Slashdot Mirror
Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
There apparently is already a fix for this one installed on many machines. It's called IE6.
Do not mod parent down. He's pointing out text found in the article link. That is not flamebait.
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS
For example, in win2k/private/inet/mshtml/src/site/download/imgbm
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
Well it's not really the image file running the commands. It's the browser that is loading the image. The browser reads bad image data and gets overwritten.
It's no hoax.
Smells like you shoud read some documentation on buffer overflow techinques. Of course image files cannot run commands, but you can do some nice tricks if the program that is loading the file fails to check where the data is loaded. If the data is bigger than the allocated space, you can garble the stack in some funny way and actually craft a picture that gets to be executed (in some parts at least). Of course, doing something other that crashing the process is NOT easy, but...
That wouldn't work in this case. Overflowing a signed integer so that it wraps around to negative won't be picked up by checking if the value is greater. Using the correct datatype (unsigned int) would have been better.
(in fact, looking at the code snipped in the vulnerability notification, they do check against Offset > size of buffer)
"When I grow up, I want to be a weirdo"
a)The jpeg virus "hoax" was down to IE interpretting a jpeg as a VBS file. That's perfectly normal - if you name a shell script "harmless_image.jpeg", provided the shell sees the #!/usr/bin/shell line, then it's going to see a script and execute it as such.
b)You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work it's way back up the stack then you could convince mouse gestures to execute commands.
The guy sent mail to securityfocus telling them that there was a hole in windows, he did not spread any virus or use this code malisously. SecurityFocus then published this info, if anyone SecurityFocus is the most liable, though I don't believe either should be.
IIRC early Apple computers actualy had a memory location called "MonkeyLives" or something like that, which was used for a program they called the monkey. The monkey program randomly entered commands and clicks and such for as long as the program was running. The problem was, sometimes it would shutdown the computer (by executing a shutdown, not by crashing it) so they created a memory location that when shutdown was called, it first checked that location to see if the monkey program was running, and would cancel the shutdown if it was.
T Money
World Domination with a plastic spoon since 1984
On the off-chance that you aren't kidding, that is how Freenet works - it creates a HTTP server on your computer and you use your web browser to talk to it.
- Somebody,
- please, monitor this bug (or teach me how to monitor it)
Use this linkThen use this one.
-- @rjamestaylor on Ello
to send them a patch for it before they release one :)
if i had the time to fetch copy of the code, i'll do it myself...
There's a lot of fakes floating around, but if you want the source here's the one for w2k.
8 20 7|34BB9F3A3E8D3E0C4490A96EC30B9F3C|/
31,000 files of exploitable goodness!
ed2k://|file|windows_2000_source_code.zip|21374
Windows OTOH is a 6 month turnaround or more and your controlled by an entity whos decisions are based around profitability. If its more profitable to keep an exploit open on a O/S and get some nice contracts with some Anti-Virus companies for another couple months, then thats cool - unfortunately for the luser - this is a no win situation, and they have absolutely NO control over their computer.
Not to mention the risk admins take when applying patches, which can disable apps or change bug behaviors that critical apps wrongfully rely on. Not to mention either that historically service packs have not been 100% reliable to boot.
The sad thing is, you can be a perfectly good, clued person stuck with admining critical functions on M$ boxes (that you inherited based on decisions you had no influence over), and let patches sit for weeks or months waiting for others to try them out. Security patches included, since M$ is so spaghetti that one security fix can break or alter behavior in other areas nearly nondeterministically. Luckily, I've never had to worry personally about a windows box for my job security: in the cases I may have had to do so I've been able to build lower-cost and higher-function/reliability OSS solutions and sleep soundly at night.
There's a reason why they're called 'Suicide Packs' by those poor souls whose jobs rely on M$ stability and security...
Besides giving you a more secure feeling, Opera's features will show you that IE is an uninspired lump.
Come on, who keeps modding this stuff as insightful? It's been beaten to death. Personally I don't agree with the conspiracy theory but that's irrelevant. This was mentioned many times in the first article
8 186 6 149 7 608 6 723 2 805
1 595 0 866 0 862
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
http://slashdot.org/comments.pl?sid=96614&cid=826
and the follow-up article
http://slashdot.org/comments.pl?sid=96732&cid=827
http://slashdot.org/comments.pl?sid=96732&cid=827
http://slashdot.org/comments.pl?sid=96732&cid=827
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
You can read all the details on Monkey Lives here.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Here's the comment link.
Here's a nice supporting example for you: One of my buddies brought up a machine, got a DHCP response from the wrong place, and got railroaded to some site that looked like it was selling knives, instead of windows update. Turned out it was a page with a DSO exploit in it, and he got owned, had to reinstall the box. (And go track down the bozo advertising bad DNS in his DHCP.) It was ye olde DSO exploit. So someone installing (for whatever reason) something with IE5 can be taken over quite ruthlessly, especially since all you need do is show them an image.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Go to the link to the article and search for "BMP". You'll find it.
Well, the first google search result for '"redhat 7.3" security update' yields: this link where a security bug in 7.3 is patched. That bug fix was released less than 15 days ago, so it seems like it still gets support.
I appears to come from the Fedora team.
It doesn't hurt to be nice.
Fair enough. In the future, how about a link to the comment like this?
You should use AdiumX on your Mac.
You could always check out the google Zeitgeist.
:)
http://www.google.com/press/zeitgeist.html
Down in the middle of the page, it shows a graph that depicts MSIE 6.0 to be the dominant browser in nice clear red ink.
$ grep -ir " don't care " linux-2.6.2/ | wc -l 169 Had to try it, though it does not telle us anything about how weell written the code is.... does it?
Actually, 5.5 appears to be vulnerable. I loaded the BMP and BOOM! it crashed.
I see lots of posts here from people saying "Just upgrade to IE6.1. The problem is that there are lots of people out there that can't or won't.
(1) There folks still running Win95 that are stuck. They've got an old Pentium 166, and have no legitimate way to upgrade to Win98. Have you see upgrade copies available in the last couple of years? Sure they can find a copy on ebay, but lots of these folks would never think of that.
(2) There are folks with Dial-up who didn't want to tie up their phone lines downloading the beast. These folks should definately do it now, but they haven't had a really compelling reason.
(3) They may not know how. "Windows Update, what's that?"
I do lots of work for clueless users, and trust me, their are PLENTY of IE5 boxes out there.
Mark
------- Mark
http://www.cs.berkeley.edu/%7Eushankar/research/pe rcents/index.html
I don't know why everyone is raving so much about the windows 2000 code. The NT4 code that leaked is much more interesting, containing a lot of the networking and security code that the 2000 leak misses out.
.zip|241131483|7a8b8624a5014a3f2c586c813568be09|
ed2k://|file|windows_nt_4_source_code .zip|241131483|afcb4b1fd05ed574e2ee77618222621d|
.rar|1357906140|dba2a19a3c822837ad6ade3b7f178862|
A couple of links are here:
ed2k://|file|windows_nt_4_source_code
I have downloaded the first one. It contained a minor bit of corruption in the zip file. The second one may be more pure, but I don't know as I'm only 90% complete with that.
Though I have to say, the bugcodes.txt file in the windows 2000 archive was a fascinating read.
Also, I hear rumours that there is a longhorn source code leak out there. I noticed it was available on overnet, but with no sources available to me, I couldn't download any of it to check. Can anyone confirm?
ed2k://|file|windows longhorn build 4008 source code (partial)
I am still using Redhat 5. have custom software written by people who are no longer here and when it was upgraded to 7.3 it broke so I am still running 5.0 until we have the resorces to fix teh software.
I recommend reading Smashing the stack for fun and profit.
It's very informative.
Try this for a start.
Sorry about the busted links.
Click here for the Google Zeitgeist.
Click here just for the graph.
Unlike Linux which was born in the open and relies on inherently good code for security, MS went with the fallicy: security through obscurity. When I studied cryptography in university, I remember being told by many profs: "if your security relies heavily on people not figuring out the method, you get an F". Before RSA commercialized, the Americans and Russians used it for security --using the product of two large prime numbers as an exponent in a function that can encrypt/decrypt a message. The Americans know the Russians use it, and the Russians know the Americans use it. The method isn't a secret, the security lies in the difficulty of factoring large prime numbers. And (as one of my crypto texts explained) "If someone tried to create a database of all primes 512 bits or less in length, you couldn't do it, for if you could create a hard drive that could store 1 gigabyte of data on 1 gram, the list of primes (there are 10^151 of them) would require a hard drive whose weight would exceed the Chandrasekhar limit and collapse into a black hole (and unless you come up with a unique way of getting the data past the event horizon), you are hooped. Relying on the 5 year old 'I've got a secret' method of security works really well if you're 5 years old. A survey of 5 year olds agree "Security through obscurity works". 6 year olds weren't so sure. 10 year olds refuted the study. Microsoft was unavailable for comment.
Win NT 4.0 Source:a sh=66a26447f563c3dc2336de74ae37dc14d11dd8b9
a sh=f03fc1e04869294d5644d3c8c5d0fb8f2d26aa59
http://torrent.spyderlake.com/download.php?info_h
Win 2000 Source:
http://torrent.spyderlake.com/download.php?info_h
Perhaps if some of Microsoft's code finds its way into Linux (accidently), then Microsoft can sue the living daylights out of opensource? They have the financial resources to do so. Imagine, the next killer app for linux: Windows NT (code). It just may legally "kill" Linux in the same was SCO would like to. What can be done to ensure that this code is kept out of opensource projects? That would be a mess.
I would (and do) use the Fedora legacy project.
1.8 Internet Explorer Is Updated with the Service Pack Microsoft Internet Explorer (IE) version 5.01 is now updated only when you install a Windows 2000 service pack, in accordance with the Microsoft support strategy. Windows 2000 SP3 includes all of the fixes released in IE 5.01 with Service Pack 2, plus additional security and functionality fixes that apply to IE and Microsoft Outlook(R) Express version 5.01. For more information about these fixes, see article Q320853, "List of Bugs Fixed in Windows 2000 Service Pack 3," in the Microsoft Knowledge Base.
-- Argel
Please read the original post I was responding to, which states:
I'm not going to respond to each response with the same message, so here it is:
The IE situation is the worst. You probably have no choice but to upgrade. In this case you can probably download IE 6 for free, but for other exploits you may have to pay for a newer version of Windows. Hear me, it's the worst.
The open source situation is better. You at least have the source, and at the worst case can go patch it yourself or pay somebody to patch it. Some investment in time or money can enable you to stay with an older version to avoid upgrading.
However, open source doesn't solve all the problems. If there's no volunteer to keep an old version patched, then there's some cost on your part if you don't want to upgrade. Upgrading, on the other hand, contains some risks (which may translate to cost as well). For one, the new features may contain new exploits.
Which is why I wrote that insisting on running Red Hat 5.0 may be expensive, even though it's open source. It's entirely possible (which is good, and better than IE or Windows), because you have source, but it may not be viable, despite having the source.
Somebody brought up Debian. Yes, Debian maintains an excellent stable distribution. However, not even Debian volunteers patch every old version. At some point, "testing" becomes "stable" and the old "stable" will be left to rot. If you insist on running the old one, then your personal TCO will increase significantly.
And now the obvious conclusion: not even open source can make not upgrading a viable option forever. At some point (obviously at different points for Windows compared to Red Hat Linux) it's cheaper to upgrade. That's all I'm saying.
This is completely off topic from the parent post. But THE LINKED ARTICLE CONTAINS SOURCE CODE FOR WINDOWS.
The Slashdot editors should remove the link immediately. Its really dangerous to have on the front page of this site.
if the code was open from the start, how long would this flaw have lasted?
Umm, probably about as long as the flaws in sendmail and bind?
Open source is not a panacea, those two packages alone have accounted for more Internet carnage than any bug in an MS product. And they were open source, full of bugs, and no-one fixed them.
See, this "many eyes" argument only works if many eyes are looking at the code, whereas in practice everyone assumes that everyone else is, so they don't need to worry about it.
It is also worth noting that the source of the leak was traced to a Linux box at a company called MainSoft, who licensed the code to write their cross-platform toolkit MainWin.