Results 1 to 2 of 2

Thread: Buffer overflow in Internet Explorer's HTTP parsing code

  1. #1
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002

    Buffer overflow in Internet Explorer's HTTP parsing code

    Buffer overflow in Internet Explorer's HTTP parsing code

    The code used in Microsoft Internet Explorer to parse web servers' HTTP
    replies contains a buffer overflow vulnerability. Specifically the faulty
    code is located in URLMON.DLL. A malicious user may exploit this
    vulnerability to execute arbitrary code on an IE user's system.


    HTTP is the protocol used in communication between web servers and web
    browsers. When a web page is viewed, the browser sends a HTTP request to
    the server in question. The server then sends a HTTP reply which usually
    contains the web page the browser requested. In addition to the
    document body which is shown to the user, the HTTP reply contains some
    header fields which e.g. specify how the document should be presented to
    the user.

    Due to missing or insufficient input validation, a buffer overflow
    takes place in Internet Explorer when it receives a HTTP reply
    with excessively long values in certain header fields. A buffer placed
    on stack gets overrun and a malicious reply may overwrite data,
    including the subroutine's return address, and thus direct the program
    execution to an arbitrary address. The vulnerability is a traditional
    stack-based buffer overflow and relatively easy to exploit.

    This vulnerability can be used by an attacker to run any code in the
    system of the victim viewing a special web page with Internet Explorer or
    reading mail with Outlook or Outlook Express. More details will be
    published later.


    The vendor was informed about the bug on March 16, 2003. Microsoft has
    classified this vulnerability as critical and published a bulletin
    and patch correcting the issue. These are available at


    The information in the "Mitigating factors" section of Microsoft's
    bulletin claiming that this vulnerability isn't exploitable by e-mail
    borne attacks is incorrect. Test exploits have been produced for
    WWW, Outlook, and Outlook Express attack scenarios. In each of the
    cases, the exploit code runs without further user interaction on the
    victim system. Furthermore, no e-mail attachments or any kind of
    scripting are needed since the attack can be carried out via a standard
    HTML. In fact merely starting the e-mail program can lead to exploitation
    because (depending on configuration) it may automatically open the first
    new message.


    The vulnerability was discovered by Jouko Pynnönen of Oy Online Solutions
    Ltd, Finland. It was demonstrated on 25th April at Kontakti.net's
    "Tekninen Tietoturva" seminar in Helsinki.

    Jouko Pynnonen Online Solutions Ltd Secure your Linux -
    jouko@solutions.fi http://www.solutions.fi http://www.secmod.com
    yeah, I\'m gonna need that by friday...

  2. #2
    Join Date
    Mar 2003
    As this buffer overflow afects IE, other programs than Outlock and Explorer can be used to exploit the fault.

    By example Windows Media Player, Real Audio. This programs have now the plugin to browse the internet using IE. So a specialy designed site can use the Media Players to exploit the fault. Using addesses like www.cnn.com@my_evil_site.com/fake_news.html


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts