COMMAND

    SmartDownload

SYSTEMS AFFECTED

    Netscape SmartDownload 1.3

PROBLEM

    The following was submitted to vulnhelp@securityfocus.com on 2nd March
    by Craig Davison, Ryan Russell and Bruce Leidl. It was also
    discovered independently by Frank Swiderski and described in an
    @stake advisory released on 13 April, 2001.

    A buffer overflow present in a DLL used by Netscape  SmartDownload
    is exploitable even if the software is disabled.

    Successfully exploiting  the buffer  overflow in  sdph20.dll would
    allow  an  attacker  to  execute  arbitrary  code as the currently
    logged in user.  In Windows 95/98/Me, this means privileged access
    to all resources  on the target host.

    Netscape  SmartDownload  adds   pause,  resume  and   auto-restart
    download  capabilities  to  common  web  browsers such as Netscape
    Navigator,  Microsoft  Internet  Explorer  and  NeoPlanet.   It is
    installed  by  default  with  SmartDownload  versions  of Netscape
    Communicator, and  marketed as  an add-on  "download manager"  for
    other browsers.  It is available  for all Win32 platforms (Windows
    95/98/Me, NT/2000).

    All URLs visited by a user are analyzed and parsed by SmartDownload
    for MIME type and extension to determine if the SmartDownload
    dialog box should be presented, regardless of whether SmartDownload
    is enabled. URLs parsed include web pages viewed within the browser
    (including redirects), web pages within framesets and files spawned
    to external viewers. Images, embeds and targets of object tags are
    not parsed by SmartDownload.

    A bug in the library 'sdph20.dll' used by SmartDownload prevents
    it from properly parsing URLs greater than 256 characters in
    length. The parsing code in sdph20.dll reserves 256 characters
    for a URL on the stack, but an unchecked lstrcpy will copy URLs
    of arbitrary length into that buffer, overwriting several local
    variables, the return address and other parts of the stack.
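    The unchecked-copy pattern the advisory describes, beside a bounded
    form that refuses URLs that cannot fit the 256-character buffer, as
    an added illustration in C that is not code from the advisory,
    SecurityFocus or Netscape; the function names, the portable strcpy
    standing in for lstrcpy and the sample URL are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF 256   /* the 256-character stack reservation the advisory describes */
/* Extension after the last '.' of the last path segment, or "" if there is none. */
static const char *path_extension(const char *url) {
    static char ext[32];
    const char *slash = strrchr(url, '/');
    const char *dot = strrchr(slash ? slash + 1 : url, '.');
    size_t n = (dot && dot[1]) ? strlen(dot + 1) : 0;
    if (n >= sizeof ext) n = sizeof ext - 1;     /* bound this copy as well */
    memcpy(ext, dot ? dot + 1 : "", n);
    ext[n] = '\0';
    return ext;
}

/* The vulnerable pattern: an unchecked copy (lstrcpy on Win32) into a fixed stack
 * buffer; a longer URL overwrites the locals and return address. Never called here. */
const char *parse_url_unchecked(const char *url) {
    char buf[URL_BUF];
    strcpy(buf, url);
    return path_extension(buf);
}

/* Hardened form: measure first, refuse what cannot fit, then copy exactly. */
const char *parse_url_bounded(const char *url) {
    char buf[URL_BUF];
    size_t n = strlen(url);
    if (n >= sizeof buf)      /* no room for the terminator: reject, do not truncate */
        return NULL;
    memcpy(buf, url, n + 1);
    return path_extension(buf);
}

/* Constructed sample input (not from the advisory): a URL well past 256 characters. */
const char *constructed_long_url(void) {
    static char url[400];
    size_t pre = strlen("http://host.example/");
    memcpy(url, "http://host.example/", pre);
    memset(url + pre, 'A', 300);
    memcpy(url + pre + 300, ".exe", 5);       /* 324 characters plus terminator */
    return url;
}

int main(void) {
    printf("short URL -> extension '%s'\n", parse_url_bounded("http://host.example/files/setup.exe"));
    printf("long URL  -> %s\n", parse_url_bounded(constructed_long_url()) ? "accepted" : "rejected");
    return 0;
}
```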

    Analysis of sdph20.dll reveals that the ESI register will always
    point to a location in memory with a predictable offset from the
    start of the URL buffer after the parser function returns. This
    means that shellcode within the URL can be reached with a CALL ESI
    or JMP ESI instruction if a known location containing either of
    those instructions is inserted in the return address (byte 272).
    Note that SmartDownload places some restrictions on the characters
    permitted in a URL: reserved URL characters such as #, :, ? and &
    are clipped or replaced. Additionally, the NULL character and some
    control characters (ASCII < 32) are rejected outright by some web
    browsers.

    If  the  overflow  is  successfully  exploited,  shellcode will be
    executed by the victim with the privileges of the currently logged
    in  user.   If  the  victim  is  using  Windows  95, 98 or Me, the
    shellcode  will  be  run  with  privileged  access  to  all system
    resources (local Administrator access).

    Attacker finds  a memory  location known  to contain  a JMP ESI or
    CALL ESI on the target host.  Attacker creates a 1000-byte  string
    designed to overflow the URL  parser function in sdph20.dll.   The
    attacker places the  ESI jump address  at byte 272  of the string,
    and pads the remainder  with equivalent-to-NOP characters such  as
    0x41 (A).   The attacker  creates shellcode  and places  it toward
    the end of the string.

    Attacker constructs a malicious webpage containing a redirect to
    the URL or an invisible frame containing the URL and lures the
    victim to the webpage. Attacker-supplied shellcode could, for
    example, download and install a trojan horse or backdoor program
    on the victim host.

    A utility is available that generates a web page that will exploit
    this vulnerability. The exploit is intentionally crippled. This
    exploit, written by the SecurityFocus staff, is of special interest
    because it is executed transparently and without crashing the
    browser. A user who had this type of exploit leveraged against
    them by surfing otherwise innocent-seeming web pages would never
    know they had been attacked and possibly backdoored. There is a
    popular conception that client-side exploits like this (in terms
    of buffer overflows) will crash the browser and thereby alert the
    user to unusual activity. This is no longer the case.

        http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz

SOLUTION

    Netscape has released SmartDownload 1.4, which does not contain
    this bug. The SmartDownload 1.4 upgrade is available from Netscape:

        http://home.netscape.com/download/smartdownload.html