Message-ID: <20030702111331.GA27863@ip212-226-112-140.kestel.pp.fi>
From: jouko at iki.fi (Jouko Pynnonen)
Subject: URLMON.DLL buffer overflow - technical details


OVERVIEW
========

The following are some technical details of the URLMON.DLL buffer overflow. 
An overall description can be found in this Bugtraq message:

  http://www.securityfocus.com/archive/1/319764

Microsoft released a patch to fix this issue in April (MS03-15). It can 
be found here:

  http://www.microsoft.com/technet/security/bulletin/MS03-15.asp



DETAILS
=======

The buffer overflow happens when a program using the vulnerable DLL 
(Internet Explorer, Outlook, possibly others) receives an HTTP reply 
which has excessively long values in both "Content-type" and 
"Content-encoding" fields.

By exploiting this vulnerability, an attacker can run arbitrary code on 
a victim's computer when a malicious web page or an HTML mail message 
is viewed. Starting up Outlook may be enough to trigger the exploit, 
since the program may open a preview of the first new message on 
startup.

No scripting, ActiveX, or even an IFRAME is needed - an IMG tag is 
enough. For this reason Security Zone settings have no effect on 
this flaw. For some reason an IMG tag in fact seems to be required in 
order to produce an exploitable buffer overflow. If the malicious HTTP 
reply comes with a normal HTML document, Internet Explorer hangs or 
just exits without any comment.

If the requirements are met (both header fields containing correctly  
sized values, IMG tag used), the issue reduces to a trivial stack-based 
buffer overflow. The return address is overwritten by the 
"Content-encoding" value. An appropriate length for the values seems to 
be about 300 bytes.

To reproduce the buffer overflow, these files can be used:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
#!/usr/bin/perl
#
# Name this file as "urlmon-bo.cgi"
#
$LONG="A"x300;
print "Content-type: $LONG\r\n";
print "Content-encoding: $LONG\r\n";
print "\r\n";
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
<html>
<body>
<img src="urlmon-bo.cgi">
</body>
</html>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -

If you view the HTML file with Internet Explorer on a vulnerable 
system, the program will crash with EIP=0x41414141 (this at least 
happened on various test systems). The actual exploit is left as an 
exercise.
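The bug class described above, as an added C illustration (this is not 
URLMON.DLL's code; the buffer size MAX_HDR_VALUE, the function names and 
the HTTP/1.0 status line are assumptions): find_header() walks a raw 
header block, parse_unsafe() shows the unchecked copy into a fixed stack 
buffer that a ~300-byte value overruns, and parse_bounded() the length 
check that rejects such a reply instead of overflowing. build_response() 
constructs the same kind of reply urlmon-bo.cgi sends, so the hardened 
parser can be checked against exactly that input.

```c
/*
 * Added illustration of the bug class the advisory describes.  NOT
 * URLMON.DLL's code: MAX_HDR_VALUE, the function names and the status
 * line are assumptions.  build_response() makes the same kind of reply
 * urlmon-bo.cgi sends (both headers holding a long run of 'A').
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HDR_VALUE 255   /* hypothetical size of the fixed stack buffer */

/* Case-insensitive compare of the first n bytes of a line with a header
 * name (HTTP header names are case-insensitive). */
static int name_eq(const char *line, const char *name, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Find "name:" at the start of a header line; return the value (leading
 * blanks skipped) and its length in *len.  Stops at the empty line that
 * ends the headers so body text is never matched.  NULL if absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = hdrs;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0)
            break;                                   /* end of headers */
        if (llen > nlen && line[nlen] == ':' && name_eq(line, name, nlen)) {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            *len = (size_t)((line + llen) - v);
            return v;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

/* The vulnerable pattern: each value is copied into a fixed-size stack
 * buffer with no length check.  A ~300-byte value runs past the buffer
 * into the saved return address, hence EIP=0x41414141 above.  Only ever
 * call this with values that fit; on the long reply it is the crash. */
int parse_unsafe(const char *hdrs)
{
    char ctype[MAX_HDR_VALUE + 1];
    char cenc[MAX_HDR_VALUE + 1];
    size_t tl, el;
    const char *t = find_header(hdrs, "Content-type", &tl);
    const char *e = find_header(hdrs, "Content-encoding", &el);
    if (!t || !e)
        return -1;
    memcpy(ctype, t, tl); ctype[tl] = '\0';      /* tl never checked */
    memcpy(cenc, e, el);  cenc[el] = '\0';       /* el never checked: overflow */
    return (int)(strlen(ctype) + strlen(cenc));
}

/* Hardened version: check both lengths before copying and reject an
 * over-long value rather than truncating it (a truncated Content-type can
 * change how the body is handled).  0 = ok, -1 = header missing,
 * -2 = a value exceeds MAX_HDR_VALUE.  ctype/cenc need MAX_HDR_VALUE+1. */
int parse_bounded(const char *hdrs, char *ctype, char *cenc)
{
    size_t tl, el;
    const char *t = find_header(hdrs, "Content-type", &tl);
    const char *e = find_header(hdrs, "Content-encoding", &el);
    if (!t || !e)
        return -1;
    if (tl > MAX_HDR_VALUE || el > MAX_HDR_VALUE)
        return -2;
    memcpy(ctype, t, tl); ctype[tl] = '\0';
    memcpy(cenc, e, el);  cenc[el] = '\0';
    return 0;
}

/* Build a reply like urlmon-bo.cgi's, with type_len and enc_len bytes of
 * 'A' in the two headers (constructed input).  Caller frees the result. */
char *build_response(size_t type_len, size_t enc_len)
{
    const char *status = "HTTP/1.0 200 OK\r\n", *h1 = "Content-type: ";
    const char *h2 = "\r\nContent-encoding: ", *end = "\r\n\r\n";
    size_t n = strlen(status) + strlen(h1) + type_len +
               strlen(h2) + enc_len + strlen(end) + 1;
    char *r = malloc(n), *p = r;
    if (!r)
        return NULL;
    memcpy(p, status, strlen(status)); p += strlen(status);
    memcpy(p, h1, strlen(h1));         p += strlen(h1);
    memset(p, 'A', type_len);          p += type_len;
    memcpy(p, h2, strlen(h2));         p += strlen(h2);
    memset(p, 'A', enc_len);           p += enc_len;
    memcpy(p, end, strlen(end) + 1);   /* includes the terminating NUL */
    return r;
}

/* Build a reply with the given value lengths and run the bounded parser
 * over it: 0 = accepted, -2 = rejected as oversize. */
int bounded_result(size_t type_len, size_t enc_len)
{
    char ctype[MAX_HDR_VALUE + 1], cenc[MAX_HDR_VALUE + 1];
    char *r = build_response(type_len, enc_len);
    int rc = r ? parse_bounded(r, ctype, cenc) : -1;
    free(r);
    return rc;
}
```

bounded_result(300, 300) returns -2 for the reply the CGI script above 
produces, while normal-length values (and values exactly at the limit) 
are accepted. The rejection is deliberate: a client that truncates an 
over-long Content-type instead of refusing the reply still parses 
attacker-chosen data, and a 300-byte value in either of these headers 
is not something a legitimate server sends.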



CREDITS
=======

The vulnerability was found and researched by Jouko Pynnönen 
<jouko@....fi>. The original report (as well as some of my other 
work) can be seen at my ex-employer's website:

  http://www.solutions.fi/index.cgi/news_2003_04_28?lang=eng

An exploit for this flaw was demonstrated at Kontakti.net's "Tekninen 
Tietoturva" seminar in Helsinki, April 2003.

Greets to: Minttu, Esa Etelävuori, Andreas Sandblad, Georgi Guninski,  
Solar Designer, DJ28.



-- 
Jouko Pynnonen          http://iki.fi/jouko/
jouko@....fi
