Re: .MHT Buffer Overflow in Internet Explorer

[Jouko Pynnonen <jouko () solutions fi>]

On 10 Mar 2003, Tom Tanaka wrote:

> CANON SYSTEM SOLUTIONS INC. Security Alert
>
> VULNERABILITY:.MHT Buffer Overflow in Internet Explorer
>
> DATE FOUND:March 2, 2003
>
> Severity:High Risk(code can be executed remotely) 


[snip]


> The following error will occur when the above file is browsed by IE5.
>
> Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.
>
>
>
> By debugging through the crash dump, the exception error is generated at 
> the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to 
> Kernel32.
>
> Register
> EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 
> ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC 
> EBP = 0607B2FC EFL = 00000246


[snip]


> 74cf497b 8b461c             mov     eax,dword ptr [esi+1c]
> 74cf497e 8b08               mov     ecx,dword ptr [eax] //Exception




At first glance, doesn't this look like a null pointer reference bug 
rather than a buffer overflow? The message didn't (clearly) specify which 
four bytes of memory the attacker could overwrite and how it would be 
possible to gain control of the program flow. Since you have classified 
this as critical, perhaps you could clarify these points? Does there 
exist a working exploit which does something else than crash IE? Thanks,




-- 
Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
jouko () solutions fi                                http://www.secmod.com