Overview
Following are some technical details of the URLMON.DLL buffer overflow. An overall description can be found in this Bugtraq message:
http://www.securityfocus.com/archive/1/319764.
Microsoft released a patch to fix this issue in April (MS03-15). It can be found here: http://www.microsoft.com/technet/security/bulletin/MS03-15.asp.
Details
The buffer overflow happens when a program using the vulnerable DLL (Internet Explorer, Outlook, possibly others) receives an HTTP reply which has excessively long values in both “Content-type” and “Content-encoding” fields.
By exploiting this vulnerability, an attacker can run arbitrary code on a victim’s computer when a malicious web page or an HTML mail message is viewed. Starting up Outlook may be enough to trigger the exploit, since the program may open a preview of the first new message on startup.
No scripting, ActiveX, or even an IFRAME is needed – an IMG tag is enough. For this reason Security Zone settings don’t have effect on this flaw. For some reason an IMG tag seems to be in fact required in order to produce an exploitable buffer overflow. If the malicious HTTP reply comes with a normal HTML document, Internet Explorer hangs or just exits without any comment.
If the requirements are met (both header fields containing correctly sized values, IMG tag used), the issue reduces to a trivial stack-based buffer overflow. The return address is overwritten by the “Content-encoding” value. An appropriate length for the values seems to be about 300 bytes. To reproduce the buffer overflow, these files can be used:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - #!/usr/bin/perl # # Name this file as "urlmon-bo.cgi" # $LONG="A"x300; print "Content-type: $LONG\r\n"; print "Content-encoding: $LONG\r\n"; print "\r\n"; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- - <html> <body> <img src="urlmon-bo.cgi"> </body> </html> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
If you view the HTML file with Internet Explorer on a vulnerable system, the program will crash with EIP=0x41414141 (this at least happened on various test systems). The actual exploit is left as an excercise.
Credits
The vulnerability was found and researched by Jouko Pynnönen, Klikki Oy (jouko@iki.fi).
An exploit for this flaw was demonstrated at Kontakti.net’s “Tekninen Tietoturva” seminar in Helsinki, April 2003.