[REVS] CDT Plug-in Bug and How to Exploit Vulnerabilities Using Only ASCII Character Set
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 16 Jul 2003 11:44:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at email@example.com
- - - - - - - - -
CDT Plug-in Bug and How to Exploit Vulnerabilities Using Only ASCII
This whitepaper describes creation of exploit for classic buffer overrun
using only subset of ASCII characters.
Netscape 7.02 ships with Client Detection Tool (CDT) plug-in (npcdt.dll)
that handles application/x-cdt mime type. One of routines in the npcdt.dll
is suffers from classic buffer overrun. Overrun occurs when overly long
string is passed to vulnerable routine. This string is essentially full
path to temporary folder where attachments are saved when browsing mail
message. Below is fragment of vulnerable routine code that is derived from
sub_100016FF proc near
var_100 = byte ptr -100h
arg_0 = dword ptr 8
arg_8 = dword ptr 10h
mov ebp, esp
sub esp, 100h
push [ebp+arg_8] // Full path to CDT file in TMP
mov eax, [ebp+arg_0]
push dword ptr [eax+8] // "http://www.mozilla.org"
lea eax, [ebp+var_100]
push offset aFileAvailableF ; "### File available for %s: %s\n"
add esp, 10h
xor eax, eax
As we see 256 bytes are allocated for local variables and length of
arguments is not checked.
The main problem is that we cannot fully control arguments passed to the
function: we can control only part of one argument. This argument is full
path to Windows temporary folder and name of CDT file that is created when
mail with attachment of application/x-cdt mime type if viewed by user.
Example of second argument value:
C:\Documents and Settings\martin\Local
AAAAtskill.exe netscp && cmd.exe ATX-%UUU-%UUUFVUUhAAAAZ0TX!
To exploit this bug we need to create mail with attachment of
application/x-cdt mime type and filename that contains exploit code.
Filename including extension cannot exceed 218 symbols in length under
Windows Server 2003 and cannot contain some special characters like >, <,
\ and so on. In addition, filename cannot contain non-ASCII symbols to
make exploit working. Finally, we need to know length of path to TEMP
folder to code the exploit. This is equivalent to length of username
because rest of path is known for given operating system if default
settings are used. Also Martin was unable to find JMP ESP/CALL ESP opcodes
in loaded Netscape modules with acceptable address (note that acceptable
here means ASCII with mentioned above restrictions) so proof-of-concept
exploit is bound to operating system, here Windows Server 2003 Enterprise
The main idea is to represent "shellcode" with subset of ASCII characters.
There are programs that translate ordinal byte code to byte code that
consists only of "ASCII" symbols. However, such programs normally produce
code that is significantly greater in size than original. Due to this fact
proof-of concept exploit is coded manually.
Here is described what it does:
1. Upon exit of vulnerable routine in CDT plug-in return address is
overwritten with JMP ESP opcode address in shell32.dll.
2. After JMP ESP we land almost at the end of our code and have about 26
bytes. In this area exploit only decodes bytes to make short jump back to
3. Now we have more area - about 94 bytes. Here exploit decodes CALL
system opcodes where system is C run time function to execute OS commands
(implemented in msvcrt.dll).
4. System function executes command that is hard-coded into exploit code:
tskill.exe netscp && cmd.exe. Here tskill.exe terminates Netscape to avoid
cleanup coding and cmd.exe launches command prompt.
Definitely this is not best approach - better would be write decoder for
ASCII bytes and make resulting exploit smaller, try to make it less
platform dependant and make a call to ExitProcess. However, remember that
this is a proof-of-concept code. Below is mail message with sample
Subject: CDT bug Exploit
Date: Mon, 14 Jul 2003 06:54:20 +0400
This is a multi-part message in MIME format.
&& cmd.exe ATX-%UUU-%UUUFVUUhAAAAZ0TX!
TEST MESSAGE ONLY
Because text is wrapped copy of this is available at:
This exploit was tested on Windows Server 2003 Enterprise Edition English
while logged on as user with 6 symbols username running Netscape 7.02. To
send such message one may use telnet to SMTP server because some mail
clients (Outlook Express) change Content-Type from application/x-cdt upon
sending if Content-Type was set manually in saved message text.
Manually remove CDT plug-in from /components directory or upgrade to
latest version of Netscape browser that has CDT plug-in removed.
The original whitepaper can be downloaded from:
The information has been provided by <mailto:firstname.lastname@example.org> Martin
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.