OVERVIEW
========

The code used in Microsoft Internet Explorer to parse web servers' HTTP replies contains a buffer overflow vulnerability. Specifically, the faulty code is located in URLMON.DLL. A malicious user may exploit this vulnerability to execute arbitrary code on an IE user's system.

DETAILS
=======

HTTP is the protocol used in communication between web servers and web browsers. When a web page is viewed, the browser sends an HTTP request to the server in question. The server then sends an HTTP reply which usually contains the web page the browser requested. In addition to the document body which is shown to the user, the HTTP reply contains some header fields which, for example, specify how the document should be presented to the user.

Due to missing or insufficient input validation, a buffer overflow takes place in Internet Explorer when it receives an HTTP reply with excessively long values in certain header fields. A buffer placed on the stack gets overrun, and a malicious reply may overwrite data, including the subroutine's return address, and thus direct the program execution to an arbitrary address. The vulnerability is a traditional stack-based buffer overflow and relatively easy to exploit.

This vulnerability can be used by an attacker to run any code on the system of a victim viewing a special web page with Internet Explorer or reading mail with Outlook or Outlook Express. More details will be published later.

SOLUTION
========

The vendor was informed about the bug on March 16, 2003. Microsoft has classified this vulnerability as critical and published a bulletin and patch correcting the issue. These are available at http://www.microsoft.com/technet/security/bulletin/MS03-015.asp

The information in the "Mitigating factors" section of Microsoft's bulletin claiming that this vulnerability isn't exploitable by e-mail borne attacks is incorrect. Test exploits have been produced for WWW, Outlook, and Outlook Express attack scenarios. In each of the cases, the exploit code runs without further user interaction on the victim system. Furthermore, no e-mail attachments or any kind of scripting are needed, since the attack can be carried out via standard HTML. In fact, merely starting the e-mail program can lead to exploitation because (depending on configuration) it may automatically open the first new message.

CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen of Oy Online Solutions Ltd, Finland. It was demonstrated on 25th April at Kontakti.net's "Tekninen Tietoturva" seminar in Helsinki.

--
Jouko Pynnonen
Online Solutions Ltd
Secure your Linux - jouko@solutions.fi
http://www.solutions.fi
http://www.secmod.com
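The bug described above is triggered by oversized values in HTTP reply header fields, which is something a filtering proxy or IDS sitting in front of vulnerable clients can check for. The following is an added example (not code from the advisory or from Microsoft) of such a check: it parses the head of a raw HTTP reply, joins folded continuation lines so a value split across lines is measured at its full length, and reports every header whose value exceeds a limit. The 1024-byte limit, the header names and the sample replies are constructed for the example; the advisory does not state which fields or lengths are involved.

```python
import re

# Threshold for flagging a header value. This is an assumption for the
# example; the advisory does not say which fields or lengths overflow.
MAX_HEADER_VALUE_LEN = 1024

# token ":" optional whitespace value optional whitespace (RFC 2616 header line)
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_reply_headers(raw: bytes):
    """Split a raw HTTP reply into (status_line, [(name, value), ...]).
    Only the head up to the first blank line is examined; the body is ignored.
    Folded continuation lines (leading SP/HT) are appended to the previous
    value, so a value spread over several lines is measured as one value."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = re.split(rb"\r?\n", head)
    status_line, headers = lines[0], []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
        else:
            # Keep malformed lines visible instead of silently dropping them.
            headers.append((b"<malformed>", line))
    return status_line, headers


def find_oversized_headers(raw: bytes, limit: int = MAX_HEADER_VALUE_LEN):
    """Return the names of headers whose value is longer than `limit` bytes."""
    _status, headers = parse_reply_headers(raw)
    return [n.decode("latin-1") for n, v in headers if len(v) > limit]


# Constructed sample replies (not captured traffic); X-Example is a made-up header.
BENIGN_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 5\r\n\r\nhello")
SUSPECT_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 b"X-Example: " + b"A" * 2048 + b"\r\n\r\nhello")
FOLDED_REPLY = (b"HTTP/1.1 200 OK\r\nX-Example: " + b"A" * 600 + b"\r\n"
                b" " + b"B" * 600 + b"\r\n\r\n")

if __name__ == "__main__":
    print(find_oversized_headers(BENIGN_REPLY))   # []
    print(find_oversized_headers(SUSPECT_REPLY))  # ['x-example']
    print(find_oversized_headers(FOLDED_REPLY))   # ['x-example']
```

A proxy that drops or truncates flagged replies reduces exposure for unpatched clients, but the fix the advisory points to is the vendor patch, not the filter.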