|
This is a multi-part message in MIME format.
------_=_NextPart_001_01C6C7B4.7E5B8221
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Internet Explorer Compressed Content URL Heap Overflow Vulnerability
Release Date:
August 24, 2006
Date Reported:
August 17, 2006
Severity:
High (Code Execution)
Systems Affected:
Internet Explorer 6 SP1 with MS06-042 - Windows 2000
Internet Explorer 6 SP1 with MS06-042 - Windows XP SP1
Overview:
eEye Digital Security has discovered a heap overflow vulnerability in
the MS06-042 cumulative Internet Explorer update that would allow an
attacker to execute arbitrary code on the system of a victim who
attempts to access a malicious URL. Only Windows 2000 and Windows XP SP1
systems running Internet Explorer 6 SP1 with the MS06-042 patch applied
are vulnerable.
The heap overflow occurs when URLMON.DLL attempts to handle a long URL
for which the web server's response indicated GZIP or deflate encoding.
This means that the user interaction requirement for this attack is
negligible, since clicking a hyperlink, visiting a malicious web page,
or even attempting to view an image for which the source is a malicious
URL, permits exploitation of the vulnerability. Furthermore, the
attacker is not required to control a web server in order to serve up a
specially-crafted response, since any compressed response -- even an
error message -- is sufficient to cause the overflow, regardless of its
content.
Technical Details:
URLMON.DLL version 6.0.2800.1565, distributed with the MS06-042 patch
for Internet Explorer 6 SP1 on Windows 2000 and Windows XP SP1, contains
a heap buffer overflow vulnerability due to an incongruous use of
lstrcpynA. CMimeFt::Create allocates a 390h-byte heap block for a new
instance of the CMimeFt class, within which there is a 104h
(MAX_PATH)-byte ASCII string buffer at offset +160h:
1A4268DD push 390h ; cb
1A4268E2 call ??2@YAPAXI@Z ; operator new(uint)
When an access to a URL elicits a GZIP- or deflate-encoded response from
the web server, CMimeFt::Start will attempt to copy the URL into the
104h-byte string buffer using the lstrcpynA API function, but it passes
a maximum length argument of 824h (2084 decimal), a value typically used
as the maximum length of a URL:
1A426199 push 824h ; iMaxLength
1A42619E push eax ; lpString2
1A42619F add esi, 160h
1A4261A5 push esi ; lpString1
1A4261A6 call ds:lstrcpynA
As a result, fields within the CMimeFt class instance as well as the
contents of adjacent heap blocks can be overwritten with
attacker-supplied data from the malicious URL.
URLMON.DLL in the MS06-042 patch for Internet Explorer 5 uses MAX_PATH
both as the buffer size and as the maximum copy length, while URLMON.DLL
in the patch for Windows XP SP2 and Windows 2003 uses 824h in both
places.
This issue was originally documented as an Internet Explorer crash in
Microsoft Knowledge Base Article KB923762
(http://support.microsoft.com/?kbid=923762; Revision 2.0 as of August
21st), in response to numerous reports of conflicts between the MS06-042
patch and various HTTP-based software products, dating back to at least
August 11th. eEye independently discovered the flaw on August 15th and
subsequently reported it to Microsoft on the 17th.
Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.
Vendor Status:
Microsoft has released a new version of the MS06-042 patch to correct
this vulnerability. The revised patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS06-042.mspx.
Note that installing the original release of the MS06-042 update causes
a system to become vulnerable, so the version 2.0 release of the
MS06-042 patch will need to be applied in order to secure that system.
Systems with the hotfix described in Microsoft Knowledge Base Article
KB923762 (http://support.microsoft.com/?kbid=923762) applied are not
susceptible to this vulnerability, although the MS06-042 v2.0 patch
should still be installed on these systems.
Credit:
Derek Soeder
Related Links:
Retina Network Security Scanner - Free Trial
Blink Endpoint Vulnerability Prevention - Free Trial
Greetings:
Unexpected exits.
Copyright (c) 1998-2006 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please email
alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information. In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the
user's own risk.
------_=_NextPart_001_01C6C7B4.7E5B8221
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: base64
eJ8+Ii4TAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAGAAAAElQTS5NaWNy
b3NvZnQgTWFpbC5Ob3RlADEIAQ2ABAACAAAAAgACAAEEgAEASwAAAEVFWUU6IEludGVybmV0IEV4
cGxvcmVyIENvbXByZXNzZWQgQ29udGVudCBVUkwgSGVhcCBPdmVyZmxvdyBWdWxuZXJhYmlsaXR5
ABsbAQWAAwAOAAAA1gcIABgADAAiACwABABbAQEggAMADgAAANYHCAAYAAwAIwAtAAQAXQEBCYAB
ACEAAAAwOTZCMzZFQzIzNjk1MTQ2QTQyQjlBN0ZBQjQzMzlERAA0BwEDkAYAlBEAAC8AAAALAAIA
AQAAAAMAJgAAAAAAAwA2AAAAAABAADkAII0nWrTHxgEeAD0AAQAAAAEAAAAAAAAAAgFHAAEAAAA7
AAAAYz1VUzthPSA7cD1lRXllIERpZ2l0YWwgU2VjO2w9QVYtTUFJTDAxLTA2MDgyNDE5MzU0NVot
MzkwNAAAHgBwAAEAAABLAAAARUVZRTogSW50ZXJuZXQgRXhwbG9yZXIgQ29tcHJlc3NlZCBDb250
ZW50IFVSTCBIZWFwIE92ZXJmbG93IFZ1bG5lcmFiaWxpdHkAAAIBcQABAAAAFgAAAAHGx7RaHkdW
5aWe3kuEnCApoFMKyOIAAB4AGgwBAAAADgAAAE1hcmMgTWFpZmZyZXQAAAAeAB0OAQAAAEsAAABF
RVlFOiBJbnRlcm5ldCBFeHBsb3JlciBDb21wcmVzc2VkIENvbnRlbnQgVVJMIEhlYXAgT3ZlcmZs
b3cgVnVsbmVyYWJpbGl0eQAAAgEJEAEAAACcCwAAmAsAAP4VAABMWkZ1z/5blQMACgByY3BnMTI1
4jIDQ3RleAVBAQMB9/8KgAKkA+QHEwKAD/MAUARWPwhVB7IRJQ5RAwECAGNo4QrAc2V0MgYABsMR
JfYzBEYTtzASLBEzCO8J97Y7GB8OMDURIgxgYwBQMwsJAWQzNhZQC6YgSccCMASRFCAgRXgLUAWw
8xKBCFBtcBggBBAJgBIhAx0BAjAgVVJMIEhAZWFwIE92BJBmoxewB+BWdWwdQHIBoHEDEGl0eQqi
CoQKgFKMZWwfkBQQIERhDrCCOiE0QXVndXMFQIgyNCwjgDAwNiE6cyJyB/BlcBfBCYAivDF6NyO/
CgZgH+EhASK1SOBpZ2ggKAhQAQAdcVEFkHV0aQIgKScLefkjYGVtELEBIAWQJXgc/0QgNgYAUDEg
A/B0RyjgBeAj8C0wNBRALfQgVwuAZCAwBCAj0QFAzyvvLP8uDwQgWFAxAiE6FR/SdgiQdyK1ZUV5
fyJRKMAhAAdABlEpkCgCIHsT4AQgZAQABaAf4R6RYa82MB+SNsIgE3YgeiALgN4gMXAiUDGnKZBt
IHAigI5pH+Ac7wXAdXBkJOKvMXAigDFACGBsNxFsICInA5EigAGQY2sSgXRvviAOwCmCIlAKwCDQ
dCCwvnI2IAWgKTECIDkzcyrTfTeQZjchNDArgAdwMUBofz4wPZErAAUwBCA+IQDQY+8eYTchAMAg
8GMpwCNQHzLyLh/Abmw2IC66PVEeoEcyXEAlBCBydW4DAG7eZzq/MNs5SwqwdBPQNyB+cAtQCJA3
ERggOCciEC7tITpUOVE3XG9CcAhwBCAHQWAJ8B8yTU9OLkT+TB9gQaoT4C7QIhA3IRewf0cBH0IC
EAXAQWAN4Ejkd9xlYkAgNBEEkCdGkQeQfyVAAIAiUC7BDeAigR6gR/xaSTLgBbEBATpRIlAJ8P8/
cUbxQ8BMYAQAQuAfkAYx/zxTOUIjUBKBC4AdEQDQKbLxUnFxdWkYIAeAHxFQ0r8xcFVxPZQ5AAQg
HUBnIPC/NVBLYSagAJBUwCJQY0MRZmtG8jcxeXAEkCDwbv5rJqA0MACQKbBbE0L4UbL9CrBnWiEF
sSfRPXNB0kbyvz4hNDI9UgdwXbFQzXMIYd9agVjCQuwmoFuBbSEABCD/DsAdoTVhV1NAoTlCODtD
wPwgRghwOUFi8B3BJqA5Qvs9l1libwVAV6UeoD4hBaD/AjADYAMgNzBRuDkCBbAEgf8+ElHzO9E3
IVKgBZAHMUQA+i0FAGEBgB6RUoZaNgBw9z9SHjdShy0ukF40A6AEkHcDYAXAB4FzYAJuwVVxc951
ASBDIR8CaDJhVpE5M/c3piagGCBnCxEiEAQRQKHfYxJoYh8BS5wFkGgDAFNQzQMgRBQgC3BscyK1
TkkHH+EAkD/BNi4wLjKCOCPgLjE1NjUmoP82gT8QWfA+kR6gSL9JxVDS/0c/MOU/wUQ/MlwmoGhi
C3F/YaI3U3kwK1EFwDevOLRk/wpQQiNfwVTBRwBGsENScbKPQKF2ID8QDfB5bkFlYQRDTQdxRnQ6
OkMfGCAk4j0CU1JhojM5MPBoLWJ5JPF/xIWhWUD/UNI3MB1AB+B/YQGQWnJkJfeEhVqhIjBzJqAx
UjkRURcbSsFhkzEuUCjhTUFYQF9QQVRIKYaEQfBTQ0lJQCB5AUcBgBVPPHFAoAPQHVErMRwwaE8i
tSE0ZXBlcDFBLmA26DhERI/ycCNQKOCP8XeGQo/ykbY7OgAMMI+tRR8UQI/xdZEDII/xPz8yCEBZ
QYxAWElAWr2SNG9bgSKABbGH8ShX0PsCMCn7V04CPWJCdEIyHzN/IgBDIUIBNzBTsi6QVAgtv1Sz
bgoDUlFtJqCEh1MBkP8AIDFBlDFBpWgkhBA5Mx9C/1bhPjA5QouihoSNXCNQXvPXOVGDxxDAUI0w
ZkbAV0O/JqB5MXOhScEecWGkeAdw9zogUDAJ8GcxcQrAI0BYE51AoTgjkCjhAdA4NFQh+0MwQvEp
JqBA0QdAggJbcP91gkQBVpE3EVXiIlClHUCjxx9Bjy+QMzE5OZC6psNpkctpTaUgTKWjq99Fm5C6
H5B4kbqSYWxwnbCXjXIOUKvuRo/yYWQeoJ+xEwCQJqCO4rMOQTWwm38AkLGPspQzJbXZMPCT6WR3
djCDxyE6QWGiHlEgcHT/JqBw4CIAuuCKFoj/iCg2Ub9RsJ4yqZRz9XNjtGBqANCvHwKG6HPRA5Fi
chR3KAH3HvExRD2WLXCwSkU8ATcw/5vXQvwhOk5JOR56vx1ptoD/VpEEIIwGgABncEoRqZSAFf0A
kHptIqlvnxOllIoBUSB/T/HH78mJMlsUQH3aI9Ez/8tkpsM5EcxTC1FCgUudVXG7BAGCAXc2UQWw
NUFuqOP/LuA6ER8BqVQDkco/OgAgsG+RETkRhJAFAG9hIAGAIKpLZ2B3IhBkYBFCIjIPBxApsFqw
IlBLQjkySDM3NhRAKGgCQHDYOi8vxNIXwS5jANrFIi5tgS8/ayDQZD3f3NSScCHwXBI/wTJ38Kly
+0ChIyYxI2Cn4TkRUoc+If5upjEDYENhGCAlQnNjaGHvIBBBAQQgwwB0UbBOEcjPH0oRfeGoMAUQ
Q1JIVFT9meBiIjEeoNry1vBKwR5A/wRwGtBCAHixOmGNklkiQjLvBUAiEgVAJhYxMXBDwDTj/y7B
JTAJ8AEAAjDXsjaYOULvVFFNYQOgJhY1pdJ94XCw/mIUEFfA7FTjlB6RpFE+Id/aqD/FJoDrQSE6
UANgDrD/V0MitSHwXFE3MAfA5QAFsPtZQDW3U8LBIJE2M8MAThH/O+RoE99QHwEGkJ9CVXFknP0h
NEJbsh1wLtAlQFbhIFz+IPMAXjJXUx5BXrMf4EQBv+iR8zIEIJvV+A8hOlbsIfsFsZ2xdCNQIrXa
qDZCGCD/IhM3Eofyd2ZkJUlNaDNvgP8rcf2fZUJMYvtR1pAekUnUf1jCqDATkEtSPYEitd1Vd38J
YN498zF1YBQg3bA1xS93eTA9EPQiLzGm3jBSoHj9S5tO8yE8RIgzPRCiFtc2/wGmAx875XGTi2JA
NT4hwwD/bYFK2loxoBR3ZuCSD+9Ja/+eEx1AaATDAUo2abw10Tw130A0S5sqxnmXQXB0cOCxcP9U
MDageREYlNqv27/cz93f/d7uKUorZ2JwsDag46ApsP8IIqADBV6n8bzwQXDhQHnN/nbgkknUkRA8
s+qAniLDAf8OZVOBP8RukUY1S5uFETaA7wh2ddD8APThbx6wymAauvf0EFRiU5BMW8EAVvQf9S39
btBG/AFVQMOAYfD5H/ov9/s6MW8bBUf8AVxSdjfZQP/ZkPNBU4E+UGMRKwyfIddBmyBwi+BjIwCs
wTgtfYH7SFDrg0RZ0SmRMEfypWLi30KgV2JVcYsChpAgguBtQP9TclhkBpJ412PnWMIVgJ3hvxVx
V0BvkHVzRABlYUmkMf9nRBfkK/IYlG1C6EBDccQB/+cQQIHZkG3CaFJukKZk64L7QYKmoHnnEMPh
kRFPgeOR/41xVjRN8GiwDzJtMxrBpnP/P/lDJcxhjgG+gOywpWE4MP1asHVU8kCZSmVisRWEG7D7
dgFANEBFg97hUMNi0zzT/9V7OyDs0AgAhKEtVQZyL5D/yfFf8FdTvadVcaSAW4HGMf9tYfYQWxDW
0UPlZ2Ed0EWy/lUVttZiUXlE0qOwADCF4/+YIZ6wv3PJ8nGyQyOM4djg/1jgaGEsAU8it4AGcYsh
I6T/1uFvgD3xX3CJ8c6wxQReAv9EZIoEcsUk11FpQYKX8FqR/zRzKFGUImZjpCAcgP/gwwH/JfAI
E4eTbVHssATj/9HTMf9h5MVgTTBTwBvRDiEeEDRx/4exw4CiA0QSwUFiQ2hS2UD/o6N5iINTzWFt
sbRgVT9ZlH5BbVGDVVV/i1JHRNPxclonc2F34iHWkGvVdX0BbNAeADUQAQAAAEcAAAA8QTY0MUNF
QUREQkFFQUU0Qzk2RkM1QkY4NTQ2OTUyNjgwMTUxMkQwN0Bhdi1tYWlsMDEuY29ycC5pbnQtZWV5
ZS5jb20+AAADAIAQ/////x8A8xABAAAAogAAAEUARQBZAEUAJQAzAEEAIABJAG4AdABlAHIAbgBl
AHQAIABFAHgAcABsAG8AcgBlAHIAIABDAG8AbQBwAHIAZQBzAHMAZQBkACAAQwBvAG4AdABlAG4A
dAAgAFUAUgBMACAASABlAGEAcAAgAE8AdgBlAHIAZgBsAG8AdwAgAFYAdQBsAG4AZQByAGEAYgBp
AGwAaQB0AHkALgBFAE0ATAAAAAAACwD2EAAAAABAAAcwxx9ZfrTHxgFAAAgwPdBpfrTHxgEDAN4/
n04AAAMA8T8JBAAAHgD4PwEAAAAOAAAATWFyYyBNYWlmZnJldAAAAAIB+T8BAAAAbgAAAAAAAADc
p0DIwEIQGrS5CAArL+GCAQAAAAAAAAAvTz1FRVlFIERJR0lUQUwgU0VDVVJJVFkvT1U9RklSU1Qg
QURNSU5JU1RSQVRJVkUgR1JPVVAvQ049UkVDSVBJRU5UUy9DTj1NTUFJRkZSRVQAAAAeAPo/AQAA
ABUAAABTeXN0ZW0gQWRtaW5pc3RyYXRvcgAAAAACAfs/AQAAAB4AAAAAAAAA3KdAyMBCEBq0uQgA
Ky/hggEAAAAAAAAALgAAAAMA/T/kBAAAAwAZQAAAAAADABpAAAAAAB4AMEABAAAACgAAAE1NQUlG
RlJFVAAAAB4AMUABAAAACgAAAE1NQUlGRlJFVAAAAB4AOEABAAAACgAAAE1NQUlGRlJFVAAAAB4A
OUABAAAAAgAAAC4AAAADAHZA/////wMACVkBAAAACwCHgQggBgAAAAAAwAAAAAAAAEYAAAAADoUA
AAAAAAADAOuBCCAGAAAAAADAAAAAAAAARgAAAAABhQAAAAAAAAsA8IEIIAYAAAAAAMAAAAAAAABG
AAAAAAOFAAAAAAAAAwD6gQggBgAAAAAAwAAAAAAAAEYAAAAAEIUAAAAAAAADAAGCCCAGAAAAAADA
AAAAAAAARgAAAAAYhQAAAAAAAAsAIIIIIAYAAAAAAMAAAAAAAABGAAAAAAaFAAAAAAAACwAhgggg
BgAAAAAAwAAAAAAAAEYAAAAAgoUAAAAAAAALACkAAAAAAAsAIwAAAAAAAwAGEC00jdwDAAcQ/A8A
AAMAEBAAAAAAAwAREAEAAAAeAAgQAQAAAGUAAABJTlRFUk5FVEVYUExPUkVSQ09NUFJFU1NFRENP
TlRFTlRVUkxIRUFQT1ZFUkZMT1dWVUxORVJBQklMSVRZUkVMRUFTRURBVEU6QVVHVVNUMjQsMjAw
NkRBVEVSRVBPUlRFRDpBAAAAAAIBfwABAAAARwAAADxBNjQxQ0VBRERCQUVBRTRDOTZGQzVCRjg1
NDY5NTI2ODAxNTEyRDA3QGF2LW1haWwwMS5jb3JwLmludC1lZXllLmNvbT4AAEu/
------_=_NextPart_001_01C6C7B4.7E5B8221--