The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Internet Explorer Install Engine Control Buffer Overflow
(MS04-038)
------------------------------------------------------------------------
SUMMARY
All versions of Microsoft Windows, with Microsoft Internet Explorer, come
packaged with the Microsoft Active Setup/Install Engine components. These
components are marked as safe for scripting and can be invoked by default
from any basic web-page.
The Install Engine control has been found to be vulnerable to an integer
overflow, leading to a heap based buffer overflow which could allow an
attacker to run arbitrary code on a vulnerable system through a specially
crafted web-page or through a specially crafted HTML email if scripting is
enabled.
DETAILS
When calling the SetCifFile() method provided by the Active Setup Controls
ActiveX component 'asctrls.ocx', if the first parameter (the '.cab' file
name) is a string of a length in excess of about 2kb, an integer overflow
occurs when attempting to calculate the buffer space allowed for copying
the base URL.
The vulnerable code path will only be executed if the 'BaseURL' property
has previously been set. The value stored as this property is the first
string which can be made to overflow the heap.
After the base URL is copied into the buffer, the string which we have
provided as the cab file name is concatenated onto the end of our buffer
without any length checking, making it the second string which can
overflow the heap.
The vulnerable code is located within the Install Engine Control module
('inseng.dll') which is provided with the Active Setup Controls component,
both of which can be found in the 'System32' folder in the Windows
directory.
The vulnerable code can be seen below:
MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrcpynA>] ; kernel32.lstrcpynA()
...
PUSH DWORD PTR SS:[EBP+C] ; /String = Cab file name
AND BYTE PTR DS:[ESI],0 ; |
CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA()
MOV ECX,822 ; Max buffer size
SUB ECX,EAX ; Calculate remaining buffer space - integer overflow!
PUSH ECX ; /n = Unchecked value - remaining buffer space!
PUSH DWORD PTR SS:[EBP-8] ; |String2 = BaseURL property value
PUSH ESI ; |String1 = 0x822 bytes heap buffer
CALL EBX ; \lstrcpynA()
MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA()
PUSH inseng.66561C84 ; /StringToAdd = "/"
PUSH ESI ; |ConcatString = Our heap buffer
CALL EDI ; \lstrcatA()
PUSH DWORD PTR SS:[EBP+C] ; /StringToAdd = Our Cab file name
PUSH ESI ; |ConcatString = Our heap buffer
CALL EDI ; \lstrcatA()
Fix Information:
Microsoft have released an update for Microsoft Internet Explorer which is
set to address this issue. This can be downloaded from:
<http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx>
http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
ADDITIONAL INFORMATION
The information has been provided by <mailto:nisr@nextgenss.com>
NGSSoftware Insight Security Research.
The original article can be found at:
<http://www.ngssoftware.com/advisories/msinsengfull.txt>
http://www.ngssoftware.com/advisories/msinsengfull.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
