Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4457
HistoryApr 28, 2003 - 12:00 a.m.

Buffer overflow in Internet Explorer's HTTP parsing code

2003-04-2800:00:00
vulners.com
10
JSON

OVERVIEW

The code used in Microsoft Internet Explorer to parse web servers' HTTP
replies contains a buffer overflow vulnerability. Specifically the faulty
code is located in URLMON.DLL. A malicious user may exploit this
vulnerability to execute arbitrary code on an IE user's system.

DETAILS

HTTP is the protocol used in communication between web servers and web
browsers. When a web page is viewed, the browser sends a HTTP request to
the server in question. The server then sends a HTTP reply which usually
contains the web page the browser requested. In addition to the
document body which is shown to the user, the HTTP reply contains some
header fields which e.g. specify how the document should be presented to
the user.

Due to missing or insufficient input validation, a buffer overflow
takes place in Internet Explorer when it receives a HTTP reply
with excessively long values in certain header fields. A buffer placed
on stack gets overrun and a malicious reply may overwrite data,
including the subroutine's return address, and thus direct the program
execution to an arbitrary address. The vulnerability is a traditional
stack-based buffer overflow and relatively easy to exploit.

This vulnerability can be used by an attacker to run any code in the
system of the victim viewing a special web page with Internet Explorer or
reading mail with Outlook or Outlook Express. More details will be
published later.

SOLUTION

The vendor was informed about the bug on March 16, 2003. Microsoft has
classified this vulnerability as critical and published a bulletin
and patch correcting the issue. These are available at

http://www.microsoft.com/technet/security/bulletin/MS03-015.asp

The information in the "Mitigating factors" section of Microsoft's
bulletin claiming that this vulnerability isn't exploitable by e-mail
borne attacks is incorrect. Test exploits have been produced for
WWW, Outlook, and Outlook Express attack scenarios. In each of the
cases, the exploit code runs without further user interaction on the
victim system. Furthermore, no e-mail attachments or any kind of
scripting are needed since the attack can be carried out via a standard
HTML. In fact merely starting the e-mail program can lead to exploitation
because (depending on configuration) it may automatically open the first
new message.

CREDITS

The vulnerability was discovered by Jouko PynnΓΆnen of Oy Online Solutions
Ltd, Finland. It was demonstrated on 25th April at Kontakti.net's
"Tekninen Tietoturva" seminar in Helsinki.

–
Jouko Pynnonen Online Solutions Ltd Secure your Linux -
[email protected] http://www.solutions.fi http://www.secmod.com

JSON