Internet Explorer Compressed Content URL Heap Overflow Vulnerability
Release Date:
August 24, 2006
Date Reported:
August 17, 2006
Severity:
High (Code Execution)
Systems Affected:
Internet Explorer 6 SP1 with MS06-042 - Windows 2000
Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1
Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the MS06-042 cumulative Internet Explorer update that would allow an
attacker to execute arbitrary code on the system of a victim who
attempts to access a malicious URL. Only Windows 2000 and Windows XP SP1
systems running Internet Explorer 6 SP1 with the MS06-042 patch applied
are vulnerable.
The heap overflow occurs when URLMON.DLL attempts to handle a long URL
for which the web server's response indicated GZIP or deflate encoding.
This means that the user interaction requirement for this attack is
negligible, since clicking a hyperlink, visiting a malicious web page,
or even attempting to view an image for which the source is a malicious
URL, permits exploitation of the vulnerability. Furthermore, the
attacker is not required to control a web server in order to serve up a
specially-crafted response, since any compressed response -- even an
error message -- is sufficient to cause the overflow, regardless of its
content.
Technical Details:
URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch
for Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains
a heap buffer overflow vulnerability due to an incongruous use of
lstrcpynA. CMimeFt::Create allocates a 390h-byte heap block for a new
instance of the CMimeFt class, within which there is a 104h
(MAX_PATH)-byte ASCII string buffer at offset +160h:
1A4268DD push 390h ; cb
1A4268E2 call ??2@YAPAXI@Z ; operator new(uint)
When an access to a URL elicits a GZIP- or deflate-encoded response from
the web server, CMimeFt::Start will attempt to copy the URL into the
104h-byte string buffer using the lstrcpynA API function, but it passes
a maximum length argument of 824h (2084 decimal), a value typically used
as the maximum length of a URL:
1A426199 push 824h ; iMaxLength
1A42619E push eax ; lpString2
1A42619F add esi, 160h
1A4261A5 push esi ; lpString1
1A4261A6 call ds:lstrcpynA
As a result, fields within the CMimeFt class instance as well as the
contents of adjacent heap blocks can be overwritten with
attacker-supplied data from the malicious URL.
URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH
both as the buffer size and as the maximum copy length, while URLMON.DLL
in the patch for Windows XP SP2 and Windows 2003 uses 824h in both
places.
This issue was originally documented as an Internet Explorer crash in
Microsoft Knowledge Base Article KB923762
(http://support.microsoft.com/?kbid=923762; Revision 2.0 as of August
21st), in response to numerous reports of conflicts between the MS06-042
patch and various HTTP-based software products, dating back to at least
August 11th. eEye independently discovered the flaw on August 15th and
subsequently reported it to Microsoft on the 17th.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.
Vendor Status:
Microsoft has released a new version of the MS06-042 patch to correct
this vulnerability. The revised patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx.
Note that installing the original release of the MS06-042 update causes
a system to become vulnerable, so the version 2.0 release of the
MS06-042 patch will need to be applied in order to secure that system.
Systems with the hotfix described in Microsoft Knowledge Base Article
KB923762 (http://support.microsoft.com/?kbid=923762) applied are not
susceptible to this vulnerability, although the MS06-042 v2.0 patch
should still be installed on these systems.
Credit:
Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Greetings:
Unexpected exits.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@xxxxxxxx for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.
<<winmail.dat>>