Bugtraq mailing list archives
MS IE FTP Folder Shell Extension Buffer Overflow
From: s.hird () STUDENT QUT EDU AU (s.hird () STUDENT QUT EDU AU)
Date: Mon, 9 Aug 1999 08:36:29 -0000
I recently discovered an error in the way the FTP Folder shell extension for IE5 handles long folder names. Although the full impact is yet unknown, its quite possible there could be a similar security risk to the past 'res://' issue. To evalute the full risk of the bug, and potential to exploit, further investigation is required, and I unfortuantly don't have the time or patience to debug/dissassemble/trace etc the code, so I am making it publicly available for those that do. The bug/exploit essentially involves passing a long directory name to CWD to the FTP Folder extension when connected to an existing site. In tests this was possible either by simply including it in a HREF, ie, a href="ftp://ftp.microsoft.com/%90%90longstring" /a. It was also proved possible to trigger the fault by having long directory names on the server itself, and following the directories until the buffer overflowed. Actually this is how the bug was discovered, by browsing an FTP site where someone had attempted to exploit the recent WsFTP bug with long directory names. (site not included here) An interesting point with triggering the fault this way is that the stack dump contains part of the URL in Wide Char format, although as stated, it hasn't been fully investigated and whether or not this is significant is unknown. As 'FtpWebView' is 'safely scriptable' it may also be possible to exploit the bug through ActiveX or other means as well, although this hasn't been looked into. I have managed to trigger the fault at various addresses. In SHELL32.DLL v 4.72.3110.6 @7FCE2373 In MSIEFTP.DLL v 5.00.2014.209 @71211EE9 @71215C92 @712121D8 @71215BE6 This last address is interesting, it appears to be code which is called when an invalid/not existing directory is attempted to CWD to, at this address is the following code; mov edx, [eax] lea [ebp][0FFFFFA4C] push edi push ecx push eax call [edx + C] <-- possible call to code. and eax seems to be loaded with a seemingly random value when the fault occurs. If EAX is somehow controlled, or happens to be our magic value, I assume running arbitary code is quite possible, as the url is decoded and stored in binary format in memory, although I am unsure as CS <> SS, and I'm not sure exactly where in memory it is stored. So, buffer overflow experts are welcome to investigate this further, and please, feel free to send me any comments or findings. Shane.
Current thread:
- Cisco 675 password nonsense DeMoNx (Jul 31)
- Re: Cisco 675 password nonsense Brian Elfert (Aug 03)
- Re: Cisco 675 password nonsense Dave Dittrich (Aug 06)
- Microsoft Security Bulletin MS99-027 Microsoft Product Security Response Team (Aug 06)
- Re: Cisco 675 password nonsense Brian Elfert (Aug 06)
- Microsoft Security Bulletin (MS99-027) Aleph One (Aug 06)
- Re: Cisco 675 password nonsense Signal 11 (Aug 07)
- Remote DoS of WebTrends Enterprise Reporting Server rpc (Aug 08)
- sdtcm_convert Joel Eriksson (Aug 08)
- NetBSD Security Advisory 1999-011 Ross Harvey (Aug 08)
- MS IE FTP Folder Shell Extension Buffer Overflow s.hird () STUDENT QUT EDU AU (Aug 09)
- [jen () ettnet se: sdtcm_convert] Joel Eriksson (Aug 09)
- Bay Annex-Pri Privacy Issues lumpy (Aug 09)
- Re: Bay Annex-Pri Privacy Issues Eric Vyncke (Aug 10)
- Re: Bay Annex-Pri Privacy Issues Dick St.Peters (Aug 11)
- Re: Cisco 675 password nonsense Dave Dittrich (Aug 06)
- Re: Cisco 675 password nonsense Brian Elfert (Aug 03)
- <Possible follow-ups>
- Re: Cisco 675 password nonsense Francis Bodie (Aug 03)
- Cisco 675 password nonsense jobe smithe (Aug 09)