Vulnerability: SmartDownload

Affected: Netscape SmartDownload 1.3

Description:

The following was submitted to vulnhelp@securityfocus.com on 2nd March by Craig Davison, Ryan Russell and Bruce Leidl. It was also discovered independently by Frank Swiderski and described in an @stake advisory released on 13 April, 2001.

A buffer overflow present in a DLL used by Netscape SmartDownload is exploitable even if the software is disabled. Successfully exploiting the buffer overflow in sdph20.dll would allow an attacker to execute arbitrary code as the currently logged in user. In Windows 95/98/Me, this means privileged access to all resources on the target host.

Netscape SmartDownload adds pause, resume and auto-restart download capabilities to common web browsers such as Netscape Navigator, Microsoft Internet Explorer and NeoPlanet. It is installed by default with SmartDownload versions of Netscape Communicator, and marketed as an add-on "download manager" for other browsers. It is available for all Win32 platforms (Windows 95/98/Me, NT/2000).

All URLs visited by a user are analyzed and parsed by SmartDownload for MIME type and extension to determine whether the SmartDownload dialog box should be presented, regardless of whether SmartDownload is enabled. URLs parsed include web pages viewed within the browser (including redirects), web pages within framesets and files spawned to external viewers. Images, embeds and targets of object tags are not parsed by SmartDownload.

A bug in the library 'sdph20.dll' used by SmartDownload prevents it from properly parsing URLs greater than 256 characters in length. The parsing code in sdph20.dll reserves 256 characters for an URL on the stack, but an unchecked lstrcpy will copy URLs of arbitrary length into that buffer, overwriting several local variables, the return address and other parts of the stack.
Analysis of sdph20.dll reveals that the ESI register will always point to a location in memory with a predictable offset from the start of the URL buffer after the parser function returns. This means that shellcode within the URL can be reached with a CALL ESI or JMP ESI instruction if a known location containing either of those instructions is inserted in the return address (byte 272). [SmartDownload places some restrictions on the characters permitted in an URL: reserved URL characters such as # : ? and & are clipped or replaced. Additionally, the NULL character and some control characters (ASCII < 32) are rejected outright by some web browsers.]

If the overflow is successfully exploited, shellcode will be executed by the victim with the privileges of the currently logged in user. If the victim is using Windows 95, 98 or Me, the shellcode will be run with privileged access to all system resources (local Administrator access).

Attacker finds a memory location known to contain a JMP ESI or CALL ESI on the target host. Attacker creates a 1000-byte string designed to overflow the URL parser function in sdph20.dll. The attacker places the ESI jump address at byte 272 of the string, and pads the remainder with equivalent-to-NOP characters such as 0x41 (A). The attacker creates shellcode and places it toward the end of the string. Attacker constructs a malicious web page containing a redirect to the URL or an invisible frame containing the URL and lures the victim to the web page. Attacker-supplied shellcode could, for example, download and install a trojan horse or backdoor program on the victim host.

A utility is available that generates a web page that will exploit this vulnerability. The exploit is intentionally crippled. This exploit, written by the SecurityFocus staff, is of special interest because it is executed transparently and without crashing the browser.
A user who had this type of exploit leveraged against them by surfing otherwise innocent-seeming web pages would never know they had been attacked and possibly backdoored. There is a popular conception that client-side exploits like this (in terms of buffer overflows) will crash the browser and thereby alert the user to unusual activity. This is no longer the case.

Exploit: http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz

Solution:

Netscape has released SmartDownload 1.4, which does not contain this bug.

Netscape upgrade SmartDownload 1.4: http://home.netscape.com/download/smartdownload.html