|
Brought to you by:
Suppliers of:
|
|
|
| |
When thinking about buffer overflow vulnerabilities, a file can sometimes be as harmful as a packet. Even though past security issues have taught us that it is unwise to use a string from a file/packet without first checking its length, this is what happened here.
HyperTerminal will save sessions as files with the extension of .ht that will contain the connection info for the current session. It is then possible to have the connection restarted by loading or executing the saved session file. Through the creation of a corrupt .ht file, it is possible to gain control of EIP and execute arbitrary code. |
| |
Credit:
The information has been provided by Brett Moore.
|
| |
It appears that a section of the heap, that is overwritten with the corrupt file, contains a lookup table that is later used through a CALL [ECX+374] instruction.
This allows for exploitation even on systems like XP SP2, as the stack/heap protection does not come into play.
Basic exploitation can be achieved through sending the target user the corrupt file. Once the file is opened, and HyperTerminal is closed any arbitrary code will be executed.
Remote exploitation through Internet Explorer can be obtained through the use of an iframe or other similar object to open a file from a public UNC share or through a 'coupled' browser exploit that saves the file to a known location before opening it. If HyperTerminal is the current default telnet handler, Internet Explorer will automatically open the corrupt file, leading to exploitation.
There did appear to be some URL manipulation that caused the \ character to be altered, preventing the use of the UNC share, but this filtering could be prevented by the use of another valid URL character.
Solutions:
- Install the vendor supplied patch available from: http://www.microsoft.com/technet/security/bulletin/MS04-043.mspx
- Remove the HyperTerminal application.
|
|
|
|
|
