what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2007-02-13.t

iDEFENSE Security Advisory 2007-02-13.t
Posted Feb 14, 2007
Authored by iDefense Labs, Greg MacManus | Site idefense.com

iDefense Security Advisory 02.13.07 - Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll' FTP client code could allow an attacker to execute arbitrary code. The vulnerability specifically exists in the parsing of reply lines from remote FTP servers. During an FTP session, the client makes requests for the server to perform some operation and the server responds with a numeric code, a human readable message and possibly some other information. As there can be multiple lines in a reply, code in the client breaks the reply up into lines, putting a null byte (character 0x00) after any end of line character. In the case where a line ends exactly on the last character of the reply buffer, the terminating null byte is written outside of the allocated space, overwriting a byte of the heap management structure. By sending a specially crafted series of replys to the client, the heap may be corrupted in a controlled way to cause the execution of arbitrary code.

tags | advisory, remote, arbitrary
advisories | CVE-2007-0217
SHA-256 | d22eb45fb37255371e9e850913d16605ad17aba88ae9adde20de88175b31549f

iDEFENSE Security Advisory 2007-02-13.t

Change Mirror Download
Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption
Vulnerability

iDefense Security Advisory 02.13.07
http://labs.idefense.com/intelligence/vulnerabilities/
Feb 13, 2007

I. BACKGROUND

The WinInet module provides access to common Internet protocols, including
FTP and HTTP, allowing a programmers to add this functionality to their
code without having to re-impelement the details. As an part of the base
operating system, it is used in many applications including Microsoft's
Internet Explorer. More information on the WinInet module is available at
the following link:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/portal.asp

II. DESCRIPTION

Remote exploitation of a design error in Microsoft Corp.'s 'wininet.dll'
FTP client code could allow an attacker to execute arbitrary code.

The vulnerability specifically exists in the parsing of reply lines from
remote FTP servers. During an FTP session, the client makes requests for
the server to perform some operation and the server responds with a
numeric code, a human readable message and possibly some other
information. As there can be multiple lines in a reply, code in the client
breaks the reply up into lines, putting a null byte (character 0x00) after
any end of line character. In the case where a line ends exactly on the
last character of the reply buffer, the terminating null byte is written
outside of the allocated space, overwriting a byte of the heap management
structure. By sending a specially crafted series of replys to the client,
the heap may be corrupted in a controlled way to cause the execution of
arbitrary code.

III. ANALYSIS

Successful remote exploitation of this vulnerability would allow a attacker
to execute arbitrary commands in the context of the currently logged in
user.

In order to exploit this vulnerability, the attacker must convince the
target to follow a link in a program which uses the vulnerable functions,
such as Internet Explorer, Word, or Outlook. For any of these applications
it is sufficient to embed an image linked to a malicious ftp server, but
for modern versions of Outlook, the image will not render unless the user
allows it.

In testing by iDefense Labs, server responses were generated which put
controlled values into controlled memory locations in Internet Explorer,
with varying degrees of success on a system running Windows XP SP2.
Although methods applied during initial testing were unreliable, they did
indicate that it was possible to use this vulnerability to cause code
execution.

The portion of the heap management structure overwritten is used to
determine the length of the allocation it refers to. In combination with
another less severe vulnerability in the FTP code, which allows a remote
attacker to see a valid memory address, it may be possible to cause
reliable remote exploitation.

IV. DETECTION

iDefense has verified that Internet Explorer 6 on the following Microsoft
operating systems, with all security patches applied as of May 2006, are
affected:

Windows 2000 Advanced Server SP4
Windows XP SP2
Windows Server 2003 Enterprise Edition SP1

This vulnerability appears to have existed from at least Internet Explorer
5.0. It is suspected that all versions of Internet Explorer on all
supported platforms are affected.

V. WORKAROUND

iDefense is unaware of any effective workarounds for this vulnerability.
Blocking outgoing port 21 (ftp) requests is not effective, as this it is
possible to supply an ftp URL with an alternative port. It may be possible
to limit exposure to this vulnerability by configuring systems to use a
proxy server for all ftp requests and only allowing white-listed sites.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-016. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-016.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0217 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/16/2006 Initial vendor notification
08/16/2006 Initial vendor response
10/05/2006 Second vendor notification
02/13/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close