NGSSoftware Insight Security Research Advisory Name: Microsoft Internet Explorer Install Engine Control Buffer Overflow Systems Affected: Microsoft Internet Explorer 5.x/6.x Severity: High Vendor URL: http://www.microsoft.com/ Author: Peter Winter-Smith [ peter@ngssoftware.com ] Date of Public Advisory: 19th January 2004 Advisory number: #NISR19012005a Advisory URL: http://www.ngssoftware.com/advisories/msinsengfull.txt Reference: http://www.ngssoftware.com/advisories/msinsengdll.txt Description *********** All versions of Microsoft Windows, with Microsoft Internet Explorer, come packaged with the Microsoft Active Setup/Install Engine components. These components are marked as safe for scripting and can be invoked by default from any basic web-page. The Install Engine control has been found to be vulnerable to an integer overflow, leading to a heap based buffer overflow which could allow an attacker to run arbitrary code on a vulnerable system through a specially crafted web-page or through a specially crafted HTML email if scripting is enabled. Details ******* When calling the SetCifFile() method provided by the Active Setup Controls ActiveX component 'asctrls.ocx', if the first parameter (the '.cab' file name) is a string of a length in excess of about 2kb, an integer overflow occurs when attempting to calculate the buffer space allowed for copying the base url. The vulnerable code path will only be executed if the 'BaseURL' property has previously been set. The value stored as this property is the first string which can be made to overflow the heap. After the base url is copied into the buffer, the string which we have provided as the cab file name is concatenated onto the end of our buffer without any length checking, making it the second string which can overflow the heap. The vulnerable code is located within the Install Engine Control module ('inseng.dll') which is provided with the Active Setup Controls component, both of which can be found in the 'System32' folder in the Windows directory. The vulnerable code can be seen below: MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrcpynA>] ; kernel32.lstrcpynA() ... PUSH DWORD PTR SS:[EBP+C] ; /String = Cab file name AND BYTE PTR DS:[ESI],0 ; | CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA() MOV ECX,822 ; Max buffer size SUB ECX,EAX ; Calculate remaining buffer space - integer overflow! PUSH ECX ; /n = Unchecked value - remaining buffer space! PUSH DWORD PTR SS:[EBP-8] ; |String2 = BaseURL property value PUSH ESI ; |String1 = 0x822 bytes heap buffer CALL EBX ; \lstrcpynA() MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA() PUSH inseng.66561C84 ; /StringToAdd = "/" PUSH ESI ; |ConcatString = Our heap buffer CALL EDI ; \lstrcatA() PUSH DWORD PTR SS:[EBP+C] ; /StringToAdd = Our Cab file name PUSH ESI ; |ConcatString = Our heap buffer CALL EDI ; \lstrcatA() Fix Information *************** Microsoft have released an update for Microsoft Internet Explorer which is set to address this issue. This can be downloaded from: http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx A check for this vulnerability has been added to Typhon III, NGSSoftware's advanced vulnerability assessment scanner. For more information please visit the NGSSoftware website at http://www.ngssoftware.com/ About NGSSoftware ***************** NGSSoftware design, research and develop intelligent, advanced application security assessment scanners. Based in the United Kingdom, NGSSoftware have offices in the South of London and the East Coast of Scotland. NGSSoftware's sister company NGSConsulting, offers best of breed security consulting services, specialising in application, host and network security assessments. http://www.ngssoftware.com/ Telephone +44 208 401 0070 Fax +44 208 401 0076 enquiries@ngssoftware.com