[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 97/04 - Two iDefense Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----


- - ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 97/04 dated 01.03.04  Time: 14:40  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- - ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- - ----------------------------------------------------------------------------------

Title
=====
Two iDefense Security Advisories:

1. WinZip MIME Parsing Buffer Overflow Vulnerability.

2. Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass.



Detail
====== 

1. Exploitation of a buffer overflow vulnerability within a parameter parsing routine 
of WinZip Computing Inc.'s WinZip Archive Utility for Windows allows remote attackers to execute arbitrary code.

2. Exploitation of an access validation error within Microsoft Corp.'s Internet Explorer web browser allows remote attackers to bypass the restrictions imposed on cross frame 
scripting.



1.

WinZip MIME Parsing Buffer Overflow Vulnerability

iDEFENSE Security Advisory 02.27.04a: http://www.idefense.com/application/poi/display?id=76&type=vulnerabiliti
es
February 27, 2004

I. BACKGROUND

WinZip is an archiving utility for the Microsoft Windows platform featuring built-in support for CAB files and for popular Internet file formats such as TAR, gzip, UUencode, BinHex, and MIME. ARJ, LZH, and ARC files are supported via external programs. More information is available at http://www.winzip.com.

II. DESCRIPTION

Exploitation of a buffer overflow vulnerability within a parameter parsing routine of WinZip Computing Inc.'s WinZip Archive Utility for Windows allows remote attackers to execute arbitrary code.

The problem specifically exists in the UUDeview package which is used to support various decoding routines. When providing long strings to certain parameters of MIME archives (.mim, .uue, .uu, .b64, .bhx, .hqx and .xxe extensions) WinZip will crash referencing an "internal error in file misc.c line 132". Analysis of the log file created by WinZip upon crash reveals that exploitation is plausible:

    Return address = 0041a923
    Return address = 0044c06c
    Return address = 41414141

Further analysis reveals that WinZip is crashing due to an invalid reference at the following instruction:

    0049c332: mov dword ptr [ecx+08], edi

Both the ecx and edi registers in the above instruction are user controllable allowing an attacker to craft a MIME archive that upon opening will execute arbitrary code.

III. ANALYSIS

Successful exploitation requires that an attacker convince a target user to open a malicious MIME archive. The target user must have a vulnerable version of WinZip installed which by default includes a handler for the one of the vulnerable file types. Example methods of propagation include e-mail, web links and P2P software.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in WinZip 8.1 SR-1 (the latest stable version) and the latest beta release of WinZip 9.0. It is suspected that earlier versions are vulnerable as well.

V. WORKAROUND

User awareness is the best method of defense against this class of attack. Users must be wary when opening attachments or following links from untrusted sources.

Removal of the extension handler for vulnerable file types can prevent exploitation from double clicking on what may appear to be a harmless WinZip archive. This can be accomplished by opening Windows Explorer, selecting "Tools", then "Folder Options", selecting the "File Types" tab, scrolling to MIM and deleting the appropriate entry.

VI. VENDOR FIX

This issue has been addressed in WinZip 9.0, available at http://www.winzip.com/.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not yet been assigned.

VIII. DISCLOSURE TIMELINE

January 13, 2004        Vulnerability acquired by iDEFENSE
February 9, 2004        Initial vendor notification
February 9, 2004        Initial vendor response
February 10, 2004       iDEFENSE clients notified
February 27, 2004       Coordinated public disclosure






2.  Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass

iDEFENSE Security Advisory 02.27.04b: http://www.idefense.com/application/poi/display?id=77&type=vulnerabiliti
es
February 27, 2004

I. BACKGROUND

Internet Explorer is a set of core technologies in Microsoft Windows operating systems that provide web browsing functionality. Further information is available at http://www.microsoft.com/ie/.

II. DESCRIPTION

Exploitation of an access validation error within Microsoft Corp.'s Internet Explorer web browser allows remote attackers to bypass the restrictions imposed on cross frame scripting.

The problem specifically exists due to invalid restrictions within the event handling routines of Internet Explorer. According to Microsoft Knowledge Base Article 167796
(http://support.microsoft.com/support/kb/articles/Q167/7/96.asp)
access between frames located on different domains should be restricted. However, it is possible to bypass this restriction by placing malicious JavaScript outside the defined frameset within the parent HTML and forcing the target frameset to maintain focus.

The example below will display the captured keystrokes from the iDEFENSE registration page in the status bar of the frameset.

<html>
<head><title>IE Cross Frame Scripting Restriction Bypass Example</title> <script> var keylog=''; document.onkeypress = function () {
    k = window.event.keyCode;
    window.status = keylog += String.fromCharCode(k) + '[' + k +']'; } </script> </head> <frameset onLoad="this.focus();" onBlur="this.focus();" cols="100%,*"> <frame src="http://www.idefense.com/register.jsp"; scrolling="auto"> </frameset> </html>

Keyboard events appear to be the only events that are leaked across framesets. The malicious JavaScript can monitor all keystrokes typed within the targeted frameset and could be used to transmit the keystrokes to a remote location. Such information leakage could include confidential information such as login credentials and credit card information. The technique does not require an attacker to replicate the functionality of a third party web site as the victim will be interacting with the real site.

III. ANALYSIS

Successful exploitation requires that an attacker convince a user to follow a link allowing for the target site to be contained within a malicious frame. A victim would be alerted to this attack by noticing an incorrect URL in the address bar or improper name on the SSL certificate. Therefore, chances of success can be greatly increased when combining exploitation of this vulnerability with the Internet Explorer URL Canonicalization Vulnerability (MS04-004). Successful exploitation allows an attacker to obtain confidential data, which could lead to further compromise.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Internet Explorer 5 and 6 running on Windows 2000 Professional and Windows XP Professional. Internet Explorer 5 running on Windows 98 is reported not to be vulnerable.

V. WORKAROUND

Website administrators can prevent exploitation of this kind on their own site by ensuring that the site is not encapsulated within a frameset. The following snippet of JavaScript can be utilized to accomplish this:

    if (top != self)
    {
        top.location=self.location;
    }

VI. VENDOR RESPONSE

Microsoft has not categorized this issue as a vulnerability. However, they have stated that a bug will be opened for the issue and the functionality will be changed in a future service pack. Their reasoning for this assessment is provided below.

"We've reviewed this issue and determined that it isn't itself a security vulnerability but could be used in a spoofing scenario.  In this particular spoofing scenario, similar to most spoofing attacks, a user must be enticed into providing personal information without verifying the identity of the Web site collecting the information. Generally, customers can protect themselves from these types of attacks by verifying that the Web sites they are providing information to are the actual Web sites they intend to interact with.  Specifically, to be protected from this spoofing attack, customers should take the following
steps:

 - First, verify that MS04-004 is installed.  This will make certain that customers have the most up-to-date IE.  Moreover, MS04-004 provides a fix that ensures customers can verify which Web sites they are visiting by simply viewing the address bar.

 - Second, and for customers who have not updated their computers with MS04-004, customers can double check the identity or legitimacy of the Web site they are viewing before inputting personal information by double clicking on the yellow padlock icon at the bottom right corner of the screen.  This will reveal the security certificate for the visited Web site and verify its identity.

Customers should review the best practices for safe browsing available at http://www.microsoft.com/security/incident/spoof.asp

And finally, as always, Microsoft recommends that all customers visit and follow the guidance on www.microsoft.com/protect"

iDEFENSE agrees with the technical aspects of the statement made by Microsoft. However, we feel that the issue outlined in this advisory can be exploited in such a way that would make it difficult for an end user mitigate the potential risk through visual inspection of the address bar. Potential avenues of attack include:

- - - Utilizing cybersquatted URLs similar to the target domain
- - - Creating the frameset in a popup window that uses scripting to avoid
  displaying the address bar
- - - Masking the true URL using the Internet Explorer URL Canonicalization
  Vulnerability (MS04-004 -
 
http://www.microsoft.com/technet/technet/security/Bulletin/MS04-004.asp)

The final avenue of attack presents the greatest risk given the fact that a patch for MS04-004 was only recently released (February 2, 2004).

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.

VIII. DISCLOSURE TIMELINE

February 4, 2004    Vulnerability acquired by iDEFENSE
February 10 2004    Initial vendor notification
February 10 2004    Initial vendor response
February 11, 2004   iDEFENSE clients notified
February 27, 2004   Public disclosure





For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- - ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of iDEFENSE for the information 
contained in this Briefing. 
- - ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- - ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQERNeopao72zK539AQHjeAP8DxkVlLiFT7w8/1Ju12XQCz1BjJaRncl7
aV9IXvbNVmZI3Srmeol9wFY2n8q1bSbQvhwRfXE3E24iV8TYxIpilyq9QyfsqmdA
+5G6HZS0geV3g5CPv4DIj3BQqKki4wZKpzCsRCw0oAp7zHacBWC3M/akpqVKTE3R
geYE+IWG3ZU=
=GwK4
-----END PGP SIGNATURE-----