Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a)

From: NGSSoftware Insight Security Research (nisr_at_nextgenss.com)
Date: 01/19/05

  • Next message: nemo_at_felinemenace.org: "Darwin Kernel Vulnerability"
    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Wed, 19 Jan 2005 16:57:30 -0000
    
    

    NGSSoftware Insight Security Research Advisory

    Name: Microsoft Internet Explorer Install Engine Control Buffer Overflow
    Systems Affected: Microsoft Internet Explorer 5.x/6.x
    Severity: High
    Vendor URL: http://www.microsoft.com/
    Author: Peter Winter-Smith [ peter@ngssoftware.com ]
    Date of Public Advisory: 19th January 2004
    Advisory number: #NISR19012005a
    Advisory URL: http://www.ngssoftware.com/advisories/msinsengfull.txt
    Reference: http://www.ngssoftware.com/advisories/msinsengdll.txt

    Description
    ***********

    All versions of Microsoft Windows, with Microsoft Internet Explorer, come
    packaged with the Microsoft Active Setup/Install Engine components. These
    components are marked as safe for scripting and can be invoked by default
    from any basic web-page.

    The Install Engine control has been found to be vulnerable to an integer
    overflow, leading to a heap based buffer overflow which could allow an
    attacker to run arbitrary code on a vulnerable system through a specially
    crafted web-page or through a specially crafted HTML email if scripting is
    enabled.

    Details
    *******

    When calling the SetCifFile() method provided by the Active Setup Controls
    ActiveX component 'asctrls.ocx', if the first parameter (the '.cab' file
    name) is a string of a length in excess of about 2kb, an integer overflow
    occurs when attempting to calculate the buffer space allowed for copying
    the base url.

    The vulnerable code path will only be executed if the 'BaseURL' property
    has previously been set. The value stored as this property is the first
    string which can be made to overflow the heap.

    After the base url is copied into the buffer, the string which we have
    provided as the cab file name is concatenated onto the end of our buffer
    without any length checking, making it the second string which can
    overflow the heap.

    The vulnerable code is located within the Install Engine Control module
    ('inseng.dll') which is provided with the Active Setup Controls component,
    both of which can be found in the 'System32' folder in the Windows
    directory.

    The vulnerable code can be seen below:

    MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrcpynA>] ; kernel32.lstrcpynA()

        ...

    PUSH DWORD PTR SS:[EBP+C] ; /String = Cab file name
    AND BYTE PTR DS:[ESI],0 ; |
    CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA()

    MOV ECX,822 ; Max buffer size
    SUB ECX,EAX ; Calculate remaining buffer space - integer overflow!

    PUSH ECX ; /n = Unchecked value - remaining buffer space!
    PUSH DWORD PTR SS:[EBP-8] ; |String2 = BaseURL property value
    PUSH ESI ; |String1 = 0x822 bytes heap buffer
    CALL EBX ; \lstrcpynA()

    MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA()
    PUSH inseng.66561C84 ; /StringToAdd = "/"
    PUSH ESI ; |ConcatString = Our heap buffer
    CALL EDI ; \lstrcatA()

    PUSH DWORD PTR SS:[EBP+C] ; /StringToAdd = Our Cab file name
    PUSH ESI ; |ConcatString = Our heap buffer
    CALL EDI ; \lstrcatA()

    Fix Information
    ***************

    Microsoft have released an update for Microsoft Internet Explorer which is
    set to address this issue. This can be downloaded from:

    http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx

    A check for this vulnerability has been added to Typhon III, NGSSoftware's
    advanced vulnerability assessment scanner. For more information please
    visit the NGSSoftware website at http://www.ngssoftware.com/

    About NGSSoftware
    *****************

    NGSSoftware design, research and develop intelligent, advanced application
    security assessment scanners. Based in the United Kingdom, NGSSoftware
    have offices in the South of London and the East Coast of Scotland.
    NGSSoftware's sister company NGSConsulting, offers best of breed security
    consulting services, specialising in application, host and network
    security assessments.

    http://www.ngssoftware.com/

    Telephone +44 208 401 0070
    Fax +44 208 401 0076

    enquiries@ngssoftware.com


  • Next message: nemo_at_felinemenace.org: "Darwin Kernel Vulnerability"

    Relevant Pages