Bugtraq mailing list archives

Re: L0pht Advisory: IE4.0


From: leif () GCI NET (Leif Sawyer)
Date: Mon, 10 Nov 1997 14:02:33 -0900


Running Windows NT 4.0/sp3 and I.E. 4.0 (4.71.1712.6) 128-bit extensions:

res://abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcd/

returns:
/-
 Internet Explorer cannot open the internet site ".."
  The specified module could not be found.
\-

but

res://abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcdefghijklmnopqrstuvwxyz123456abcde/

and longer strings return:

/-
 Internet Explorer cannot open the internet site ".."
  The filename or extension is too long.
\-

Looks like a Win95-centric bug to me. Note that I didn't try the exploit.. :-)

-----Original Message-----
    From: DilDog <dildog () L0PHT COM>
    To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
    Date: Monday, November 10, 1997 12:37 PM
    Subject: L0pht Advisory: IE4.0


          Document:  L0pht Security Advisory
        URL Origin:  http://l0pht.com/advisories.html
      Release Date:  November 1st, 1997
       Application:  Microsoft Internet Explorer 4.0 Suite
          Severity:  Viewing remote HTML content can execute arbitrary native code
            Author:  dildog () l0pht com
     Operating Sys:  Windows 95

    ========
    Scenario
    ========

      The Microsoft Internet Explorer 4.0 Suite, including all programs supplied
      with it that read and/or process HTML from either local machines, intranet
      machines, or remote internet machines are subject to a buffer overflow in the
      HTML decoding process. The buffer overflow can cause the application to page
      fault, or in the worst case, execute arbitrary precompiled native code.

    =======
    Example
    =======

      1. Copy the supplied HTML file(s) into a location that is accessible via the
         target application.
      2. Point to it. Look at it.
      3. Click on the link. (or let someone click it for you)
      4. Become aware of what happens to your machine.
      5. Freak out and beg Microsoft to make the bad man stop.

      The critical problem here is a buffer overflow in the parsing of a particular
      new type of URL protocol. The "res://" type of URL is meant to allow access
      to a local resource embedded in a local DLL file. This is useful for
      archiving entire websites into a DLL and is not, in its truest concept, a
      security flaw.

      For example, to read something out of the IE4.0 Tour (stored in a DLL) try
      the following URL: res://ie4tour.dll/page1-6.htm

      The buffer overflow is on the actual filename specified. To crash your
      machine go ahead and try res://blahblahblah ... blahblah/ in your Internet
      Explorer window where the amount of 'blah' equals 265 characters.

      The function that goes through the filename and validates it is flawed on
      Windows 95. Without checking the length, the filename is uppercased,
      concatenated with '.DLL' if it isn't there already, and in the process,
      copied into a fixed size buffer.

    ========
    Solution
    ========

      Currently, there is no solution available for this flaw. You can't set any
      Internet Explorer options to avoid it, and you are not protected by any
      level of zone security. Simply don't surf the web, read email or view
      net news using Internet Explorer 4.0 until Microsoft puts up a hotfix.

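As an added example (not code from the advisory, from the reply above, or from Microsoft), the C program below implements the module-name step the advisory describes, but with the length check that the Windows 95 path lacked. The buffer size (260 bytes, the Windows MAX_PATH value, including the terminating NUL), the status codes and the exact order of operations are assumptions made for illustration; the real IE code is not on the page. An over-long name comes back as a "filename too long" status, the behaviour the NT reply reports, instead of being copied past the end of a fixed-size buffer. The sample inputs in `main` are constructed: the tour DLL name from the advisory and a 265-character name of the length the advisory says crashes Windows 95.

```c
/*
 * Added example: a bounded version of the res:// module-name step.
 * The flawed sequence described in the advisory was: uppercase the name,
 * append ".DLL" if it is missing, copy into a fixed-size buffer, with no
 * length check anywhere.  Here the check comes first and covers both the
 * appended extension and the NUL, so nothing is written that does not fit.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: Windows MAX_PATH, including the terminating NUL. */
#define MODULE_NAME_MAX 260

enum res_status { RES_OK = 0, RES_EMPTY = 1, RES_TOO_LONG = 2 };

/* Case-insensitive test for a trailing ".dll", mirroring the advisory's
 * "concatenated with '.DLL' if it isn't there already". */
static int has_dll_suffix(const char *name, size_t len)
{
    static const char ext[] = ".DLL";
    size_t elen = sizeof(ext) - 1;
    if (len < elen)
        return 0;
    for (size_t i = 0; i < elen; i++)
        if (toupper((unsigned char)name[len - elen + i]) != ext[i])
            return 0;
    return 1;
}

/* Build the uppercased, ".DLL"-terminated module name into out[outlen].
 * Returns RES_TOO_LONG (with out[0] == '\0') when the result, including the
 * extension and the NUL, would not fit; no byte is copied in that case. */
enum res_status build_module_name(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);
    size_t extra = has_dll_suffix(name, len) ? 0 : 4;

    if (outlen > 0)
        out[0] = '\0';
    if (len == 0)
        return RES_EMPTY;
    /* Length check BEFORE any copy, accounting for ".DLL" and the NUL. */
    if (len + extra + 1 > outlen)
        return RES_TOO_LONG;

    for (size_t i = 0; i < len; i++)
        out[i] = (char)toupper((unsigned char)name[i]);
    if (extra)
        memcpy(out + len, ".DLL", 4);
    out[len + extra] = '\0';
    return RES_OK;
}

/* Convenience wrapper: the status a name gets against a MAX_PATH buffer. */
enum res_status check_res_name(const char *name)
{
    char buf[MODULE_NAME_MAX];
    return build_module_name(name, buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: the advisory's tour DLL, and a 265-character
     * name of the length the advisory says crashes Windows 95. */
    char blah[266];
    memset(blah, 'b', 265);
    blah[265] = '\0';

    const char *samples[] = { "ie4tour", "IE4TOUR.DLL", blah };
    char buf[MODULE_NAME_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum res_status st = build_module_name(samples[i], buf, sizeof buf);
        printf("%3zu chars -> %s%s\n", strlen(samples[i]),
               st == RES_OK ? buf : "rejected",
               st == RES_TOO_LONG ? " (filename too long)" : "");
    }
    return 0;
}
```

The point of the ordering is that the bound is checked against the length of the final string, not the raw input: a check on the input name alone would still let the appended ".DLL" run up to four bytes past the end of the buffer, which is exactly the kind of "validated, then grown, then copied" sequence the advisory blames.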
