Vendor: Microsoft
Software: Internet Explorer 6.0, 5.5, 5.01
Problem: Memory corruption, code execution
Remote: Yes
Risk Level: Medium to low (hard to exploit)
Authors: Axle (ICQ 755756) bug discovery
3APA3A, http://www.security.nnov.ru/ bug research
Original URL: http://www.security.nnov.ru/Idocument331.html
Details:
Axle (ICQ 755756) found an interesting and hard to catch bug in
InternetCreateUrlW function of wininet.dll. It's hard to find, because
in most cases vulnerable application doesn't crash and it can not be
found with automated code scanner, because it's not typical buffer
overflow, but the bug in program logic. Buffer length is checked, but
because of mistyping in vulnerable code it fails to handle exceptional
conditions. Vulnerable piece of code is located at address 0x771E8E85
(wininet.dll version 6.00.2900.2180).
This part of code should convert hostname from Unicode. Whole process is:
It clearly confirms Microsoft has contract with Intel. Joke. Probably.
If translate to C this code looks like
/* 771E8E85 /
if (stringlen == 0) {/ handle exceptional conditions /}
/ the bug is here. It should be stringlen <= 0 /
else {
…
/ stringlen is -1 on oversized hostname /
buflen = (stringlen)2 + 2 / buflen is 0 /
buf = LocalAlloc(0, buflen); / because LMEM_MOVEABLE is not set LocalAlloc returns
zero size page from heap/
/* 771E8EC1 /
len = WideCharToMultiByte
(0,
0x400,
pointer_to_hostname,
-1 / NULL terminated/,
buf,
buflen /* size of allocated buf /,
NULL,
0);
/ because cbMultiByte is 0 WideCharToMultiByte simply calculates
required length, it's equal to real length of our hostname, it doesn't
change content of memory pointed by buf) */
/* 771E8EC6 */
buf[len] = 0; /* here 0 is written to some unallocated memory and we can
partially control address by the length of our hostname */
…
}
The problem is on oversized hostname, because stringlen is -1, not 0 as
expected. So we have:
Because translated hostname points to empty memory chunk it contains
some garbage. In most cases it's only visible effect (you see garbage in
address bar of Internet Explorer). In rare cases than empty chunk is at
the end of memory page on the heap Internet Explorer crashes.
Example:
<a href='http://<buffer_of_256-300_bytes>/'>TEST (CLICK)</a>
Theoretically, this bug is exploitable, because we can manipulate with
memory chunks allocating, e.g. with Javascript or page redirections. In
practice it's very hard for lazy person.
References:
–
http://www.security.nnov.ru
/\_/\
{ , . } |\
±-oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
±------------o66o–+ /
|/