Bugtraq mailing list archives

MS IE FTP Folder Shell Extension Buffer Overflow

From: s.hird () STUDENT QUT EDU AU (s.hird () STUDENT QUT EDU AU)
Date: Mon, 9 Aug 1999 08:36:29 -0000


I recently discovered an error in the way the FTP Folder 
shell extension for IE5 handles long folder names. Although 
the full impact is yet unknown, its quite possible there 
could be a similar security risk to the past 'res://' 
issue. To evalute the full risk of the bug, and potential 
to exploit, further investigation is required, and I 
unfortuantly don't have the time or patience to 
debug/dissassemble/trace etc the code, so I am making it 
publicly available for those that do.

The bug/exploit essentially involves passing a long 
directory name to CWD to the FTP Folder extension when 
connected to an existing site. In tests this was possible 
either by simply including it in a HREF, ie, a 
href="ftp://ftp.microsoft.com/%90%90longstring"; /a. It was 
also proved possible to trigger the fault by having long 
directory names on the server itself, and following the 
directories until the buffer overflowed. Actually this is 
how the bug was discovered, by browsing an FTP site where 
someone had attempted to exploit the recent WsFTP bug with 
long directory names. (site not included here) An 
interesting point with triggering the fault this way is 
that the stack dump contains part of the URL in Wide Char 
format, although as stated, it hasn't been fully 
investigated and whether or not this is significant is 
unknown.

As 'FtpWebView' is 'safely scriptable' it may also be 
possible to exploit the bug through ActiveX or other means 
as well, although this hasn't been looked into. I have 
managed to trigger the fault at various addresses.

In SHELL32.DLL v 4.72.3110.6

@7FCE2373

In MSIEFTP.DLL v 5.00.2014.209

@71211EE9
@71215C92
@712121D8
@71215BE6

This last address is interesting, it appears to be code 
which is called when an invalid/not existing directory is 
attempted to CWD to, at this address is the following code;

mov   edx, [eax]
lea   [ebp][0FFFFFA4C]
push  edi
push  ecx
push  eax
call  [edx + C] <-- possible call to code.

and eax seems to be loaded with a seemingly random value 
when the fault occurs. If EAX is somehow controlled, or 
happens to be our magic value, I assume running arbitary 
code is quite possible, as the url is decoded and stored in 
binary format in memory, although I am unsure as CS <> SS, 
and I'm not sure exactly where in memory it is stored. So, 
buffer overflow experts are welcome to investigate this 
further, and please, feel free to send me any comments or 
findings.

Shane.

Current thread:

Cisco 675 password nonsense DeMoNx (Jul 31)
- Re: Cisco 675 password nonsense Brian Elfert (Aug 03)
  - Re: Cisco 675 password nonsense Dave Dittrich (Aug 06)
    - Microsoft Security Bulletin MS99-027 Microsoft Product Security Response Team (Aug 06)
    - Re: Cisco 675 password nonsense Brian Elfert (Aug 06)
    - Microsoft Security Bulletin (MS99-027) Aleph One (Aug 06)
    - Re: Cisco 675 password nonsense Signal 11 (Aug 07)
    - Remote DoS of WebTrends Enterprise Reporting Server rpc (Aug 08)
    - sdtcm_convert Joel Eriksson (Aug 08)
    - NetBSD Security Advisory 1999-011 Ross Harvey (Aug 08)
    - MS IE FTP Folder Shell Extension Buffer Overflow s.hird () STUDENT QUT EDU AU (Aug 09)
    - [jen () ettnet se: sdtcm_convert] Joel Eriksson (Aug 09)
    - Bay Annex-Pri Privacy Issues lumpy (Aug 09)
    - Re: Bay Annex-Pri Privacy Issues Eric Vyncke (Aug 10)
    - Re: Bay Annex-Pri Privacy Issues Dick St.Peters (Aug 11)
- Re: Cisco 675 password nonsense The Tech-Admin Dude (Aug 03)
- <Possible follow-ups>
- Re: Cisco 675 password nonsense Francis Bodie (Aug 03)
- Cisco 675 password nonsense jobe smithe (Aug 09)