Internet Explorer Compressed Content URL Heap Overflow Vulnerability Release Date: August 24, 2006 Date Reported: August 17, 2006 Severity: High (Code Execution) Systems Affected: Internet Explorer 6 SP1 with MS06-042 - Windows 2000 Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1 Overview: eEye Digital Security has discovered a heap overflow vulnerability in the MS06-042 cumulative Internet Explorer update that would allow an attacker to execute arbitrary code on the system of a victim who attempts to access a malicious URL. Only Windows 2000 and Windows XP SP1 systems running Internet Explorer 6 SP1 with the MS06-042 patch applied are vulnerable. The heap overflow occurs when URLMON.DLL attempts to handle a long URL for which the web server's response indicated GZIP or deflate encoding. This means that the user interaction requirement for this attack is negligible, since clicking a hyperlink, visiting a malicious web page, or even attempting to view an image for which the source is a malicious URL, permits exploitation of the vulnerability. Furthermore, the attacker is not required to control a web server in order to serve up a specially-crafted response, since any compressed response -- even an error message -- is sufficient to cause the overflow, regardless of its content. Technical Details: URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch for Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains a heap buffer overflow vulnerability due to an incongruous use of lstrcpynA. CMimeFt::Create allocates a 390h-byte heap block for a new instance of the CMimeFt class, within which there is a 104h (MAX_PATH)-byte ASCII string buffer at offset +160h: 1A4268DD push 390h ; cb 1A4268E2 call ??2@YAPAXI@Z ; operator new(uint) When an access to a URL elicits a GZIP- or deflate-encoded response from the web server, CMimeFt::Start will attempt to copy the URL into the 104h-byte string buffer using the lstrcpynA API function, but it passes a maximum length argument of 824h (2084 decimal), a value typically used as the maximum length of a URL: 1A426199 push 824h ; iMaxLength 1A42619E push eax ; lpString2 1A42619F add esi, 160h 1A4261A5 push esi ; lpString1 1A4261A6 call ds:lstrcpynA As a result, fields within the CMimeFt class instance as well as the contents of adjacent heap blocks can be overwritten with attacker-supplied data from the malicious URL. URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH both as the buffer size and as the maximum copy length, while URLMON.DLL in the patch for Windows XP SP2 and Windows 2003 uses 824h in both places. This issue was originally documented as an Internet Explorer crash in Microsoft Knowledge Base Article KB923762 (http://support.microsoft.com/?kbid=923762; Revision 2.0 as of August 21st), in response to numerous reports of conflicts between the MS06-042 patch and various HTTP-based software products, dating back to at least August 11th. eEye independently discovered the flaw on August 15th and subsequently reported it to Microsoft on the 17th. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability. Vendor Status: Microsoft has released a new version of the MS06-042 patch to correct this vulnerability. The revised patch is available at: http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx. Note that installing the original release of the MS06-042 update causes a system to become vulnerable, so the version 2.0 release of the MS06-042 patch will need to be applied in order to secure that system. Systems with the hotfix described in Microsoft Knowledge Base Article KB923762 (http://support.microsoft.com/?kbid=923762) applied are not susceptible to this vulnerability, although the MS06-042 v2.0 patch should still be installed on these systems. Credit: Derek Soeder Related Links: Retina Network Security Scanner - Free Trial Blink Endpoint Vulnerability Prevention - Free Trial Greetings: Unexpected exits. Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@xxxxxxxx for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
<<winmail.dat>>