[NT] Internet Explorer Compressed Content URL Heap Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Internet Explorer Compressed Content URL Heap Overflow
------------------------------------------------------------------------


SUMMARY

There is an heap overflow vulnerability discovered in Internet Explorer
that allow an attacker to execute arbitrary code on the system of a victim
who attempts to access a malicious URL.

DETAILS

Vulnerable Systems:
* Internet Explorer 6 SP1 with MS06-042 - Windows 2000
* Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1

eEye Digital Security has discovered a heap overflow vulnerability in the
MS06-042 cumulative Internet Explorer update that would allow an attacker
to execute arbitrary code on the system of a victim who attempts to access
a malicious URL. Only Windows 2000 and Windows XP SP1 systems running
Internet Explorer 6 SP1 with the MS06-042 patch applied are vulnerable.

The heap overflow occurs when URLMON.DLL attempts to handle a long URL for
which the web server's response indicated GZIP or deflate encoding. This
means that the user interaction requirement for this attack is negligible,
since clicking a hyperlink, visiting a malicious web page, or even
attempting to view an image for which the source is a malicious URL,
permits exploitation of the vulnerability. Furthermore, the attacker is
not required to control a web server in order to serve up a
specially-crafted response, since any compressed response -- even an
error message -- is sufficient to cause the overflow, regardless of its
content.

URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch for
Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains a
heap buffer overflow vulnerability due to an incongruous use of lstrcpynA.
CMimeFt::Create allocates a 390h-byte heap block for a new instance of
the CMimeFt class, within which there is a 104h (MAX_PATH)-byte ASCII
string buffer at offset +160h:

1A4268DD push 390h ; cb
1A4268E2 call ??2@YAPAXI@Z ; operator new(uint)

When an access to a URL elicits a GZIP- or deflate-encoded response from
the web server, CMimeFt::Start will attempt to copy the URL into the
104h-byte string buffer using the lstrcpynA API function, but it passes a
maximum length argument of 824h (2084 decimal), a value typically used as
the maximum length of a URL:

1A426199 push 824h ; iMaxLength
1A42619E push eax ; lpString2
1A42619F add esi, 160h
1A4261A5 push esi ; lpString1
1A4261A6 call ds:lstrcpynA

As a result, fields within the CMimeFt class instance as well as the
contents of adjacent heap blocks can be overwritten with attacker-supplied
data from the malicious URL.

URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH
both as the buffer size and as the maximum copy length, while URLMON.DLL
in the patch for Windows XP SP2 and Windows 2003 uses 824h in both places.

This issue was originally documented as an Internet Explorer crash in
Microsoft Knowledge Base Article
<http://support.microsoft.com/?kbid=923762> KB923762 (Revision 2.0 as of
August 21st), in response to numerous reports of conflicts between the
MS06-042 patch and various HTTP-based software products, dating back to at
least August 11th. eEye independently discovered the flaw on August 15th
and subsequently reported it to Microsoft on the 17th.

Vendor Status:
Microsoft has released a new version of the MS06-042 patch to correct this
vulnerability.
The revised patch is available at:
<http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx>
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx.

Note:
Installing the original release of the MS06-042 update causes a system to
become vulnerable, so the version 2.0 release of the MS06-042 patch will
need to be applied in order to secure that system.

Systems with the hotfix described in Microsoft Knowledge Base Article
<http://support.microsoft.com/?kbid=923762> KB923762 applied are not
susceptible to this vulnerability, although the MS06-042 v2.0 patch should
still be installed on these systems.

Disclosure Timeline:
* August 24, 2006 - Release.
* August 17, 2006 - Reported


ADDITIONAL INFORMATION

The information has been provided by eEye.
The original article can be found at:
<http://research.eeye.com/html/advisories/published/AD20060824.html>
http://research.eeye.com/html/advisories/published/AD20060824.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages