NGSSoftware Insight Security Research Advisory

Name: Microsoft Internet Explorer Install Engine Control Buffer Overflow
Systems Affected: Microsoft Internet Explorer 5.x/6.x
Severity: High
Vendor URL: http://www.microsoft.com/
Author: Peter Winter-Smith [ peter@ngssoftware.com ]
Date of Public Advisory: 19th January 2004
Advisory number: #NISR19012005a
Advisory URL: http://www.ngssoftware.com/advisories/msinsengfull.txt
Reference: http://www.ngssoftware.com/advisories/msinsengdll.txt

Description
***********

All versions of Microsoft Windows, with Microsoft Internet Explorer, come
packaged with the Microsoft Active Setup/Install Engine components. These
components are marked as safe for scripting and can be invoked by default
from any basic web-page.

The Install Engine control has been found to be vulnerable to an integer
overflow, leading to a heap based buffer overflow which could allow an
attacker to run arbitrary code on a vulnerable system through a specially
crafted web-page or through a specially crafted HTML email if scripting is
enabled.

Details
*******

When calling the SetCifFile() method provided by the Active Setup Controls
ActiveX component 'asctrls.ocx', if the first parameter (the '.cab' file
name) is a string of a length in excess of about 2kb, an integer overflow
occurs when attempting to calculate the buffer space allowed for copying
the base url.

The vulnerable code path will only be executed if the 'BaseURL' property
has previously been set. The value stored as this property is the first
string which can be made to overflow the heap.

After the base url is copied into the buffer, the string which we have
provided as the cab file name is concatenated onto the end of our buffer
without any length checking, making it the second string which can
overflow the heap.

The vulnerable code is located within the Install Engine Control module
('inseng.dll') which is provided with the Active Setup Controls component,
both of which can be found in the 'System32' folder in the Windows
directory.

The vulnerable code can be seen below:

MOV EBX,DWORD PTR DS:[<&KERNEL32.lstrcpynA>]     ;  kernel32.lstrcpynA()

    ...

PUSH DWORD PTR SS:[EBP+C]                ; /String = Cab file name
AND BYTE PTR DS:[ESI],0                  ; |
CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA()

MOV ECX,822        ; Max buffer size
SUB ECX,EAX        ; Calculate remaining buffer space - integer overflow!

PUSH ECX                  ; /n = Unchecked value - remaining buffer space!
PUSH DWORD PTR SS:[EBP-8] ; |String2 = BaseURL property value
PUSH ESI                  ; |String1 = 0x822 bytes heap buffer
CALL EBX                  ; \lstrcpynA()

MOV EDI,DWORD PTR DS:[<&KERNEL32.lstrcatA>] ;    kernel32.lstrcatA()
PUSH inseng.66561C84         ; /StringToAdd = "/"
PUSH ESI                     ; |ConcatString = Our heap buffer
CALL EDI                     ; \lstrcatA()

PUSH DWORD PTR SS:[EBP+C]    ; /StringToAdd = Our Cab file name
PUSH ESI                     ; |ConcatString = Our heap buffer
CALL EDI                     ; \lstrcatA()

Fix Information
***************

Microsoft have released an update for Microsoft Internet Explorer which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx

A check for this vulnerability has been added to Typhon III, NGSSoftware's
advanced vulnerability assessment scanner. For more information please
visit the NGSSoftware website at http://www.ngssoftware.com/


About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware
have offices in the South of London and the East Coast of Scotland.
NGSSoftware's sister company NGSConsulting, offers best of breed security
consulting services, specialising in application, host and network
security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@ngssoftware.com