[476] in Best-of-Security


BoS: [NTSEC] Alert:IE4 can execute native code by viewing remote HTML document (fwd)

daemon@ATHENA.MIT.EDU (Rafi Sadowsky)
Sun Nov 16 11:13:42 1997

Delivered-To: best-of-security-mtg@menelaus.mit.edu
Old-X-Envelope-From: rafi@tavor.openu.ac.il  Wed Nov 12 10:02:19 1997
Date: Tue, 11 Nov 1997 14:55:23 +0200 (IST)
From: Rafi Sadowsky <rafi@tavor.openu.ac.il>
Cc: Israeli CERT List <CERT-L@taunivm.tau.ac.il>
Old-X-Originally-To: To: Best Of Security List <best-of-security@suburbia.net>
Old-X-Originated-From: From: Rafi Sadowsky <rafi@tavor.openu.ac.il>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au





-- 
Rafi Sadowsky                                   rafi@oumail.openu.ac.il
Network/System/Security  VoiceMail: +972-3-646-0592   FAX: +972-3-646-5410
       Mangler ( :-)      |    member  ILAN-CERT(CERT-L@VM.TAU.AC.IL)
Open University of Israel |   (PGP key -> )  http://telem.openu.ac.il/~rafi


---------- Forwarded message ----------
Date: Tue, 11 Nov 1997 11:09:38 +0200
From: "Roman Rutman (sw)" <roman@softwinter.com>
To: "'ntsecurity@iss.net'" <ntsecurity@iss.net>
Subject: [NTSEC] Alert:IE4 can execute native code by viewing remote HTML document


I removed the file 'infect.htm' because I think it is unethical to relay
possible malicious code into other people's email boxes.
(And who knows, I could just put in the new Pentium bug also <g>)

No need to say that the first feelings I had about IE4 were right:
it's inadequate and insecure, and it is certainly making things slow
down to a crawl. Wonder if MS has any connection with RAM
manufacturers?


Read and enjoy :-) and keep those 'amazing' discoveries rolling in.

Best Regards,

  Roman Rutman

 Sentry 2020 - NT transparent on-the-fly disk encryption 
http://www.softwinter.com/sentry.html


      Document:  L0pht Security Advisory
    URL Origin:  http://l0pht.com/advisories.html
  Release Date:  November 1st, 1997
   Application:  Microsoft Internet Explorer 4.0 Suite
      Severity:  Viewing remote HTML content can execute arbitrary native code
        Author:  dildog@l0pht.com
 Operating Sys:  Windows 95

-------------------------------------------------------------------------------

 ========
 Scenario
 ========

  The Microsoft Internet Explorer 4.0 Suite, including all programs supplied
  with it that read and/or process HTML from either local machines, intranet
  machines, or remote internet machines, is subject to a buffer overflow in the
  HTML decoding process. The buffer overflow can cause the application to page
  fault, or in the worst case, execute arbitrary precompiled native code.

 =======
 Example
 =======

  1. Copy the supplied HTML file(s) into a location that is accessible via the
     target application.
  2. Point to it. Look at it.
  3. Click on the link. (or let someone click it for you)
  4. Become aware of what happens to your machine.
  5. Freak out and beg Microsoft to make the bad man stop.

 =================
 Technical Details
 =================

  The problem here lies in the deciphering of the URL line format itself. The
  base HTML library that is used by the Internet Explorer 4.0 Suite and the
  following programs are vulnerable:

        - Outlook Express (both mail and news)
        - Windows Explorer
        - Internet Explorer (different than regular explorer, really)

  This problem, because it stems from a programming flaw in the HTML decoding
  system, is unaffected by the Explorer "Security Zones" feature. In other
  words, if you turn on the highest security level for the zone from where the
  exploit HTML is being viewed, you are still vulnerable.

  The critical problem here is a buffer overflow in the parsing of a particular
  new type of URL protocol. The "res://" type of URL is meant to allow access
  to a local resource embedded in a local DLL file. This is useful for
  archiving entire websites into a DLL and is not, in its truest concept, a
  security flaw.

  For example, to read something out of the IE4.0 Tour (stored in a DLL) try
  the following URL: res://ie4tour.dll/page1-6.htm

  The buffer overflow is on the actual filename specified. To crash your
  machine go ahead and try res://blahblahblah ... blahblah/ in your Internet
  Explorer window where the amount of 'blah' equals 265 characters.

  The function that goes through the filename and validates it is flawed on
  Windows 95. Without checking the length, the filename is uppercased,
  concatenated with '.DLL' if it isn't there already, and in the process,
  copied into a fixed size buffer.

 ========
 Solution
 ========

  Currently, there is no solution available for this flaw. You can't set any
  Internet Explorer options to avoid it, and you are not protected by any
  level of zone security. Simply don't surf the web, read email or view
  net news using Internet Explorer 4.0 until Microsoft puts up a hotfix.

 ============
 Exploit Code
 ============


    Here we go...
    When constructing the exploit we want to try something useful.
    Let's start with appending text of your choice to AUTOEXEC.BAT...
    (note that running native code lets you do pretty much anything you want)

    Note that the location of the exploit string in the stack is very important
    and it varies from target application to target application.

    Constructing the exploit string:
    Figure out stack location for exploit code...

        App                     Loc
        Internet Explorer       0x0057C144
        Windows Explorer        0x0088A0F4
        ...

    Yeah, I know that those locations have null bytes in them and you can't
    put those (or lowercase letters, or CR/LF or 0x07 or anything like that)
    in the exploit string... but we'll let Microsoft fix that for us. Step thru
    the process to see IE add that extra null character for you. Will they
    ever cease to amaze...

    Put together what you wanna do, tack on the necessary jump addresses and
    all that. That's it.


And now, UUENCODED to preserve freshness:

*************************************************************************
* MAKE SURE YOU RUN THIS EXPLOIT WITH __INTERNET__ EXPLORER, _NOT_      *
* REGULAR OL' WINDOWS EXPLORER. (put it on a website and download it or *
* click on the IE desktop icon (run iexplore.exe) and type in the name  *
* of the file into the URL line)  IT WON'T WORK OTHERWISE!!!!           *
*                                (though it could be made to do so)     *
*************************************************************************

----====/ SNIP

section 1 of uuencode 5.20 of file infect.htm    by R.E.M.


sum -r/size 62455/917 section (from "begin" to "end")
sum -r/size 5779/643 entire input file

/====---- SNIP


A haiku:

 Microsoft IE
 Is there no security?
 Not if you ask me.

dildog@l0pht.com (11/1/97)

-------------------------------------------------------------------------------

For more L0pht (that's L - zero - P - H - T) advisories check out:
http://l0pht.com/advisories.html 
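The "Technical Details" section of the advisory above says the Windows 95 res:// handler uppercases the DLL name, appends '.DLL' if it is not already there, and copies the result into a fixed-size buffer without ever checking the length. The following is an added example, not part of the forwarded advisory and not Microsoft's code: a bounded re-implementation of that normalisation step in C that performs the length check before any byte is written, so an over-long name (the advisory's 265-character case) is rejected instead of overflowing. The 260-byte buffer size, the function and enum names, the error codes and the constructed test inputs are all assumptions.

```c
/* Added example: bounded res:// DLL-name normalisation with the length check
 * the advisory says the Windows 95 handler lacked. Not the original code;
 * buffer size, names and error codes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DLL_NAME_MAX 260   /* assumed fixed buffer size for the DLL name */

enum res_status { RES_OK = 0, RES_BAD_SCHEME = 1, RES_TOO_LONG = 2, RES_EMPTY = 3 };

/* Takes "res://<dll>/<resource>" and writes the normalised DLL name
 * (uppercased, ".DLL" appended when absent) into out[out_size].
 * The required length is computed and checked BEFORE anything is copied. */
enum res_status res_normalize_dll(const char *url, char *out, size_t out_size)
{
    const char *prefix = "res://";
    size_t plen = strlen(prefix);
    if (strncmp(url, prefix, plen) != 0)
        return RES_BAD_SCHEME;

    const char *name = url + plen;
    const char *slash = strchr(name, '/');
    size_t name_len = slash ? (size_t)(slash - name) : strlen(name);
    if (name_len == 0)
        return RES_EMPTY;

    /* Does the name already end in ".dll" (case-insensitively)? */
    const char *suffix = ".DLL";
    size_t slen = strlen(suffix);
    int has_suffix = name_len >= slen;
    for (size_t i = 0; has_suffix && i < slen; i++)
        if (toupper((unsigned char)name[name_len - slen + i]) != suffix[i])
            has_suffix = 0;

    /* The missing step: name + optional suffix + NUL must fit the buffer. */
    size_t needed = name_len + (has_suffix ? 0 : slen) + 1;
    if (needed > out_size)
        return RES_TOO_LONG;

    for (size_t i = 0; i < name_len; i++)
        out[i] = (char)toupper((unsigned char)name[i]);
    out[name_len] = '\0';
    if (!has_suffix)
        memcpy(out + name_len, suffix, slen + 1);   /* copies the NUL too */
    return RES_OK;
}

/* Helper: 1 if url normalises successfully to exactly `expected`, else 0. */
int normalizes_to(const char *url, const char *expected)
{
    char out[DLL_NAME_MAX];
    if (res_normalize_dll(url, out, sizeof out) != RES_OK)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Helper: build a constructed "res://blahblah.../" URL whose DLL name is
 * n characters long (cycling "blah"), and report how the parser treats it. */
enum res_status check_long_name(size_t n)
{
    char out[DLL_NAME_MAX];
    char *url = malloc(n + 8);            /* "res://" + n chars + "/" + NUL */
    if (!url)
        return RES_TOO_LONG;              /* treat allocation failure as a reject */
    memcpy(url, "res://", 6);
    for (size_t i = 0; i < n; i++)
        url[6 + i] = "blah"[i % 4];
    url[6 + n] = '/';
    url[7 + n] = '\0';
    enum res_status s = res_normalize_dll(url, out, sizeof out);
    free(url);
    return s;
}

int main(void)
{
    char out[DLL_NAME_MAX];
    /* The advisory's own example URL normalises to IE4TOUR.DLL */
    if (res_normalize_dll("res://ie4tour.dll/page1-6.htm", out, sizeof out) == RES_OK)
        printf("ok: %s\n", out);
    /* 265 characters of 'blah': rejected rather than overflowing */
    printf("265-char name -> status %d\n", (int)check_long_name(265));
    return 0;
}
```

With a 260-byte buffer the longest acceptable name without an extension is 255 characters (255 + 4 for ".DLL" + 1 for the terminator); anything longer is refused up front, which is the whole difference between this version and the behaviour the advisory describes.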



