[Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

gta_at_hush.com
Date: 02/15/04

  • Next message: Ganbold: "Re: [Full-Disclosure] Re: Microsoft Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)"
    To: full-disclosure@lists.netsys.com
    Date: Sat, 14 Feb 2004 22:08:59 -0800
    
    
    

    I downloaded the Microsoft source code. Easy enough. It's a lot
    bigger than Linux, but there were a lot of people mirroring it and so
    it didn't take long.

    Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS.
    For example, in win2k/private/inet/mshtml/src/site/download/imgbmp.cxx:

        // Before we read the bits, seek to the correct location in the file
        while (_bmfh.bfOffBits > (unsigned)cbRead)
        {
            BYTE abDummy[1024];
            int cbSkip;

            cbSkip = _bmfh.bfOffBits - cbRead;
            
            if (cbSkip > 1024)
                cbSkip = 1024;

            if (!Read(abDummy, cbSkip))
                goto Cleanup;
                
            cbRead += cbSkip;
        }

    .. Rrrrriiiiggghhhttt. Way to go, using a signed integer for an
    offset. Now all we have to do is create a BMP with bfOffBits > 2^31,

    and we're in. cbSkip goes negative and the Read call clobbers the
    stack with our data.

    See attached for proof of concept. index.html has [img src=1.bmp]
    where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
    Bring it up in IE5 (tested successfully on Win98) and get
    EIP=0x44332211.

    IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
    worm will have to wait a bit...

    .gta
    PROPS TO the Fort and HAVE IT BE YOU.

    
    
    

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html




  • Next message: Ganbold: "Re: [Full-Disclosure] Re: Microsoft Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007)"