Thread-topic: [NT] Internet Explorer Compressed Content URL Heap Overflow
> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Tuesday, August 29, 2006 6:56 PM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NT] Internet Explorer Compressed Content URL Heap Overflow
>
> Internet Explorer Compressed Content URL Heap Overflow
>
> There is a heap overflow vulnerability discovered in
> Internet Explorer that allows an attacker to execute arbitrary
> code on the system of a victim who attempts to access a
> malicious URL.
>
> Vulnerable Systems:
> * Internet Explorer 6 SP1 with MS06-042 - Windows 2000
> * Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1
>
> eEye Digital Security has discovered a heap overflow
> vulnerability in the MS06-042 cumulative Internet Explorer
> update that would allow an attacker to execute arbitrary code
> on the system of a victim who attempts to access a malicious
> URL. Only Windows 2000 and Windows XP SP1 systems running
> Internet Explorer 6 SP1 with the MS06-042 patch applied are
> vulnerable.
>
> The heap overflow occurs when URLMON.DLL attempts to handle a
> long URL for which the web server's response indicated GZIP
> or deflate encoding. This means that the user interaction
> requirement for this attack is negligible, since clicking a
> hyperlink, visiting a malicious web page, or even attempting
> to view an image for which the source is a malicious URL,
> permits exploitation of the vulnerability. Furthermore, the
> attacker is not required to control a web server in order to
> serve up a specially-crafted response, since any compressed
> response -- even an error message -- is sufficient to cause
> the overflow, regardless of its content.
>
> URLMON.DLL version 6.0.2800.1565, distributed with the
> MS06-042 patch for Internet Explorer 6 SP1 on Windows 2000
> and Windows XP SP1, contains a heap buffer overflow
> vulnerability due to an incongruous use of lstrcpynA.
> CMimeFt::Create allocates a 390h-byte heap block for a new
> instance of the CMimeFt class, within which there is a 104h
> (MAX_PATH)-byte ASCII string buffer at offset +160h:
>
> 1A4268DD push 390h ; cb
> 1A4268E2 call ??2@YAPAXI@Z ; operator new(uint)
>
> When an access to a URL elicits a GZIP- or deflate-encoded
> response from the web server, CMimeFt::Start will attempt to
> copy the URL into the 104h-byte string buffer using the
> lstrcpynA API function, but it passes a maximum length
> argument of 824h (2084 decimal), a value typically used as
> the maximum length of a URL:
>
> 1A426199 push 824h ; iMaxLength
> 1A42619E push eax ; lpString2
> 1A42619F add esi, 160h
> 1A4261A5 push esi ; lpString1
> 1A4261A6 call ds:lstrcpynA
>
> As a result, fields within the CMimeFt class instance as well
> as the contents of adjacent heap blocks can be overwritten
> with attacker-supplied data from the malicious URL.
>
> URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses
> MAX_PATH both as the buffer size and as the maximum copy
> length, while URLMON.DLL in the patch for Windows XP SP2 and
> Windows 2003 uses 824h in both places.
>
> This issue was originally documented as an Internet Explorer
> crash in Microsoft Knowledge Base Article KB923762
> <http://support.microsoft.com/?kbid=923762> (Revision 2.0 as
> of August 21st), in response to numerous reports of conflicts
> between the MS06-042 patch and various HTTP-based software
> products, dating back to at least August 11th. eEye
> independently discovered the flaw on August 15th and
> subsequently reported it to Microsoft on the 17th.
>
> Vendor Status:
> Microsoft has released a new version of the MS06-042 patch to
> correct this vulnerability.
> The revised patch is available at:
> http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx.
>
> Note:
> Installing the original release of the MS06-042 update causes
> a system to become vulnerable, so the version 2.0 release of
> the MS06-042 patch will need to be applied in order to secure
> that system.
>
> Systems with the hotfix described in Microsoft Knowledge Base
> Article KB923762 <http://support.microsoft.com/?kbid=923762>
> applied are not susceptible to this vulnerability, although
> the MS06-042 v2.0 patch should still be installed on these systems.
>
> Disclosure Timeline:
> * August 24, 2006 - Release.
> * August 17, 2006 - Reported
>
>
> Additional Information:
> The information has been provided by eEye.
> The original article can be found at:
> http://research.eeye.com/html/advisories/published/AD20060824.html
>
>
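The advisory's core point is the mismatch between the 104h-byte (MAX_PATH) buffer at +160h of a 390h-byte object and the 824h iMaxLength handed to lstrcpynA. The C below is an added illustration, not code from the forwarded advisory, eEye, SecuriTeam or Microsoft. It models the object layout with only the sizes the advisory quotes, re-implements lstrcpynA's copy rule portably (copy at most n-1 characters, always write a NUL; treated here as an assumption about the API), and performs the copy inside an oversized arena so the simulation itself is well defined. The hostname in the constructed URL is a placeholder.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the advisory. */
#define MAX_PATH_A      0x104   /* 260: the ASCII URL buffer at +160h        */
#define URL_BUF_OFFSET  0x160   /* offset of that buffer inside CMimeFt      */
#define CMIMEFT_SIZE    0x390   /* 912: heap block allocated by CMimeFt::Create */
#define BAD_MAXLEN      0x824   /* 2084: iMaxLength passed by CMimeFt::Start */
#define ROOM_IN_OBJECT  (CMIMEFT_SIZE - URL_BUF_OFFSET)   /* 560 bytes to end of object */

/* Arena: the object plus space standing in for adjacent heap blocks, sized so
   even the worst-case copy stays inside the array (no real memory corruption). */
#define ARENA_SIZE      (CMIMEFT_SIZE + BAD_MAXLEN)
#define FILL_BYTE       0xCC
#define MAX_URL_INPUT   (2 * BAD_MAXLEN)

/* Assumed model of lstrcpynA: copy at most n-1 characters, then always write a NUL. */
static void lstrcpyn_model(char *dst, const char *src, int n)
{
    int i;
    if (n <= 0) return;
    for (i = 0; i < n - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* Constructed URL of exactly url_len bytes: placeholder host, then 'A' padding. */
static void make_url(char *out, size_t url_len)
{
    static const char prefix[] = "http://example.invalid/";
    size_t p = sizeof(prefix) - 1;
    if (url_len < p) p = url_len;
    memcpy(out, prefix, p);
    memset(out + p, 'A', url_len - p);
    out[url_len] = '\0';
}

/* Run the copy CMimeFt::Start performs, with the given iMaxLength, for a URL of
   url_len bytes. Returns the number of bytes written past the 104h-byte buffer
   (0 = no overflow). *past_object, if non-NULL, receives the bytes written
   beyond the 390h object, i.e. into what would be the next heap block. */
static size_t simulate_copy(int max_len, size_t url_len, size_t *past_object)
{
    static unsigned char arena[ARENA_SIZE];
    static char url[MAX_URL_INPUT + 1];
    size_t i, last = 0, written;

    if (url_len > MAX_URL_INPUT) url_len = MAX_URL_INPUT;
    make_url(url, url_len);
    memset(arena, FILL_BYTE, sizeof arena);

    /* The advisory's call: lstrcpynA(obj + 160h, url, 824h). */
    lstrcpyn_model((char *)arena + URL_BUF_OFFSET, url, max_len);

    /* Find the highest byte the copy touched; URL bytes and the NUL differ from the fill. */
    for (i = URL_BUF_OFFSET; i < sizeof arena; i++)
        if (arena[i] != FILL_BYTE) last = i;
    written = last - URL_BUF_OFFSET + 1;

    if (past_object)
        *past_object = written > ROOM_IN_OBJECT ? written - ROOM_IN_OBJECT : 0;
    return written > MAX_PATH_A ? written - MAX_PATH_A : 0;
}

/* Thin wrappers so each figure is a plain return value. */
size_t bytes_past_buffer(int max_len, size_t url_len)
{
    return simulate_copy(max_len, url_len, NULL);
}

size_t bytes_past_object(int max_len, size_t url_len)
{
    size_t po = 0;
    simulate_copy(max_len, url_len, &po);
    return po;
}

int main(void)
{
    size_t lens[] = { 100, 259, 260, 2083, 5000 };
    size_t k;
    printf("url_len  824h: past_buf past_obj | 104h: past_buf past_obj\n");
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("%7zu  %14zu %8zu | %14zu %8zu\n", lens[k],
               bytes_past_buffer(BAD_MAXLEN, lens[k]), bytes_past_object(BAD_MAXLEN, lens[k]),
               bytes_past_buffer(MAX_PATH_A, lens[k]), bytes_past_object(MAX_PATH_A, lens[k]));
    return 0;
}
```

A 260-byte URL already spills one byte (the terminating NUL) into the field following the buffer; a 2083-byte URL, the longest lstrcpynA will accept with iMaxLength 824h, writes 1824 bytes past the buffer, of which 1524 land beyond the 390h object in the adjacent heap block. Passing MAX_PATH as the length, as the IE5 build of the patch does, truncates the URL instead and writes nothing past the buffer.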