Microsoft Internet Explorer Legacy Text Control Buffer Overflow (#NISR26082002)

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Mon Aug 26 2002 - 04:57:59 PDT

Next message: Matthew Murphy: "phpReactor - Cross-Site Scripting via STYLE"

Previous message: NGSSoftware Insight Security Research: "[VulnWatch] Microsoft Internet Explorer Legacy Text Control Buffer Overflow (#NISR26082002)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

NGSSoftware Insight Security Research Advisory

Name:    Microsoft Internet Explorer BufferOverrun
Systems Affected:  All versions IE
Severity:  Critical
Category: Indirect Remote Buffer Overrun
Vendor URL:   http://www.mircosoft.com
Author:   Mark Litchfield (markat_private)
Date:   26th August 2002
Advisory number: #NISR26082002


Description
***********

Microsoft® ActiveX® controls, formerly known as OLE controls or OCX
controls, are components (or objects) you can insert into a Web page or
other application to reuse packaged functionality someone else programmed.
Whether you use an ActiveX control (formerly called an OLE control) or a
Java object, Microsoft Visual Basic Scripting Edition and Microsoft Internet
Explorer handle it the same way.

Details
*******

An unchecked buffer exists in the ActiveX control used to display specially
formatted text.  This could be executed by encouraging an unsuspecting user
to visit a malicious web page including the below code.

<OBJECT
   classid="clsid:99B42120-6EC7-11CF-A6C7-00AA00A47DD2"
   id=lblActiveLbl
   width=250
   height=250
   align=left
   hspace=20
   vspace=0
>
<PARAM NAME="Angle" VALUE="90">
<PARAM NAME="Alignment" VALUE="4">
<PARAM NAME="BackStyle" VALUE="0">
<PARAM NAME="Caption" VALUE="long char string">
<PARAM NAME="FontName" VALUE="NGS Software Font">
<PARAM NAME="FontSize" VALUE="50">
<PARAM NAME="FontBold" VALUE="1">
<PARAM NAME="FrColor" VALUE="0">
</OBJECT>

By supplying an overly long value for the "Caption" parameter a saved return
address stored on the stack will be overwritten allowing an attacker to gain
control of Internet Explorer's path of execution. Any arbitary code would
execute in the context of the logged on user. By sending the intended targer
a specially crafted e-mail or by enticing them to a malicious website an
attacker will be able to gain remote control of that users desktop.

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 29th April 2002.
NGSSoftware highly recommend installing Microsoft Patch found at
http://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

Next message: Matthew Murphy: "phpReactor - Cross-Site Scripting via STYLE"
Previous message: NGSSoftware Insight Security Research: "[VulnWatch] Microsoft Internet Explorer Legacy Text Control Buffer Overflow (#NISR26082002)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Aug 26 2002 - 06:55:11 PDT