> URLMON.DLL buffer overflow - technical details
    Subject: URLMON.DLL buffer overflow - technical details

    OVERVIEW
    ========

    Following are some technical details of the URLMON.DLL buffer overflow.
    An overall description can be found in this Bugtraq message:

     http://www.securityfocus.com/archive/1/319764

    Microsoft released a patch to fix this issue in April (MS03-15). It can
    be found here:

     http://www.microsoft.com/technet/security/bulletin/MS03-15.asp

    DETAILS
    =======

    The buffer overflow happens when a program using the vulnerable DLL
    (Internet Explorer, Outlook, possibly others) receives an HTTP reply
    which has excessively long values in both "Content-type" and
    "Content-encoding" fields.

    By exploiting this vulnerability, an attacker can run arbitrary code on
    a victim's computer when a malicious web page or an HTML mail message
    is viewed. Starting up Outlook may be enough to trigger the exploit,
    since the program may open a preview of the first new message on
    startup.

    No scripting, ActiveX, or even an IFRAME is needed - an IMG tag is
    enough. For this reason Security Zone settings don't have effect on
    this flaw. For some reason an IMG tag seems to be in fact required in
    order to produce an exploitable buffer overflow. If the malicious HTTP
    reply comes with a normal HTML document, Internet Explorer hangs or
    just exits without any comment.

    If the requirements are met (both header fields containing correctly  
    sized values, IMG tag used), the issue reduces to a trivial stack-based
    buffer overflow. The return address is overwritten by the
    "Content-encoding" value. An appropriate length for the values seems to
    be about 300 bytes.

    To reproduce the buffer overflow, these files can be used:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
    #!/usr/bin/perl
    #
    # Name this file as "urlmon-bo.cgi"
    #
    $LONG="A"x300;
    print "Content-type: $LONG\r\n";
    print "Content-encoding: $LONG\r\n";
    print "\r\n";
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -
    <html>
    <body>
    <img src="urlmon-bo.cgi">
    </body>
    </html>
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - >8- -

    If you view the HTML file with Internet Explorer on a vulnerable
    system, the program will crash with EIP=0x41414141 (this at least
    happened on various test systems). The actual exploit is left as an
    exercise.

    CREDITS
    =======

    The vulnerability was found and researched by Jouko Pynnönen
    <jouko@iki.fi>. The original report (as well as some of my other
    work) can be seen at my ex-employer's website:

     http://www.solutions.fi/index.cgi/news_2003_04_28?lang=eng

    An exploit for this flaw was demonstrated at Kontakti.net's "Tekninen
    Tietoturva" seminar in Helsinki, April 2003.

    Greets to: Minttu, Esa Etelävuori, Andreas Sandblad, Georgi Guninski,  
    Solar Designer, DJ28.

    --
    Jouko Pynnonen          http://iki.fi/jouko/
    jouko@iki.fi
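A defender-side check that follows from the advisory above, added here as an example and not part of the original post or Jouko Pynnönen's code: it parses a raw HTTP reply and flags the condition the advisory describes, namely oversized values in both Content-type and Content-encoding. The 256-byte threshold and the two sample replies are assumptions constructed for the example (the advisory reports about 300 bytes as the triggering size).

```python
MAX_VALUE_LEN = 256  # assumed threshold; the advisory reports ~300 bytes as the trigger size

# Constructed sample replies (not captured traffic). The second mirrors what the
# advisory's urlmon-bo.cgi would emit once a web server prepends a status line.
BENIGN_REPLY = (b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
                b"Content-Encoding: gzip\r\nContent-Length: 0\r\n\r\n")
OVERSIZED_REPLY = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-type: " + b"A" * 300 + b"\r\n"
                   b"Content-encoding: " + b"A" * 300 + b"\r\n\r\n")


def parse_headers(raw: bytes) -> dict[str, str]:
    """Split the header block of a raw HTTP reply into {lowercased-name: value}.
    Folded continuation lines are appended to the previous header and repeated
    headers are joined with ', ', so the length check sees the full value."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    last = None
    for line in head.split(b"\r\n"):
        if line.startswith(b"HTTP/"):
            continue  # status line carries no header
        if line[:1] in (b" ", b"\t") and last is not None:
            headers[last] += " " + line.strip().decode("latin-1")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # blank or malformed line
        last = name.strip().decode("latin-1").lower()
        value_s = value.strip().decode("latin-1")
        headers[last] = headers[last] + ", " + value_s if last in headers else value_s
    return headers


def oversized_headers(raw: bytes, limit: int = MAX_VALUE_LEN) -> dict[str, int]:
    """Return {name: length} for the two fields whose values exceed `limit`."""
    h = parse_headers(raw)
    return {n: len(h[n]) for n in ("content-type", "content-encoding")
            if n in h and len(h[n]) > limit}


def matches_ms03_015_pattern(raw: bytes, limit: int = MAX_VALUE_LEN) -> bool:
    """The advisory's trigger needs BOTH fields oversized; one alone is merely suspicious."""
    return len(oversized_headers(raw, limit)) == 2


if __name__ == "__main__":
    for label, reply in (("benign", BENIGN_REPLY), ("oversized", OVERSIZED_REPLY)):
        print(label, oversized_headers(reply), matches_ms03_015_pattern(reply))
```

On a proxy or IDS this is the kind of rule that would have caught the reproduction files above before the reply reached an unpatched client; the real fix remains the MS03-015 patch.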