URLMON.DLL buffer overflow - technical details

From: Jouko Pynnonen (joukoat_private)
Date: Tue Jul 01 2003 - 16:02:34 PDT

Next message: Ed3f: "OpenBSD PF :: "rdr" information leakage"

Previous message: FraMe: "Greymatter v1.21d: Remote PHP command injection/execution."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OVERVIEW
========

Following are some technical details of the URLMON.DLL buffer overflow. 
An overall description can be found in this Bugtraq message:

  http://www.securityfocus.com/archive/1/319764

Microsoft released a patch to fix this issue in April (MS03-15). It can 
be found here:

  http://www.microsoft.com/technet/security/bulletin/MS03-15.asp



DETAILS
=======

The buffer overflow happens when a program using the vulnerable DLL 
(Internet Explorer, Outlook, possibly others) receives an HTTP reply 
which has excessively long values in both "Content-type" and 
"Content-encoding" fields.

By exploiting this vulnerability, an attacker can run arbitrary code on 
a victim's computer when a malicious web page or an HTML mail message 
is viewed. Starting up Outlook may be enough to trigger the exploit, 
since the program may open a preview of the first new message on 
startup.

No scripting, ActiveX, or even an IFRAME is needed - an IMG tag is 
enough. For this reason Security Zone settings don't have effect on 
this flaw. For some reason an IMG tag seems to be in fact required in 
order to produce an exploitable buffer overflow. If the malicious HTTP 
reply comes with a normal HTML document, Internet Explorer hangs or 
just exits without any comment.

If the requirements are met (both header fields containing correctly  
sized values, IMG tag used), the issue reduces to a trivial stack-based 
buffer overflow. The return address is overwritten by the 
"Content-encoding" value. An appropriate length for the values seems to 
be about 300 bytes.

To reproduce the buffer overflow, these files can be used:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
#!/usr/bin/perl
#
# Name this file as "urlmon-bo.cgi"
#
$LONG="A"x300;
print "Content-type: $LONG\r\n";
print "Content-encoding: $LONG\r\n";
print "\r\n";
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
<html>
<body>
<img src="urlmon-bo.cgi">
</body>
</html>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -

If you view the HTML file with Internet Explorer on a vulnerable 
system, the program will crash with EIP=0x41414141 (this at least 
happened on various test systems). The actual exploit is left as an 
excercise.



CREDITS
=======

The vulnerability was found and researched by Jouko Pynnönen 
<joukoat_private>. The original report (as well as some of my other 
work) can be seen at my ex-employer's website:

  http://www.solutions.fi/index.cgi/news_2003_04_28?lang=eng

An exploit for this flaw was demonstrated at Kontakti.net's "Tekninen 
Tietoturva" seminar in Helsinki, April 2003.

Greets to: Minttu, Esa Etelävuori, Andreas Sandblad, Georgi Guninski,  
Solar Designer, DJ28.



-- 
Jouko Pynnonen          http://iki.fi/jouko/
joukoat_private

Next message: Ed3f: "OpenBSD PF :: "rdr" information leakage"
Previous message: FraMe: "Greymatter v1.21d: Remote PHP command injection/execution."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 02 2003 - 15:20:33 PDT