Block OBJECT tag buffer overflow in MS Internet Explorer
| Attack ID: | CPAI-2003-20 |
| Publish Date: | |
| Category: | Remote Code Execution |
| Vulnerable Systems: | Microsoft Internet Explorer 5.01; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 6.0; Microsoft Internet Explorer 6.0 for Windows Server 2003 |
| Source: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0344 |
| Description: | A buffer overflow in MS Internet Explorer, caused by a failure to correctly perform a buffer space check on the 'Type' property of a specially crafted OBJECT tag, may allow a remote attacker to run arbitrary code on a user's machine. |
| Severity: | Successful exploitation leads to arbitrary code running on the user's machine, with the user's privileges. |
| Details: | The 'Type' property of the OBJECT tag, which is used to insert objects (ActiveX objects, for example) into HTML pages, is vulnerable to a buffer overflow. Exploitation can lead to a stack-based overflow, which may allow a remote attacker to run code on the user's machine with the user's permissions. Although the 'Type' property is subject to a buffer length check, the conversion of the character '/' into '_/_' (3 characters) is performed after that length check, so a specially crafted 'Type' property can still overflow the buffer. For example: <object type="[/x64]AAAAAAAAAAAAAAAA">Cooler Than Centra Spike</object> |
| Attack Detection: | Using the SmartView Tracker, identify either HTTP logs with "reason: Content Security - access denied" or SMTP logs with "reason: mail has been stripped" in the information field in addition to other connection parameters. |
| Solution: | Until all vulnerable Microsoft Internet Explorer browsers are updated with the latest recommended patches, security administrators should use the HTTP and SMTP Security Servers to strip ActiveX tags that users can reach through the browser or that arrive in HTML-based emails. Stripping ActiveX using the HTTP Security Server:
In a similar manner, since this attack might be exploited via HTML-based emails, it is recommended to block ActiveX content via the SMTP Security Server. Stripping ActiveX using the SMTP Security Server:
The complete resource definition depends on the network topology and security policy. |
| Industry Reference: | |
| Additional Information: | http://www.eeye.com/html/Research/Advisories/AD20030604.html Microsoft information: |
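The flaw described in the Details row is a check-then-expand bug: the length check runs on the raw 'Type' value, and only afterwards is each '/' rewritten as '_/_', so the expanded text can be up to three times longer than what the check approved. The following C program is an added illustration of that bug class and of the corrected check; it is not Internet Explorer's code and not part of the original advisory. The buffer size TYPE_BUF, the function names and the sample inputs are assumptions made for this example. The vulnerable variant is given a target inside a larger backing array so that the overrun is measured rather than corrupting the stack.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Internet Explorer's code): the check-then-expand bug
 * class from the Details row. A length check is applied to the raw 'Type'
 * value, and only afterwards is every '/' rewritten as "_/_" (3 bytes),
 * so the expanded text can exceed the buffer the check was meant to
 * protect. TYPE_BUF, the function names and the sample inputs are
 * assumptions made for this illustration. */

#define TYPE_BUF 32                 /* hypothetical fixed-size destination */
#define BACKING  (4 * TYPE_BUF)     /* slack so the demo overrun stays in bounds */

/* Bytes needed after '/' -> "_/_" expansion, excluding the terminating NUL. */
size_t expanded_len(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += (*in == '/') ? 3 : 1;
    return n;
}

/* Shared expansion loop: writes the expanded text plus NUL,
 * returns the number of bytes written (excluding the NUL). */
static size_t expand_into(const char *in, char *out) {
    size_t w = 0;
    for (; *in; in++) {
        if (*in == '/') { out[w++] = '_'; out[w++] = '/'; out[w++] = '_'; }
        else            { out[w++] = *in; }
    }
    out[w] = '\0';
    return w;
}

/* Vulnerable pattern: the only bounds check looks at the UNexpanded length.
 * Returns bytes written, or -1 if the (insufficient) check rejected the input. */
int expand_check_before(const char *in, char *out, size_t cap) {
    if (strlen(in) >= cap) return -1;   /* passes for any input shorter than cap */
    return (int)expand_into(in, out);   /* may write up to 3x that many bytes */
}

/* Fixed pattern: check the post-expansion length against the capacity. */
int expand_check_after(const char *in, char *out, size_t cap) {
    if (expanded_len(in) >= cap) return -1;  /* keeps room for the NUL */
    return (int)expand_into(in, out);
}

/* Drivers that give each variant a TYPE_BUF-byte target inside a larger
 * backing array, so an overrun can be measured instead of corrupting the
 * stack. Return value: bytes written, or -1 if the input was rejected. */
int run_check_before(const char *in) {
    char backing[BACKING] = {0};
    return expand_check_before(in, backing, TYPE_BUF);
}

int run_check_after(const char *in) {
    char backing[BACKING] = {0};
    return expand_check_after(in, backing, TYPE_BUF);
}

/* 1 when the vulnerable variant wrote past its declared capacity
 * (cap bytes hold at most cap-1 characters plus the NUL), else 0. */
int overruns(const char *in) {
    int w = run_check_before(in);
    return w >= (int)TYPE_BUF;
}

/* Constructed inputs: a benign MIME type, and a value with 20 '/' characters
 * (24 bytes raw, which satisfies the pre-expansion check; 64 bytes expanded). */
static const char BENIGN[]  = "text/html";
static const char CRAFTED[] = "//////////" "//////////" "AAAA";

int main(void) {
    printf("benign : before=%d after=%d overrun=%d\n",
           run_check_before(BENIGN), run_check_after(BENIGN), overruns(BENIGN));
    printf("crafted: before=%d after=%d overrun=%d\n",
           run_check_before(CRAFTED), run_check_after(CRAFTED), overruns(CRAFTED));
    return 0;
}
```

For the benign input both variants write 11 bytes. For the constructed 24-byte input the pre-expansion check passes, the vulnerable variant writes 64 bytes into a 32-byte target, and the corrected variant rejects it because it measures the expanded length before writing.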