[NT] Microsoft Internet Explorer Install Engine Control Buffer Overflow (MS04-038)

From: SecuriTeam (support_at_securiteam.com)
Date: 01/23/05

  • Next message: SecuriTeam: "[NT] RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability" 
    To: list@securiteam.com
Date: 23 Jan 2005 16:43:55 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft Internet Explorer Install Engine Control Buffer Overflow
    (MS04-038)
    ------------------------------------------------------------------------

    SUMMARY

    All versions of Microsoft Windows, with Microsoft Internet Explorer, come
    packaged with the Microsoft Active Setup/Install Engine components. These
    components are marked as safe for scripting and can be invoked by default
    from any basic web-page.

    The Install Engine control has been found to be vulnerable to an integer
    overflow, leading to a heap based buffer overflow which could allow an
    attacker to run arbitrary code on a vulnerable system through a specially
    crafted web-page or through a specially crafted HTML email if scripting is
    enabled.

    DETAILS

    When calling the SetCifFile() method provided by the Active Setup Controls
    ActiveX component 'asctrls.ocx', if the first parameter (the '.cab' file
    name) is a string of a length in excess of about 2kb, an integer overflow
    occurs when attempting to calculate the buffer space allowed for copying
    the base URL.

    The vulnerable code path will only be executed if the 'BaseURL' property
    has previously been set. The value stored as this property is the first
    string which can be made to overflow the heap.

    After the base URL is copied into the buffer, the string which we have
    provided as the cab file name is concatenated onto the end of our buffer
    without any length checking, making it the second string which can
    overflow the heap.

    The vulnerable code is located within the Install Engine Control module
    ('inseng.dll') which is provided with the Active Setup Controls component,
    both of which can be found in the 'System32' folder in the Windows
    directory.

    The vulnerable code can be seen below:
    MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrcpynA>] ; kernel32.lstrcpynA()

        ...

    PUSH DWORD PTR SS:[EBP+C] ; /String = Cab file name
    AND BYTE PTR DS:[ESI],0 ; |
    CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA()

    MOV ECX,822 ; Max buffer size
    SUB ECX,EAX ; Calculate remaining buffer space - integer overflow!

    PUSH ECX ; /n = Unchecked value - remaining buffer space!
    PUSH DWORD PTR SS:[EBP-8] ; |String2 = BaseURL property value
    PUSH ESI ; |String1 = 0x822 bytes heap buffer
    CALL EBX ; \lstrcpynA()

    MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA()
    PUSH inseng.66561C84 ; /StringToAdd = "/"
    PUSH ESI ; |ConcatString = Our heap buffer
    CALL EDI ; \lstrcatA()

    PUSH DWORD PTR SS:[EBP+C] ; /StringToAdd = Our Cab file name
    PUSH ESI ; |ConcatString = Our heap buffer
    CALL EDI ; \lstrcatA()

    Fix Information:
    Microsoft have released an update for Microsoft Internet Explorer which is
    set to address this issue. This can be downloaded from:
    <http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:nisr@nextgenss.com>
    NGSSoftware Insight Security Research.
    The original article can be found at:
    <http://www.ngssoftware.com/advisories/msinsengfull.txt>
    http://www.ngssoftware.com/advisories/msinsengfull.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability"

    Relevant Pages