Hey Folks, Elias has asked me to forward this writeup of the Netscape SmartDownload 1.3 Buffer Overflow Vulnerability to the list. This information has been published elsewhere but this is its first appearance on Bugtraq as it were. The format it is in is that of the commercial SecurityFocus Bugtraq Database, and if you have questions as to what some of the headings are there is a legend at the end of the advisory.

---------------------------------------------------------------------------

Security Alert

Subject: Netscape SmartDownload 1.3 Buffer Overflow Vulnerability

BUGTRAQ ID: 2615
CVE ID: CAN-2001-0262
Published: April 13, 2001
Updated: April 18, 2001
Remote: Yes
Local: No
Class: Boundary Condition Error
Credibility: Vendor Confirmed
Ease: Exploit Available
Impact: 10.00
Severity: 10.00
Urgency: 9.60
Last Change: Initial analysis.

---------------------------------------------------------------------------

Vulnerable Systems:
Netscape SmartDownload 1.3

Non-Vulnerable Systems:
Netscape SmartDownload 1.4

Summary:
A buffer overflow present in a DLL used by Netscape SmartDownload is exploitable even if the software is disabled.

Impact:
Successfully exploiting the buffer overflow in sdph20.dll would allow an attacker to execute arbitrary code as the currently logged in user. In Windows 95/98/Me, this means privileged access to all resources on the target host.

Technical Description:
Netscape SmartDownload adds pause, resume and auto-restart download capabilities to common web browsers such as Netscape Navigator, Microsoft Internet Explorer and NeoPlanet. It is installed by default with SmartDownload versions of Netscape Communicator, and marketed as an add-on "download manager" for other browsers. It is available for all Win32 platforms (Windows 95/98/Me, NT/2000).
All URLs visited by a user are analyzed and parsed by SmartDownload for MIME type and extension to determine if the SmartDownload dialog box should be presented, regardless of whether SmartDownload is enabled. URLs parsed include web pages viewed within the browser (including redirects), web pages within framesets and files spawned to external viewers. Images, embeds and targets of object tags are not parsed by SmartDownload.

A bug in the library 'sdph20.dll' used by SmartDownload prevents it from properly parsing URLs greater than 256 characters in length. The parsing code in sdph20.dll reserves 256 characters for a URL on the stack, but an unchecked lstrcpy will copy URLs of arbitrary length into that buffer, overwriting several local variables, the return address and other parts of the stack.

Analysis of sdph20.dll reveals that the ESI register will always point to a location in memory with a predictable offset from the start of the URL buffer after the parser function returns. This means that shellcode [1] within the URL can be reached with a CALL ESI or JMP ESI instruction if a known location containing either of those instructions is inserted in the return address (byte 272). If the overflow is successfully exploited, shellcode will be executed by the victim with the privileges of the currently logged in user. If the victim is using Windows 95, 98 or Me, the shellcode will be run with privileged access to all system resources (local Administrator access).

[1] SmartDownload places some restrictions on the characters permitted in a URL - namely, reserved URL characters such as # : ? and & are clipped or replaced. Additionally, the NULL character and some control characters (ASCII < 32) are rejected outright by some web browsers.

Attack Scenarios:
Attacker finds a memory location known to contain a JMP ESI or CALL ESI on the target host. Attacker creates a 1000-byte string designed to overflow the URL parser function in sdph20.dll.
The attacker places the ESI jump address at byte 272 of the string, and pads the remainder with equivalent-to-NOP characters such as 0x41 (A). The attacker creates shellcode and places it toward the end of the string. Attacker constructs a malicious web page containing a redirect to the URL or an invisible frame containing the URL and lures the victim to the web page. Attacker-supplied shellcode could, for example, download and install a trojan horse or backdoor program on the victim host.

Exploits:
A utility is available that generates a web page that will exploit this vulnerability. The exploit is intentionally crippled. This exploit written by the SecurityFocus staff is of special interest because it is executed transparently and without crashing the browser. A user who had this type of exploit leveraged against them by surfing otherwise innocent-seeming web pages would never know they had been attacked and possibly backdoored. There is a popular conception that client-side exploits like this (in terms of buffer overflows) will crash the browser and thereby alert the user to unusual activity. This is no longer the case.

http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz

Mitigating Strategies:
* Do not visit untrusted web sites

Solutions:
Netscape has released SmartDownload 1.4, which does not contain this bug.

For Netscape SmartDownload 1.3:
Netscape upgrade SmartDownload 1.4
http://home.netscape.com/download/smartdownload.html

Credit:
Submitted to vulnhelpat_private on 2 March, 2001 by Craig Davison <cdat_private>, Ryan Russell <ryanat_private> and Bruce Leidl <brl@core-sdi.com>. Also discovered independently by Frank Swiderski <fesat_private> and described in an @stake advisory which was released on 13 April, 2001.
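The Technical Description above puts the defect down to an unchecked lstrcpy of a URL into a 256-character stack buffer in sdph20.dll. The C below is an added illustration, not code from sdph20.dll, SecurityFocus or the exploit utility: it shows that copy pattern beside a checked version that rejects any URL that cannot fit, and checks the boundary with URLs of 255, 256 and 1000 characters. The extension-extraction helper, the function names and the URL-building helper are assumed for the example.

```c
#include <string.h>
#define URL_BUF_SIZE 256   /* stack buffer size the advisory reports for sdph20.dll */
/* Extension of buf's last path segment (after its final '.'; any ?query or
 * #fragment is cut off in place) into ext; 0 on success, -1 if none. Illustrative. */
static int copy_ext(char *buf, char *ext, size_t extsz)
{
    buf[strcspn(buf, "?#")] = '\0';
    const char *seg = strrchr(buf, '/');
    const char *dot = strrchr(seg ? seg + 1 : buf, '.');
    if (!dot || !dot[1] || strlen(dot + 1) >= extsz) return -1;
    strcpy(ext, dot + 1);
    return 0;
}
/* Vulnerable pattern: strcpy (lstrcpy on Win32) into a fixed stack buffer with
 * no length check; a URL of 256+ chars overwrites whatever lies above buf.
 * Shown for contrast only and never called. */
int parse_url_unchecked(const char *url, char *ext, size_t extsz)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);
    return copy_ext(buf, ext, extsz);
}
/* Hardened form: measure first; refuse anything that will not fit with its NUL. -1 = rejected. */
int parse_url_checked(const char *url, char *ext, size_t extsz)
{
    char buf[URL_BUF_SIZE];
    size_t len = 0;
    while (len < URL_BUF_SIZE && url[len] != '\0') len++;
    if (len >= URL_BUF_SIZE) return -1;   /* 255 chars + NUL is the most */
    memcpy(buf, url, len + 1);
    return copy_ext(buf, ext, extsz);
}
/* 1 if the checked parser accepts url and finds extension want, else 0. */
int checked_ext_is(const char *url, const char *want)
{
    char ext[16];
    return parse_url_checked(url, ext, sizeof ext) == 0 && !strcmp(ext, want);
}
/* Build "http://h/" + 'A' padding (the 0x41 filler the advisory mentions) +
 * ".exe", exactly n chars long; 1 if the checked parser accepts it, else 0. */
int accepts_url_of_length(size_t n)
{
    char url[2048];
    if (n < 13 || n >= sizeof url) return 0;   /* 9-char head + 4-char tail */
    memset(url, 'A', n);
    memcpy(url, "http://h/", 9);
    memcpy(url + n - 4, ".exe", 5);
    return checked_ext_is(url, "exe");
}
```

The checked parser accepts a 255-character URL (the longest that fits with its terminator) and rejects 256 and the advisory's 1000-byte string before any byte reaches the stack buffer.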
References:
web page: About SmartDownload (Netscape)
http://home.netscape.com/computing/download/smartdownload/ib/about.html
web page: Netscape SmartDownload Overflow (@stake)
http://www.atstake.com/research/advisories/2001/a041301-1.txt

ChangeLog:
Apr 18, 2001: Additional analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

BUGTRAQ ID: This is a unique identifier assigned to the vulnerability by SecurityFocus.com.
CVE ID: This is a unique identifier assigned to the vulnerability by the CVE.
Published: The date the vulnerability was first made public.
Updated: The date the information was last updated.
Remote: Whether this is a remotely exploitable vulnerability.
Local: Whether this is a locally exploitable vulnerability.
Credibility: Describes how credible the information about the vulnerability is. Possible values are:
  Conflicting Reports: There are multiple conflicting reports about the existence of the vulnerability.
  Single Source: There is a single non-reliable source reporting the existence of the vulnerability.
  Reliable Source: There is a single reliable source reporting the existence of the vulnerability.
  Conflicting Details: There is consensus on the existence of the vulnerability but not its details.
  Multiple Sources: There is consensus on the existence and details of the vulnerability.
  Vendor Confirmed: The vendor has confirmed the vulnerability.
Class: The class of vulnerability. Possible values are: Boundary Condition Error, Access Validation Error, Origin Validation Error, Input Validation Error, Failure to Handle Exceptional Conditions, Race Condition Error, Serialization Error, Atomicity Error, Environment Error, and Configuration Error.
Ease: Rates how easily the vulnerability can be exploited. Possible values are: No Exploit Available, Exploit Available, and No Exploit Required.
Impact: Rates the impact of the vulnerability. Its range is 1 through 10.
Severity: Rates the severity of the vulnerability. Its range is 1 through 10. It is computed from the impact rating and the remote flag. Remote vulnerabilities with a high impact rating receive a high severity rating. Local vulnerabilities with a low impact rating receive a low severity rating.
Urgency: Rates how quickly you should take action to fix or mitigate the vulnerability. Its range is 1 through 10. It is computed from the severity rating, the ease rating, and the credibility rating. High severity vulnerabilities with a high ease rating and a high confidence rating have a higher urgency rating. Low severity vulnerabilities with a low ease rating and a low confidence rating have a lower urgency rating.
Last Change: The last change made to the vulnerability information.
Vulnerable Systems: The list of vulnerable systems. A '+' preceding a system name indicates that one of the system components is vulnerable. For example, Windows 98 ships with Internet Explorer, so if a vulnerability is found in IE you may see something like:
  Microsoft Internet Explorer
  + Microsoft Windows 98
Non-Vulnerable Systems: The list of non-vulnerable systems.
Summary: A concise summary of the vulnerability.
Impact: The impact of the vulnerability.
Technical Description: The in-depth description of the vulnerability.
Attack Scenarios: Ways an attacker may make use of the vulnerability.
Exploits: Exploit instructions or programs.
Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability.
Credit: Information about who disclosed the vulnerability.
References: Sources of information on the vulnerability.
Related Resources: Resources that might be of additional value.
ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

Copyright 2001 SecurityFocus.com