SecurityTracker.com
Category:   Application (Web Browser)  >   Microsoft Internet Explorer (IE) Vendors:   Microsoft
Microsoft Internet Explorer for Mac OS Has Buffer Overflow in Processing the 'file://' URL That Allows Remote Users to Cause Arbitrary Code to Be Executed
SecurityTracker Alert ID:  1004049
SecurityTracker URL:  http://securitytracker.com/id/1004049
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 16 2002
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.1
Description:   A vulnerability has been reported in Microsoft Internet Explorer (IE) for the Mac OS. A remote user can cause another user's IE browser to execute arbitrary code.

It is reported that Internet Explorer for the Mac OS does not properly handle lengthy subdirectories in the 'file://' directive, such as file:///AAAAAA[...] or file://A/A/A/A/[...]. A remote user can create HTML that includes a specially crafted 'file://' URL that, when loaded by the target (victim) user, causes arbitrary code to be executed by the target user's browser. The code runs with the privileges of the target user.

A demonstration exploit is provided below. According to the report, this code overwrites the saved link register (which holds a subroutine's return address on the PowerPC) with the value 0x41424344, and a remote user can supply up to 1313 characters of malicious code before the saved link register. In addition to the IMG SRC tag, the A HREF tag can apparently also be used.

<html>
<body>
<img src=file:///[1313 characters]%41%42%43%44>
</body>
</html>

A working version of this demonstration exploit is available at:

http://www.w00w00.org/files/advisories/ie_sample.html

w00w00 credits Josha Bronson of Angry Packet Security on this discovery.

Impact:   A remote user can create HTML that, when loaded by the target (victim) user, will cause arbitrary code to be executed by the target user's browser with the privileges of the target user.
Solution:   Microsoft has apparently developed a patch. This patch is reportedly available at:

http://www.apple.com/macosx/upgrade/softwareupdates.html

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:   MacOS, UNIX (OS X)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Microsoft Internet Explorer for Mac OS Has Buffer Overflow in Processing the 'file://' URL That Allows Remote Users to Cause Arbitrary Code to Be Executed   (Russ <Russ.Cooper@RC.ON.CA>)
The vendor has issued a fix.



 Source Message Contents

Date:  Tue, 16 Apr 2002 08:22:23 +0400 (MSD)
Subject:  [VulnWatch] w00w00 on Microsoft IE/Office for Mac OS


This is what I'm going to send tonight unless anyone has any last
objections. The site has also been updated.

w00w00 (http://www.w00w00.org)
Angry Packet Security (http://sec.angrypacket.com)

Vulnerability in Multiple Microsoft Products for Mac OS
HTML format: http://www.w00w00.org/advisories/ms_macos.html
Text format: http://www.w00w00.org/files/advisories/ms_macos.txt

SOFTWARE VERSIONS AFFECTED

Microsoft Internet Explorer
Versions affected: 5.1
Platforms affected: Mac OS 8, 9, and X

Microsoft Outlook Express
Versions affected: 5.0.2
Platforms affected: all Mac OS

Microsoft Entourage
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft PowerPoint
Versions affected: 98, 2001, and X
Platforms affected: all Mac OS

Microsoft Excel
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft Word
Versions affected: 2001
Platforms affected: all Mac OS

PRELUDE

A bug in Internet Explorer for Mac OS X was originally reported to
Microsoft by Josha Bronson of Angry Packet Security on January 4,
2002. 

Due to some internal mishandling at Microsoft, this was brushed off
until w00w00 informed Microsoft of its intention to release the
information on February 17. We originally gave them a deadline of
two weeks until we discovered that this affected Eudora (the
Outlook equivalent for Mac OS). When Microsoft determined this
affected most of their Office suite on Mac OS, we felt it was
appropriate to give them time to fix it.

DESCRIPTION

There is a vulnerability in multiple Microsoft products on Mac OS.
The problem lies in the handling of a lengthy subdirectory in the
file:// directive, such as file:///AAAAAA[...] or 
file://A/A/A/A/[...]. The number of subdirectories is trivial as 
long as there is at least one.

IMPLICATIONS

This is another vulnerability with potentially far reaching
consequences. In the case of Entourage, it has the potential for a
worm, with the magnitude depending on how many people actually use
Entourage (Microsoft's Outlook equivalent for Mac OS). In all cases,
writing shellcode to exploit this problem is simple--much simpler
than shellcode for the AOL Instant Messenger problem we
reported in January. Given that Mac OS X has a Unix interface,
existing PowerPC shellcode that runs /bin/sh will work. No complex 
shellcode is needed to bind to a port or download an application off
the web. The /bin/sh shellcode would need to be changed from an
interactive shell to one that will execute a chain of commands. 
There are enough commands on Mac OS by default to allow an attacker
to download and execute an application off of a web page.  The
downloaded application could do any number of things, such as read
off the user's contact list and send the same exploit email to
all of the user's contacts.

EXPLOIT

The following HTML file will demonstrate the problem. We chose to
use IMG simply because that is instantly loaded, but an
<A HREF=...> could have been used also. It can also be viewed (in
live form) at http://www.w00w00.org/files/advisories/ie_sample.html.
It overwrites the saved link register which is used for a
subroutine's return address on PowerPC. This will allow remote
execution of arbitrary code. The saved link register is overwritten
with 0x41424344. This vulnerability will allow up to 1313
characters before the saved link register. Pure binary data
(including NUL bytes) can be used by escaping it (i.e., A as %41).
However, using "%41" will count as three characters, rather than
just one. Note: by character I mean unibyte characters.

<html>
<body>
<img src=file:///[1313 characters]%41%42%43%44>
</body>
</html>

PATCHES

For Internet Explorer, a patch is available from 
http://www.apple.com/macosx/upgrade/softwareupdates.html. For
the other products, the patches can be downloaded from
http://www.microsoft.com/mac/download.

CREDIT

w00w00 would like to thank Angry Packet for involving us in their
efforts to get Microsoft to resolve this problem after their 
attempts failed.
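
As an added defender-side example (not part of the w00w00 advisory or of SecurityTracker's entry), the following Python scanner flags file:// URLs in src and href attributes whose raw length approaches the 1313-character offset the advisory reports, and notes percent-encoded non-printable bytes such as NUL. The 1024-character alert threshold and the embedded sample HTML are constructed assumptions.

```python
"""Flag over-long file:// URLs in HTML src/href attributes (constructed sample below)."""
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

# Raw URL characters the advisory reports fit before the saved link register.
LR_OFFSET = 1313
# Assumed alerting threshold (not from the advisory); a legitimate file:// link is far shorter.
ALERT_RAW_LEN = 1024

class FileUrlScanner(HTMLParser):
    """Collects every file:// URL found in a src or href attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            if not value.lower().startswith("file://"):
                continue
            raw_path = value[len("file://"):]      # unquoted values (as in the PoC) parse too
            decoded = unquote_to_bytes(raw_path)   # %41 -> b"A", %00 -> NUL byte
            self.findings.append({
                "tag": tag, "attr": name,
                "raw_len": len(raw_path),          # advisory: "%41" counts as 3 characters
                "decoded_len": len(decoded),       # bytes after percent-decoding
                "nonprintable": any(b < 0x20 or b > 0x7E for b in decoded),
                "alert": len(raw_path) >= ALERT_RAW_LEN,
            })

def scan_html(document):
    """Return one finding dict per file:// URL in the document's src/href attributes."""
    scanner = FileUrlScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings

# Constructed sample: the advisory's IMG pattern with its placeholder filled by 1313 'A's,
# an A HREF variant carrying a percent-encoded NUL, and a benign local link.
SAMPLE_HTML = (
    "<html><body>\n"
    "<img src=file:///" + "A" * LR_OFFSET + "%41%42%43%44>\n"
    '<a href="file:///A/A/A/%00">x</a>\n'
    '<a href="file:///Users/demo/notes.html">notes</a>\n'
    "</body></html>\n"
)
```

Run scan_html(SAMPLE_HTML) to see the first two links reported (the IMG for length, the A HREF for the NUL) while the benign link passes.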







 
 


Copyright 2013, SecurityGlobal.net LLC