Subject: [NT] Internet Explorer Compressed Content URL Heap Overflow
Date: 29 Aug 2006 16:56:06 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Internet Explorer Compressed Content URL Heap Overflow
------------------------------------------------------------------------


SUMMARY

A heap overflow vulnerability has been discovered in Internet Explorer 
that allows an attacker to execute arbitrary code on the system of a victim 
who attempts to access a malicious URL.

DETAILS

Vulnerable Systems:
 * Internet Explorer 6 SP1 with MS06-042 - Windows 2000
 * Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1

eEye Digital Security has discovered a heap overflow vulnerability in the 
MS06-042 cumulative Internet Explorer update that would allow an attacker 
to execute arbitrary code on the system of a victim who attempts to access 
a malicious URL. Only Windows 2000 and Windows XP SP1 systems running 
Internet Explorer 6 SP1 with the MS06-042 patch applied are vulnerable.

The heap overflow occurs when URLMON.DLL attempts to handle a long URL for 
which the web server's response indicated GZIP or deflate encoding. This 
means that the user interaction requirement for this attack is negligible, 
since clicking a hyperlink, visiting a malicious web page, or even 
attempting to view an image for which the source is a malicious URL, 
permits exploitation of the vulnerability.  Furthermore, the attacker is 
not required to control a web server in order to serve up a 
specially-crafted response, since any compressed response -- even an  
error message -- is sufficient to cause the overflow, regardless of its 
content.

URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch for 
Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains a 
heap buffer overflow vulnerability because the maximum length passed to 
lstrcpynA does not match the size of the destination buffer. 
CMimeFt::Create allocates a 390h-byte heap block for a new instance of 
the CMimeFt class, within which there is a 104h (MAX_PATH)-byte ASCII 
string buffer at offset +160h:

    1A4268DD    push    390h            ; cb
    1A4268E2    call    ??2@YAPAXI@Z    ; operator new(uint)

When an access to a URL elicits a GZIP- or deflate-encoded response from 
the web server, CMimeFt::Start will attempt to copy the URL into the 
104h-byte string buffer using the lstrcpynA API function, but it passes a 
maximum length argument of 824h (2084 decimal), a value typically used as 
the maximum length of a URL:

    1A426199    push    824h            ; iMaxLength
    1A42619E    push    eax             ; lpString2
    1A42619F    add     esi, 160h
    1A4261A5    push    esi             ; lpString1
    1A4261A6    call    ds:lstrcpynA

As a result, fields within the CMimeFt class instance as well as the 
contents of adjacent heap blocks can be overwritten with attacker-supplied 
data from the malicious URL.
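The following C program is an added illustration, not code from eEye or from URLMON.DLL. It rebuilds the layout the advisory describes (a 390h-byte object with a 104h-byte buffer at +160h) as a flat byte arena, replaces lstrcpynA with a portable stand-in that has the same semantics (copy at most iMaxLength-1 bytes, then NUL-terminate), and runs the copy once with the v1 patch's 824h limit and once with a limit equal to the buffer size. The 4-byte field placed at +264h and the "adjacent heap block" after the object are assumptions for the demo; the advisory does not name what really sits there. The URLs are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the advisory. */
#define OBJ_SIZE     0x390   /* CMimeFt allocation: operator new(0x390) */
#define BUF_OFFSET   0x160   /* ASCII string buffer inside the object */
#define BUF_SIZE     0x104   /* MAX_PATH */
#define BAD_MAXLEN   0x824   /* iMaxLength that CMimeFt::Start passes to lstrcpynA */

/* Assumptions for the demo: a 4-byte field directly after the buffer, and the
   adjacent heap block modelled as a byte region placed right after the object. */
#define FIELD_OFFSET   (BUF_OFFSET + BUF_SIZE)   /* 0x264 */
#define NEIGHBOUR_SIZE BAD_MAXLEN
#define ARENA_SIZE     (OBJ_SIZE + NEIGHBOUR_SIZE)
#define SENTINEL       0x5A5A5A5Au

struct overflow_report {
    int    field_clobbered;   /* field at +0x264 no longer holds SENTINEL */
    size_t neighbour_bytes;   /* non-zero bytes that landed in the adjacent block */
};

/* Portable stand-in for lstrcpynA: copies at most max_len-1 bytes, then a NUL. */
static void model_lstrcpyn(char *dst, const char *src, int max_len)
{
    int i = 0;
    if (max_len <= 0) return;
    while (i < max_len - 1 && src[i] != '\0') { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}

/* Models the URL copy in CMimeFt::Start.
   fixed == 0: the original MS06-042 behaviour (limit 0x824 into a 0x104 buffer);
   fixed != 0: limit equal to the buffer size, as in the builds that use MAX_PATH
   for both values. */
struct overflow_report simulate_start(const char *url, int fixed)
{
    uint8_t arena[ARENA_SIZE];
    struct overflow_report r = {0, 0};
    uint32_t field = SENTINEL;
    size_t i;

    memset(arena, 0, sizeof arena);
    memcpy(arena + FIELD_OFFSET, &field, sizeof field);

    model_lstrcpyn((char *)arena + BUF_OFFSET, url, fixed ? BUF_SIZE : BAD_MAXLEN);

    /* A URL of exactly MAX_PATH characters already corrupts one byte here:
       the terminating NUL lands on the field that follows the buffer. */
    memcpy(&field, arena + FIELD_OFFSET, sizeof field);
    r.field_clobbered = (field != SENTINEL);
    for (i = OBJ_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != 0) r.neighbour_bytes++;
    return r;
}

/* Constructed input: a URL of exactly len characters, "http://a/" then 'A's. */
const char *make_url(size_t len)
{
    static char buf[4096];
    const char prefix[] = "http://a/";
    size_t i;
    if (len >= sizeof buf) len = sizeof buf - 1;
    for (i = 0; i < len; i++)
        buf[i] = i < sizeof prefix - 1 ? prefix[i] : 'A';
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* 0x230 is the distance from the buffer to the end of the object. */
    size_t lens[] = { 100, BUF_SIZE, 0x230 + 1, BAD_MAXLEN - 1, 3000 };
    size_t k;
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        struct overflow_report v = simulate_start(make_url(lens[k]), 0);
        struct overflow_report f = simulate_start(make_url(lens[k]), 1);
        printf("URL len %4zu | v1 patch: field %s, %4zu bytes into neighbour"
               " | fixed: field %s, %zu bytes\n",
               lens[k], v.field_clobbered ? "CLOBBERED" : "intact", v.neighbour_bytes,
               f.field_clobbered ? "CLOBBERED" : "intact", f.neighbour_bytes);
    }
    return 0;
}
```

Two things the run makes concrete: the copy starts spilling into the adjacent block once the URL exceeds 230h (560) characters, and the 824h limit caps the spill at 0x823 - 0x230 = 1523 attacker-controlled bytes past the object regardless of how long the URL actually is.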

URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH 
both as the buffer size and as the maximum copy length, while URLMON.DLL 
in the patch for Windows XP SP2 and Windows 2003 uses 824h in both places.

This issue was originally documented as an Internet Explorer crash in 
Microsoft Knowledge Base Article KB923762 
<http://support.microsoft.com/?kbid=923762> (Revision 2.0 as of 
August 21st), in response to numerous reports of conflicts between the 
MS06-042 patch and various HTTP-based software products, dating back to at 
least August 11th. eEye independently discovered the flaw on August 15th 
and subsequently reported it to Microsoft on the 17th.

Vendor Status:
Microsoft has released a new version of the MS06-042 patch to correct this 
vulnerability.
The revised patch is available at: 
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx

Note:
Installing the original release of the MS06-042 update causes a system to 
become vulnerable, so the version 2.0 release of the MS06-042 patch will 
need to be applied in order to secure that system.

Systems with the hotfix described in Microsoft Knowledge Base Article 
KB923762 <http://support.microsoft.com/?kbid=923762> applied are not 
susceptible to this vulnerability, although the MS06-042 v2.0 patch should 
still be installed on these systems.

Disclosure Timeline:
 * August 17, 2006 - Reported
 * August 24, 2006 - Release


ADDITIONAL INFORMATION

The information has been provided by eEye.
The original article can be found at:
http://research.eeye.com/html/advisories/published/AD20060824.html

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages. 