lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <31a4a60e-6947-06fd-7eba-d9ac77f5bd30@nwever.nl>
Date: Thu, 10 Nov 2016 11:18:03 +0100
From: Berend-Jan Wever <berendj@...ver.nl>
To: fulldisclosure@...lists.org, Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: [FD] WININET CHttpHeaderParser::ParseStatusLine out-of-bounds
 read details

Some additional information:

It was pointed out to me that I did not adequately explain that WININET
is widely used by Microsoft applications to handle HTTP requests,
*AND* probably be all third-party applications that use Windows APIs to
make HTTP requests. All these applications may be vulnerable to the
issue, though it may be hard to exploit in most (if not all).

According to Microsoft this issue affected MSIE and Edge and was fixed
through MS16-104 (MSIE) and MS16-105 (Edge). Unfortunately, the below
email failed to mention MS16-104.

I do not know why Microsoft did not mention other applications in their
bulletins, nor why they have two fixes for specific applications (their
browsers), rather than one fix for a component of the Windows Operating
System.

One wonders what would happen on a system where you have previously
uninstalled both MSIE and Edge: do neither of the fixes apply and will
your system be left vulnerable? Let me know if you found out!

Cheers,

SkyLined


On 10-11-2016 10:49, Berend-Jan Wever wrote:
> Throughout November, I plan to release details on vulnerabilities I
> found in web-browsers which I've not released before. This is the
> eight entry in that series, although this particular vulnerability does
> not just affect web-browsers, but all applications that use WININET to
> make HTTP requests.
> 
> The below information is available in more detail on my blog at
> http://blog.skylined.nl/20161110001.html. There you can find a repro
> that triggered this issue in addition to the information below.
> 
> Follow me on http://twitter.com/berendjanwever for daily browser bugs.
> 
> WININET CHttpHeaderParser::ParseStatusLine out-of-bounds read
> =============================================================
> (MS16-105, CVE-2016-3325)
> 
> Synopsis
> --------
> A specially crafted HTTP response can cause the `CHttpHeaderParser::
> ParseStatusLine` method in WININET to read data beyond the end of a
> buffer. The size of the read can be controlled through the HTTP
> response. An attacker that is able to get any application that uses
> WININET to make a request to a server under his/her control may be able
> to disclose information stored after this memory block. This includes
> Microsoft Internet Explorer.
> 
> Known affected versions, attack vectors and mitigations
> -------------------------------------------------------
> * WININET.dll
>   The issue was first discovered in pre-release Windows 10
>   fbl_release.140912-1613, which contained WININET.DLL version
>   11.00.9841.0.   This vulnerability appears to have been present in
>   all versions of Windows 10 since, up until the issue was addressed in
>   August 2016. As far as I can tell WININET is widely used by Microsoft
>   applications to handle HTTP requests. All these applications may be
>   vulnerable to the issue, though it may be hard to exploit in most (if
>   not all). No mitigations against the issue are known.
> 
> * Microsoft Internet Explorer
>   XMLHttpRequest can be used to trigger this issue - I have not tried
>   other vectors. To exploit the vulnerability, Javascript is most
>   likely required, so disabling Javascript should mitigate it.
> 
> * Microsoft Edge
>   XMLHttpRequest can be used to trigger this issue - I have not tried
>   other vectors. To exploit the vulnerability, Javascript is most
>   likely required, so disabling Javascript should mitigate it.
> 
> * Microsoft Windows Media Player
>   Opening a link to a media file on a malicious server can be used to
>   trigger the issue.
> 
> Description
> -----------
> When WININET is processing a `HTTP 100` response, it expects another
> HTTP response to follow. WININET stores all data received from the
> server into a buffer, uses a variable to store an index into this buffer
> to track where it is currently processing data, and uses another
> variable to store the length of the remaining data in the buffer.
> 
> When processing the headers of the `HTTP 100` request, the code updates
> the index correctly, but does not decrement the length variable. When
> the code processes the next request, the length variable is too large,
> which can cause the code to read beyond the end of the data received
> from the server. This may cause it to parse data stored in the buffer
> that was previously received as part of the current HTTP response, and
> can even cause it to do the same for data read beyond the end of the
> buffer. This can potentially lead to information disclosure.
> 
> The larger the `HTTP 100` response is, the more bytes the code reads
> beyond the end of the data. Here are some example responses and their
> effect:
> 
>   "HTTP 100\r\n\r\nX" (12 bytes in HTTP 100 response)
>     => read "X" and the next 11 bytes in memory as the next response.
>   "HTTP 100\r\n\r\nXXXX" (12 bytes in HTTP 100 response)
>     => read "XXXX" and the next 8 bytes in memory as the next response.
>   "HTTP 100XXX\r\n\r\nX" (15 bytes in HTTP 100 response)
>     => read "X" and the next 14 bytes in memory as the next response.
>   "HTTP 100XXX........XXX\r\n\r\nX..." (N bytes in HTTP 100 response)
>     => read "X" and the next (N-1) bytes in memory as the next response.
> 
> Exploit
> -------
> This issue is remarkably similar to [an issue in HTTP 1xx response
> handling I found in Google
> Chrome][https://code.google.com/p/chromium/issues/detail?id=299892] a
> while back. That issue allowed disclosure of information from the main
> process' memory through response headers. I attempted to leak some data
> using this vulnerability by using the following response:
> 
>   "HTTP 100XXX........XXX\r\nHTTP 200 X"
> 
> I was hoping this would cause the OOB read to save data from beyond the
> end of the `HTTP 200` reponse in the `statusText` property of the
> `XMLHttpRequest`, but I did not immediately see this happen; all I got
> was "OK" or an empty string.
> 
> Unfortunately, I did not have time to reverse the code and investigate
> further myself. All VCPs I submitted the issue to rejected it because
> they though it was not practically exploitable.
> 
> Time-line
> ---------
> * October 2014: This vulnerability was found through fuzzing.
> * October-November 2014: This vulnerability was submitted to ZDI,
>   iDefense and EIP.
> * November-December 2014: ZDI, iDefense and EIP all either reject the
>   submission because Windows 10 is in pre-release, or fail to respond.
> * August 2015: re-submitted to ZDI, iDefense and EIP, since Windows 10
>   is now in public release.
> * September-October 2015: ZDI, iDefense and EIP all either reject the
>   submission because they do not consider it practically exploitable,
>   or fail to respond.
> * June 2016: This vulnerability was reported to Microsoft with a 60-day
>   deadline to address the issue.
> * September 2016: The vulnerability was address by Microsoft in
>   MS16-105.
> * November 2016: Details of this issue are released.
> 
> Cheers,
> 
> SkyLined
> 


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ