[NT] Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption
Vulnerability
------------------------------------------------------------------------


SUMMARY

The
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/portal.asp> WinInet module provides access to common Internet protocols, including FTP and HTTP, allowing a programmers to add this functionality to their code without having to re-impelement the details. As an part of the base operating system, it is used in many applications including Microsoft's Internet Explorer.

Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll'
FTP client code could allow an attacker to execute arbitrary code.

DETAILS

Vulnerable Systems:
* Internet Explorer 6 on the following Microsoft operating systems, with
all security patches applied as of May 2006, are affected.
* Windows 2000 Advanced Server SP4
* Windows XP SP2
* Windows Server 2003 Enterprise Edition SP1

* This vulnerability appears to have existed from at least Internet
Explorer 5.0.
* It is suspected that all versions of Internet Explorer on all supported
platforms are affected.

The vulnerability specifically exists in the parsing of reply lines from
remote FTP servers. During an FTP session, the client makes requests for
the server to perform some operation and the server responds with a
numeric code, a human readable message and possibly some other
information. As there can be multiple lines in a reply, code in the client
breaks the reply up into lines, putting a null byte (character 0x00) after
any end of line character. In the case where a line ends exactly on the
last character of the reply buffer, the terminating null byte is written
outside of the allocated space, overwriting a byte of the heap management
structure. By sending a specially crafted series of replys to the client,
the heap may be corrupted in a controlled way to cause the execution of
arbitrary code.

Successful remote exploitation of this vulnerability would allow a
attacker to execute arbitrary commands in the context of the currently
logged in user.

In order to exploit this vulnerability, the attacker must convince the
target to follow a link in a program which uses the vulnerable functions,
such as Internet Explorer, Word, or Outlook. For any of these applications
it is sufficient to embed an image linked to a malicious ftp server, but
for modern versions of Outlook, the image will not render unless the user
allows it.

The portion of the heap management structure overwritten is used to
determine the length of the allocation it refers to. In combination with
another less severe vulnerability in the FTP code, which allows a remote
attacker to see a valid memory address, it may be possible to cause
reliable remote exploitation.

Workaround:
Blocking outgoing port 21 (ftp) requests is not effective, as this it is
possible to supply an ftp URL with an alternative port. It may be possible
to limit exposure to this vulnerability by configuring systems to use a
proxy server for all ftp requests and only allowing white-listed sites.

Vendor Status:
Microsoft has addressed this vulnerability within
<http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx>
MS07-016.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0217>
CVE-2007-0217

Disclosure Timeline:
* 08/16/2006 - Initial vendor notification
* 08/16/2006 - Initial vendor response
* 10/05/2006 - Second vendor notification
* 02/13/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=473



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.