytes. To reproduce the buffer overflow, these files can be used: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - #!/usr/bin/perl # # Name this file as "urlmon-bo.cgi" # $LONG="A"x300; print "Content-type: $LONG\r\n"; print "Content-encoding: $LONG\r\n"; print "\r\n"; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - <html> <body> <img src="urlmon-bo.cgi"> </body> </html> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - If you view the HTML file with Internet Explorer on a vulnerable system, the program will crash with EIP=0x41414141 (this at least happened on various test systems). The actual exploit is left as an excercise. CREDITS ======= The vulnerability was found and researched by Jouko Pynnönen <jouko@....fi>. The original report (as well as some of my other work) can be seen at my ex-employer's website: http://www.solutions.fi/index.cgi/news_2003_04_28?lang=eng An exploit for this flaw was demonstrated at Kontakti.net's "Tekninen Tietoturva" seminar in Helsinki, April 2003. Greets to: Minttu, Esa Etelävuori, Andreas Sandblad, Georgi Guninski, Solar Designer, DJ28. -- Jouko Pynnonen http://iki.fi/jouko/ jouko@....fi
Powered by blists - more mailing lists