VGX.DLL Compressed Content Heap Overflow Vulnerability

Release Date:
August 14, 2007

Date Reported:
October 24, 2006

Severity:
High (Code Execution)

Systems Affected:
Internet Explorer 6 SP1 - Windows 2000 SP4
Internet Explorer 6 SP1 - Windows XP SP1
Internet Explorer 6 SP2 - Windows XP SP2
Internet Explorer 6 SP1 - Windows Server 2003 SP1
Internet Explorer 6 SP2 - Windows Server 2003 SP2

Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
VGX.DLL's processing of compressed content referenced from VML.  VGX.DLL
is the Microsoft component responsible for rendering VML (Vector Markup
Language) within Internet Explorer.

If a user views a malicious web page or HTML e-mail containing VML that
points to compressed content on an attacker-controlled web server, the
attacker can cause a heap overflow within the viewing application,
leading to the execution of arbitrary code.

(Note that, in order to be exploited directly from HTML e-mail, the
victim must attempt to view the malicious e-mail in the Internet Zone,
or with otherwise equivalent security and privacy settings that allow
internet content to be downloaded and displayed.)

Technical Details:
VGX.DLL contains an implementation of the CDownloadSink class that
processes data downloaded from URLs embedded within VML.  For instance,
the following VML will download additional content which will be handled
by VGX.DLL!CDownloadSink::OnDataAvailable:

    <v:rect>
    <v:imagedata src="http://malice/compressed.emz">
    </v:rect>

An integer underflow vulnerability exists within
VGX.DLL!CDownloadSink::OnDataAvailable that can eventually cause
URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer, due to a
misreported buffer size when handling compressed content.  The second
argument ([EBP+10h]; [EBP+8] is the 'this' pointer) passed into
CDownloadSink::OnDataAvailable is the total length of all raw
(compressed) data received so far, but the function will subtract the
total length of uncompressed data in its buffer from the total length of
raw data when calculating the read limit to be passed to
URLMON.DLL!CReadOnlyStreamDirect::Read.  Assuming that the data is
larger uncompressed than compressed, an integer underflow can be made to
occur, causing a very large value (roughly 4GB) to be supplied as the
read limit.  If the amount of data subsequently read exceeds the amount
of unused space in the buffer, a heap overflow with arbitrary binary
data will result.

Exploitation requires that CDownloadSink::OnDataAvailable be invoked at
least twice -- once to load the buffer with some non-zero length of
uncompressed data, and a second time to cause the overflow -- so the
compressed data must be received in distinct (e.g., time-separated)
pieces.  Since such divisions may occur legitimately, positively
identifying attempts to exploit this vulnerability are difficult, and
conversely, even legitimate web sites may cause a non-malicious heap
overflow to occur.

Internet Explorer 7 silently fixed the vulnerability roughly ten months
ago, due to a change in URLMON.DLL's behavior when reading compressed
content.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability.  The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-050.mspx

Credit:
Discovery: Ben Nagy and Derek Soeder
Research: Derek Soeder

Related Links:
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Home Use:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html

Greetings:
Tony B. for contributing the site.  Jennifer, Barnz, Reverse, Karl,
Dave, Steve, Glenn, Eric, Ryan, Saeed, Daniel, and Yuji.  Greg rocks!
(where were you in 2003?)  The Cygnet.

Copyright (c) 1998-2007 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically.  It is not to be edited in any way without express
consent of eEye.  If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.