[NT] Microsoft IE/Office for Mac OS Buffer Overflow Vulnerability

From: support@securiteam.com
Date: 04/16/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 16 Apr 2002 11:29:53 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Microsoft IE/Office for Mac OS Buffer Overflow Vulnerability
------------------------------------------------------------------------

SUMMARY

There is a vulnerability in multiple Microsoft products on Mac OS. The
problem lies in the handling of a lengthy subdirectory in the file://
directive, such as file:///AAAAAA[...] or file://A/A/A/A/[...]. The number
of subdirectories is trivial as long as there is at least one.

DETAILS

Vulnerable systems:
Microsoft Internet Explorer
Versions affected: 5.1
Platforms affected: Mac OS 8, 9, and X

Microsoft Outlook Express
Versions affected: 5.0.2
Platforms affected: all Mac OS

Microsoft Entourage
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft PowerPoint
Versions affected: 98, 2001, and X
Platforms affected: all Mac OS

Microsoft Excel
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft Word
Versions affected: 2001
Platforms affected: all Mac OS

Prelude:
A bug in Internet Explorer for Mac OS X was originally reported to
Microsoft by Josha Bronson of Angry Packet Security on January 4, 2002.

Due to some internal mishandling at Microsoft, this was brushed off until
w00w00 informed Microsoft of its intention to release the information on
February 17. We originally gave them a deadline of two weeks until we
discovered that this affected Entourage (the Outlook equivalent for Mac
OS). When Microsoft determined this affected most of their Office suite on
Mac OS, we felt it was appropriate to give them time to fix it.

Implications:
This is another vulnerability with potentially far-reaching consequences.
In the case of Entourage, it has the potential for a worm, with the
magnitude depending on how many people actually use Entourage (Microsoft's
Outlook equivalent for Mac OS). In all cases, writing shellcode to exploit
this problem is simple, much simpler than shellcode for the AOL
Instant Messenger problem we reported in January. Given that Mac OS X has
a Unix interface, existing PowerPC shellcode that runs /bin/sh will work.
No complex shellcode is needed to bind to a port or download an
application off the web. The /bin/sh shellcode would need to be changed
from an interactive shell to one that will execute a chain of commands.
There are enough commands on Mac OS by default to allow an attacker to
download and execute an application off of a web page. The downloaded
application could do any number of things, such as read the user's
contact list and send the same exploit email to all of the user's
contacts.

Exploit:
The following HTML file will demonstrate the problem. We chose to use IMG
simply because it is loaded instantly, but an <A HREF=...> could have
been used also. It can also be viewed (in live form) at
http://www.w00w00.org/files/advisories/ie_sample.html.
It overwrites the saved link register that is used for a subroutine's
return address on PowerPC. This will allow remote execution of arbitrary
code. In the sample below, the saved link register is overwritten with
0x41424344. This vulnerability allows up to 1313 characters before the
saved link register. Pure binary data (including NUL bytes) can be used by
escaping it (i.e., A as %41). However, "%41" counts as three characters in
the URL rather than just one. NOTE: By character, we mean single-byte
characters.

<html>
<body>
<img src=file:///[1313 characters]%41%42%43%44>
</body>
</html>
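The advisory's numbers (a 1313-byte budget before the saved link register, and a "%41" escape that occupies three URL characters but one decoded byte) translate directly into a content check. The script below is an added example written for this page, not code from w00w00 or Microsoft: it finds file:// URLs in a blob of HTML or mail text, measures the path in decoded bytes rather than raw characters, and flags anything longer than the advisory's limit. The 1313 threshold and the sample inputs are taken from or constructed after the advisory; the function and constant names are the example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# From the advisory: up to 1313 (decoded, single-byte) characters fit
# before the saved link register, so anything longer is suspect.
LR_OFFSET = 1313

# Matches a file:// URL up to the first whitespace, quote or angle bracket,
# which covers both quoted and unquoted src= / href= attribute values.
FILE_URL_RE = re.compile(r"""file://[^\s"'<>]+""", re.IGNORECASE)


def decoded_path_length(url: str) -> int:
    """Length of the path after the scheme, in bytes after %XX decoding.

    "%41" therefore counts as one byte here even though it is three
    characters in the URL, matching the advisory's note. Leading slashes are
    stripped because the advisory states the number of path components does
    not matter.
    """
    path = url[len("file://"):].lstrip("/")
    return len(unquote_to_bytes(path))


def find_suspicious_file_urls(content: str, limit: int = LR_OFFSET) -> list:
    """Return one record per file:// URL whose decoded path exceeds `limit`."""
    findings = []
    for match in FILE_URL_RE.finditer(content):
        url = match.group(0)
        decoded = decoded_path_length(url)
        if decoded > limit:
            findings.append({
                "url_prefix": url[:40],   # enough to recognise it in a report
                "raw_len": len(url),
                "decoded_len": decoded,
            })
    return findings


# Constructed samples (not taken from a real message): a harmless local
# image reference, and a page shaped like the advisory's sample with
# 1313 filler bytes followed by the escaped 0x41424344 overwrite value.
BENIGN_HTML = '<img src="file:///Users/demo/Pictures/logo.gif">'
TRIGGER_HTML = "<img src=file:///" + "A" * LR_OFFSET + "%41%42%43%44>"


def scan_constructed_samples() -> list:
    """Run the check over both samples; only the overlong one should appear."""
    return find_suspicious_file_urls(BENIGN_HTML + "\n" + TRIGGER_HTML)


if __name__ == "__main__":
    for hit in scan_constructed_samples():
        print("overlong file:// path: %(decoded_len)d decoded bytes "
              "(%(raw_len)d raw chars) starting %(url_prefix)s" % hit)
```

A mail gateway or proxy filter would apply find_suspicious_file_urls to message bodies and fetched pages; measuring the decoded length is the important part, since a raw character count would let a fully %-escaped payload appear three times shorter than it really is.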

Patches:
For Internet Explorer, a patch is available from:
http://www.apple.com/macosx/upgrade/softwareupdates.html
For the other products, the patches can be downloaded from:
http://www.microsoft.com/mac/download

ADDITIONAL INFORMATION

The information has been provided by Matt Conover <shok@dataforce.net>
and w00w00.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
