exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

EEYE-MS06-042-2.txt

EEYE-MS06-042-2.txt
Posted Aug 28, 2006
Authored by Derek Soeder | Site eeye.com

eEye Digital Security has discovered a heap overflow vulnerability in the MS06-042 cumulative Internet Explorer update that would allow an attacker to execute arbitrary code on the system of a victim who attempts to access a malicious URL. Only Windows 2000 and Windows XP SP1 systems running Internet Explorer 6 SP1 with the MS06-042 patch applied are vulnerable.

tags | advisory, overflow, arbitrary
systems | windows
SHA-256 | 140740018944f8f8fb1cd1ce93819ababbcebc675a58daa37730a7bec43591c1

EEYE-MS06-042-2.txt

Change Mirror Download
Internet Explorer Compressed Content URL Heap Overflow Vulnerability

Release Date:
August 24, 2006

Date Reported:
August 17, 2006

Severity:
High (Code Execution)

Systems Affected:
Internet Explorer 6 SP1 with MS06-042 - Windows 2000
Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the MS06-042 cumulative Internet Explorer update that would allow an
attacker to execute arbitrary code on the system of a victim who
attempts to access a malicious URL. Only Windows 2000 and Windows XP SP1
systems running Internet Explorer 6 SP1 with the MS06-042 patch applied
are vulnerable.

The heap overflow occurs when URLMON.DLL attempts to handle a long URL
for which the web server's response indicated GZIP or deflate encoding.
This means that the user interaction requirement for this attack is
negligible, since clicking a hyperlink, visiting a malicious web page,
or even attempting to view an image for which the source is a malicious
URL, permits exploitation of the vulnerability. Furthermore, the
attacker is not required to control a web server in order to serve up a
specially-crafted response, since any compressed response -- even an
error message -- is sufficient to cause the overflow, regardless of its
content.

Technical Details:
URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch
for Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains
a heap buffer overflow vulnerability due to an incongruous use of
lstrcpynA. CMimeFt::Create allocates a 390h-byte heap block for a new
instance of the CMimeFt class, within which there is a 104h
(MAX_PATH)-byte ASCII string buffer at offset +160h:

1A4268DD push 390h ; cb
1A4268E2 call ??2@YAPAXI@Z ; operator new(uint)

When an access to a URL elicits a GZIP- or deflate-encoded response from
the web server, CMimeFt::Start will attempt to copy the URL into the
104h-byte string buffer using the lstrcpynA API function, but it passes
a maximum length argument of 824h (2084 decimal), a value typically used
as the maximum length of a URL:

1A426199 push 824h ; iMaxLength
1A42619E push eax ; lpString2
1A42619F add esi, 160h
1A4261A5 push esi ; lpString1
1A4261A6 call ds:lstrcpynA

As a result, fields within the CMimeFt class instance as well as the
contents of adjacent heap blocks can be overwritten with
attacker-supplied data from the malicious URL.

URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH
both as the buffer size and as the maximum copy length, while URLMON.DLL
in the patch for Windows XP SP2 and Windows 2003 uses 824h in both
places.

This issue was originally documented as an Internet Explorer crash in
Microsoft Knowledge Base Article KB923762
(http://support.microsoft.com/?kbid=923762; Revision 2.0 as of August
21st), in response to numerous reports of conflicts between the MS06-042
patch and various HTTP-based software products, dating back to at least
August 11th. eEye independently discovered the flaw on August 15th and
subsequently reported it to Microsoft on the 17th.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a new version of the MS06-042 patch to correct
this vulnerability. The revised patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx.

Note that installing the original release of the MS06-042 update causes
a system to become vulnerable, so the version 2.0 release of the
MS06-042 patch will need to be applied in order to secure that system.

Systems with the hotfix described in Microsoft Knowledge Base Article
KB923762 (http://support.microsoft.com/?kbid=923762) applied are not
susceptible to this vulnerability, although the MS06-042 v2.0 patch
should still be installed on these systems.

Credit:
Derek Soeder

Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial

Greetings:
Unexpected exits.

Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close