COMMAND
SmartDownload
SYSTEMS AFFECTED
Netscape SmartDownload 1.3
PROBLEM
The following was submitted to vulnhelp@securityfocus.com on 2nd March
by Craig Davison, Ryan Russell and Bruce Leidl. It was also
discovered independently by Frank Swiderski and described in an
@stake advisory released on 13 April, 2001.
A buffer overflow present in a DLL used by Netscape SmartDownload
is exploitable even if the software is disabled.
Successfully exploiting the buffer overflow in sdph20.dll would
allow an attacker to execute arbitrary code as the currently
logged in user. In Windows 95/98/Me, this means privileged access
to all resources on the target host.
Netscape SmartDownload adds pause, resume and auto-restart
download capabilities to common web browsers such as Netscape
Navigator, Microsoft Internet Explorer and NeoPlanet. It is
installed by default with SmartDownload versions of Netscape
Communicator, and marketed as an add-on "download manager" for
other browsers. It is available for all Win32 platforms (Windows
95/98/Me, NT/2000).
All URLs visited by a user are analyzed and parsed by
SmartDownload for MIME type and extension to determine if the
SmartDownload dialog box should be presented, regardless of
whether SmartDownload is enabled. URLs parsed include web pages
viewed within the browser (including redirects), web pages within
framesets and files spawned to external viewers. Images, embeds
and targets of object tags are not parsed by SmartDownload.
A bug in the library 'sdph20.dll' used by SmartDownload prevents
it from properly parsing URLs greater than 256 characters in
length. The parsing code in sdph20.dll reserves 256 characters
for a URL on the stack but an unchecked lstrcpy will copy URLs
of arbitrary length into that buffer, overwriting several local
variables, the return address and other parts of the stack.
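As an added illustration (example code written for this page, not code from the advisory, from sdph20.dll or from Netscape), a hypothetical C parser that keeps the same fixed 256-byte stack buffer but checks the URL length before any copy, so an over-long URL is refused instead of overwriting the stack. The function and enum names, the control-character rejection and the simplified extension extraction are all assumptions.

```c
#include <stdio.h>
#include <string.h>
#define URL_BUF_SIZE 256  /* the fixed stack buffer size described in the advisory */
/* Result codes (hypothetical; not the DLL's own). */
enum url_parse_result { URL_OK = 0, URL_TOO_LONG = -1, URL_BAD_CHAR = -2 };
/*
 * Hardened form of the pattern in the advisory: the URL is copied into a
 * fixed 256-byte stack buffer to extract its extension, but the length is
 * checked first, so a 1000-byte URL is refused rather than overwriting the
 * locals and the return address. ext_out gets the extension without the dot.
 */
enum url_parse_result parse_url_extension(const char *url, char *ext_out, size_t ext_len)
{
    char buf[URL_BUF_SIZE];
    size_t n = strlen(url);              /* input is a NUL-terminated C string */
    if (n >= sizeof buf)                 /* no room for the terminator: refuse */
        return URL_TOO_LONG;
    for (size_t i = 0; i < n; i++)       /* control characters are not valid URL text */
        if ((unsigned char)url[i] < 32)
            return URL_BAD_CHAR;
    memcpy(buf, url, n + 1);             /* bounded by the check above */
    buf[strcspn(buf, "?#")] = '\0';      /* drop query string and fragment */
    const char *slash = strrchr(buf, '/');
    const char *seg = slash ? slash + 1 : buf;   /* last path segment */
    const char *dot = strrchr(seg, '.');
    if (dot == NULL || dot[1] == '\0') {
        if (ext_len) ext_out[0] = '\0';  /* no extension */
        return URL_OK;
    }
    snprintf(ext_out, ext_len, "%s", dot + 1);  /* output buffer is bounded too */
    return URL_OK;
}
/* Stand-alone demonstration with constructed inputs. */
int main(void)
{
    char ext[16];
    char long_url[1001];
    memset(long_url, 'A', 1000);         /* constructed 1000-byte URL, the length the advisory cites */
    long_url[1000] = '\0';
    int r = parse_url_extension("http://example.test/files/setup.exe", ext, sizeof ext);
    printf("%d %s\n", r, ext);           /* 0 exe */
    printf("%d\n", parse_url_extension(long_url, ext, sizeof ext));  /* -1 */
    return 0;
}
```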
Analysis of sdph20.dll reveals that the ESI register will always
point to a location in memory with a predictable offset from the
start of the URL buffer after the parser function returns. This
means that shellcode within the URL can be reached with a CALL ESI
or JMP ESI instruction if a known location containing either of
those instructions is inserted in the return address (byte 272).
SmartDownload places some restrictions on the characters permitted
in a URL: reserved URL characters such as # : ? and & are clipped
or replaced. Additionally, the NULL character and some control
characters (ASCII < 32) are rejected outright by some web browsers.
If the overflow is successfully exploited, shellcode will be
executed by the victim with the privileges of the currently logged
in user. If the victim is using Windows 95, 98 or Me, the
shellcode will be run with privileged access to all system
resources (local Administrator access).
Attacker finds a memory location known to contain a JMP ESI or
CALL ESI on the target host. Attacker creates a 1000-byte string
designed to overflow the URL parser function in sdph20.dll. The
attacker places the ESI jump address at byte 272 of the string,
and pads the remainder with equivalent-to-NOP characters such as
0x41 (A). The attacker creates shellcode and places it toward
the end of the string.
The attacker constructs a malicious web page containing a redirect
to the URL, or an invisible frame containing it, and lures the
victim to the page. Attacker-supplied shellcode could, for example,
download and install a trojan horse or backdoor program on the
victim host.
A utility is available that generates a web page that will exploit
this vulnerability. The exploit is intentionally crippled. This
exploit, written by the SecurityFocus staff, is of special interest
because it is executed transparently and without crashing the
browser. A user who had this type of exploit leveraged against
them by surfing otherwise innocent-seeming web pages would never
know they had been attacked and possibly backdoored. There is a
popular conception that client-side exploits of this kind (buffer
overflows) will crash the browser and thereby alert the user to
unusual activity. This is no longer the case.
http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz
SOLUTION
Netscape has released SmartDownload 1.4, which does not contain
this bug. Upgrade to Netscape SmartDownload 1.4:
http://home.netscape.com/download/smartdownload.html