
Buffer Overrun In HTML Converter Could Allow Code Execution

Attack ID: CPAI-2003-25
Publish Date:
Category: Remote code execution
Vulnerable Systems: Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Me
Microsoft Windows NT 4.0 Server
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Source: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0469
Description: A specially crafted <HR> HTML tag may cause the HTML converter on Windows operating systems to crash and possibly execute arbitrary code.
Severity:
  A successful exploit may lead to arbitrary code running on the user's machine with the user's privileges.
Details: A crafted <HR> HTML tag with an overlong 'align' attribute may cause the Windows HTML converter (HTML32.cnv) to crash and run arbitrary code.

An exploit may use a script action within Internet Explorer to paste the malformed HTML into the clipboard, where it is then processed by the vulnerable converter.

It may also be exploited via HTML-based emails.

Attack Detection:
Solution:
  1. Use FireWall-1 HTTP Security Server to strip SCRIPT tags from HTTP traffic
    1. Define a HTTP (URI) resource that blocks SCRIPT tags
    2. In the URI resource -> Action tab, check 'Strip SCRIPT Tags' from the available HTML weeding options
    3. The rule looks like the following:
      • SRC=Surfers_LAN, DST=ANY, Service=Resourced HTTP (URI), Action=Accept and log.
  2. In a similar manner, since this attack might be exploited via HTML-based emails, it is recommended to block HTML content as well as HTML attachments via the SMTP server
    1. Define an SMTP resource that blocks HTML MIME
    2. In the SMTP resource -> Action2 tab, in the 'Strip MIME of type' write: '{message/partial, text/html, text/webviewhtml}'.
    3. In the SMTP resource -> Action2 tab, in the 'Strip file by name' write: '{*.htm, *.html, *.htt, *.stm, *.xsl}'
    4. The rule looks like the following:
      • SRC=Any, DST=Incoming SMTP Servers, Service=Resourced SMTP, Action=Accept and log
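As an added illustration (this is not Check Point's or Microsoft's code, and it is not part of the original advisory), the following Python script reproduces the intent of both parts of the solution on a host or mail gateway: a check that flags <HR> tags whose 'align' value is far longer than any legitimate value, and a MIME filter that strips parts by content type and by attachment name using exactly the lists from the SMTP resource above. The length threshold MAX_ALIGN_LEN and the sample message are assumptions and constructed inputs, not values from the advisory.

```python
"""Defender-side checks mirroring this advisory's mitigations (added example,
not Check Point's or Microsoft's code).

 - find_overlong_hr_align(): flags <HR> tags whose 'align' value is far
   longer than 'left', 'center' or 'right'. The threshold is an assumption;
   the advisory states no specific length.
 - strip_html_from_message(): drops MIME parts by content type and by
   attachment filename, using the lists from the SMTP resource above.
"""
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Lists taken from the advisory's SMTP resource settings.
STRIP_MIME_TYPES = {"message/partial", "text/html", "text/webviewhtml"}
STRIP_FILE_GLOBS = ("*.htm", "*.html", "*.htt", "*.stm", "*.xsl")

# Assumed threshold: legitimate align values are a few characters long.
MAX_ALIGN_LEN = 64

_HR_TAG = re.compile(r"<\s*hr\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_ALIGN_ATTR = re.compile(
    r"""\balign\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def find_overlong_hr_align(html: str, max_len: int = MAX_ALIGN_LEN) -> List[int]:
    """Return the length of every <HR> 'align' value longer than max_len."""
    hits = []
    for tag in _HR_TAG.finditer(html):
        match = _ALIGN_ATTR.search(tag.group(1))
        if match is None:
            continue
        # Exactly one of the three quoting alternatives captured the value.
        value = next(v for v in match.groups() if v is not None)
        if len(value) > max_len:
            hits.append(len(value))
    return hits


def _strip_reason(part: EmailMessage) -> Optional[str]:
    """Reason to drop this part under the SMTP resource rules, else None."""
    ctype = part.get_content_type()
    if ctype in STRIP_MIME_TYPES:
        return f"content type {ctype}"
    name = part.get_filename()
    if name and any(fnmatch.fnmatch(name.lower(), g) for g in STRIP_FILE_GLOBS):
        return f"attachment name {name}"
    return None


def _filter_parts(container: EmailMessage, removed: List[str]) -> None:
    """Recursively rebuild a multipart container without the stripped parts."""
    if not container.is_multipart():
        return
    kept = []
    for part in container.get_payload():
        reason = _strip_reason(part)
        if reason is not None:
            removed.append(reason)
            continue
        _filter_parts(part, removed)
        kept.append(part)
    container.set_payload(kept)


def strip_html_from_message(raw: bytes) -> Tuple[EmailMessage, List[str]]:
    """Parse a raw message, apply the strip rules, return (message, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    if msg.is_multipart():
        _filter_parts(msg, removed)
    else:
        reason = _strip_reason(msg)
        if reason is not None:
            removed.append(reason)
            # A single-part HTML message: replace the body with a notice.
            msg.set_content("Body removed by mail policy.")
    return msg, removed


def leaf_content_types(msg: EmailMessage) -> List[str]:
    """Content types of the non-multipart parts that remain."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def build_sample_message() -> bytes:
    """Constructed test message: plain text, an HTML alternative, a .htm attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body")
    msg.add_alternative("<html><body><hr align=center>hi</body></html>", subtype="html")
    msg.add_attachment(b"<html></html>", maintype="application",
                       subtype="octet-stream", filename="notes.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    filtered, reasons = strip_html_from_message(build_sample_message())
    print("removed:", reasons)
    print("remaining parts:", leaf_content_types(filtered))
    print("overlong align values:", find_overlong_hr_align("<HR align='" + "A" * 200 + "'>"))
```

The filter removes the text/html alternative and the .htm attachment from the constructed message and leaves only the text/plain part; the tag check returns the lengths of any offending align values so a gateway can log them alongside the stripped-part reasons.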
Industry Reference:
Additional Information:

Microsoft Advisory (includes a patch for all vulnerable operating systems)
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-023.asp

CERT Advisory
http://www.cert.org/advisories/CA-2003-14.html