Slashdot Mirror
Exploit Based On Leaked Windows Code Released
mischief writes "A post to Bugtraq from SecurityTracker.com reports an Internet Explorer 5 exploit that has been released based on the Win2K code leak: 'It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.' Only affects IE 5 apparently, but still - it didn't take long!"
Oops... we just gave MS a chance to say keeping the source secret keeps flaws like this secret as well. :)
More proof that code who's source is open is less secure!
(trigger-fingered mods : thats a joke)
to fix it...
"/Dread"
Of course the bitmap is of a penguin! More ammunition for the M$ FUD campaign.
-m
#
# Modus Ponens
#
What the fuck in a bitmap renderer could overflow and cause such problems?
Fuck MSFT it's called bounds checking. e.g.
1. load int from char array
2. check int against sizeof(yourbuffer)
3. reject if greater
Not exactly a challenging task. I guess they're too busy adding in all that crapware to actually code at least one thing right.
Tom
Someday, I'll have a real sig.
Wouldn't it be interesting to see the patch come out later today, from an anonymous source!
I really hate signatures, but go to my website.
So, what is this... like the 10,000 IE security hole reported in the last couple years. Why write another IE virus? Is there really any challenge left?
Evolution or ID?
Just to those that couldn't get access to the source code. Some people with access before may have known about this for a while. Not that we'll ever know.
Microsoft just needs to get a copy of the leaked code and look it over for potential exploits.
:^)
Oh wait.
My old sig was REALLY stoopid.
An exploit this quick? There's going to be some serious happenings going on at Microsoft. Also look for another Longhorn delay sometime due to everything that is found out.
I'm not sure what to think. I'm not happy that when I get back to work this summer, I'm going to spend way too much time fighting these problems/viruses and patching things up. I'm not happy businesses are losing money. I am, however, happy that Microsoft is forced to clean up their act even more, or they are going to lose market share.
Open source isn't 'communistic' -- it's capitalistic. Why? It increases competition.
We have an interesting 6 months ahead of us, folks.
Berto
So I should be all set for the next 2 days until the next major security flaw is found.
Do not mod parent down. He's pointing out text found in the article link. That is not flamebait.
...if the code was open from the start, how long would this flaw have lasted?
If your theory is different from practice, then your theory is wrong.
"It's called IE6"
Weird... I would have sworn that it was called Windows XP.
-m
#
# Modus Ponens
#
This means that the exploit is so obvious that even a 14 year old can figure it out.
I for one am truly alarmed and cannot wait for Microsoft to start the repairs; but then again this is good news for MS programmers looking for OT.
And here I was thinking it was called Mozilla.
#define DRM chmod 000
Mine's called "Linux". Seems to fix a whole host of problems.
For the love of God, please learn to spell "ridiculous"!!!
It was only 15% of the source code which leaked out, yet it will show MS in the weeks to come just how the Open Source community operates. I forsee them working over time to provide updates to the numerious vulnerabilities which will arise due to the leaked code. This here is just one example. There were some what, 3 million lines of code in the leaked source. It is just a matter of time. Hopefully folks will report the vulnerabilities which they find, opposed to exploiting them.
My Thoughts, Kyndig
They can if the tool you use to open them is ridiculously poorly designed and permits buffer overflow (i.e. IE).
If your theory is different from practice, then your theory is wrong.
bigger than Linux, but there were a lot of people mirroring it and so
it didn't take long.
Anyway, I took a look, and decided that Microsoft is GAYER THAN AIDS
For example, in win2k/private/inet/mshtml/src/site/download/imgbm
offset. Now all we have to do is create a BMP with bfOffBits > 2^31,
and we're in. cbSkip goes negative and the Read call clobbers the
stack with our data.
See attached for proof of concept. index.html has [img src=1.bmp]
where 1.bmp contains bfOffBits=0xEEEEEEEE plus 4k of 0x44332211.
Bring it up in IE5 (tested successfully on Win98) and get
EIP=0x44332211.
IE6 is not vulnerable, so I guess I'll get back to work. My Warhol
worm will have to wait a bit...
PROPS TO the Fort and HAVE IT BE YOU.
If you were to embed myDoom after the overflow area in the bitmap then when outlook opened the file using ie's render could one have my doom that didn't even need to have the end user open the file? It would just execute replicate, then piss people all to hell? For that matter could I include the windows equivalent of rm -rf / ?
There is nothing wrong with being gay. It's getting caught where the trouble lies.
"In short, there is nothing really surprising in this leak. Microsoft does not steal open-source code. Their older code is flaky, their modern code excellent. Their programmers are skilled and enthusiastic. Problems are generally due to a trade-off of current quality against vast hardware, software and backward compatibility."
But this IE exploit shows that the author was wrong on at least one account:
"The security risks from this code appear to be low. Microsoft do appear to be checking for buffer overruns in the obvious places. The amount of networking code here is small enough for Microsoft to easily check for any vulnerabilities that might be revealed: it's the big applications that pose more of a risk. This code is also nearly four years old: any obvious problems should be patched by now".
-------
Warning: Slashdot may contain traces of nuts.
My feeling is that, in the context of preventing attacks, it's bad. With linux, discovery almost immediately leads to a fix cos it's the same volunteer community does the finding and the fixing, but Microsoft doesn't let the Bugtraqs of this world help. It's going to buckle under the strain of too many bugs at once.
:)
Of course, from the point of view of converting everyone to Linux, this can only be a good thing
For the love of God, please learn to spell "ridiculous"!!!
So does that mean that all the users that use outlook could also fall prey to this? Send out spam with image and if the outlook user has auto preview on, which they probably do they now can be exploited by whatever code. That would be an interesting concept that would lead to alot of trouble. Sure IE5 is old...but lots of people still use it.
Well it's not really the image file running the commands. It's the browser that is loading the image. The browser reads bad image data and gets overwritten.
It's no hoax.
a specially crafted bitmap file
.jpeg .gif and .tiff
Good thing all thoes Goatse pictures where in
The More Knowledge you have the Luckier you Get- J.R. Ewing
No system is 100% secure be it Windows or Linux.
When people have access to the source they can more readily find exploitable mechanisms in your code. This is a GOOD thing because you want to know that your system is exploitable, how it is exploitable, and (which is the case in many open projects) how to prevent that exploit.
Any form of content (not just scripts and ActiveX controls) can be used to exploit a weakness in a system. A security strategy that involves simply filtering content is a weak one.
The open source community can be a powerful friend to any organization willing to take the chance on their code being available to others.
According to my logs 20 - 30%* of the people browsing with IE are still using 5.x.
I know, UAs get faked all the time...
* Depends on which site you look at.
I'm a bit confused.
:p
I mean, I've been doing C for almost 20 years. One of the first lessons I learned --And not for 'security' so much as crash free programs-- was not to do such things.
I mean, holy crap, it's too damn simple to see the bug. What kindof idiots do they have working at MS?
"The Very Best Kind"
"...In your answer, ignore facts. Just go with what feels true..."
Whether it's finding exploits, bugs or whatever; anything that anyone does with it will eventually make Microsoft stronger. If it's a security problem they 'll fix it. Maybe Microsoft is trying to capture open source developers and their free services; I don't know.
What I don't want to see is Microsoft making improvements on their product based on this experience. I don't want to see as much as two adjacent assembler instructions from it end up in Linux.
If you want to do something constructive, run the 2.6 kernel and start making the supporting software more secure. Don't waste your time supporting losers like Microsoft who demand your money up front and then deliver whatever crap they feel like.
Just ignore it!
"Can there be a Klein bottle that is an efficient and effective beer pitcher?"
You really are going to try and blame this guy for "possibly [exposing] thousands of users to a root exploit"?
There are certainly other ways to go about reporting bugs (not that Microsoft will listen to any of them), but blaming the messenger for pointing out that the castle wall is full of holes is a bit misdirected if you ask me.
Cheers
~Dalcius
Rome wasn't burnt in a day.
You laugh, but I won't be the least bit surprised when this very logic finds its way to the receptive ears of less-than-tech-saavy corporate officers...
"Linux? Good god no, man! Didn't you see what happened when just a bit of the Microsoft source code got leaked? I thought you were up on these things!"
Obliteracy: Words with explosions
Smells like you shoud read some documentation on buffer overflow techinques. Of course image files cannot run commands, but you can do some nice tricks if the program that is loading the file fails to check where the data is loaded. If the data is bigger than the allocated space, you can garble the stack in some funny way and actually craft a picture that gets to be executed (in some parts at least). Of course, doing something other that crashing the process is NOT easy, but...
..that the "many eyes" tenet of open source really DOES work!
i wanted to post this in the first MS leak story, but oh well, here it is now.
/win2k/* | wc -l
$ grep -ir " don't care "
332
check it yourself
That was interesting to read. It made me wonder who the people are who come up with these exploits. This person is obviously very immature, but also very knowlegable about programming to spot something so quickly in so much code. The question is, is this a ridiculously knowledgable 13 year old, or a well-seasoned older programmer who has the social skills of a 13 year old?
It also shows that ms does their job.
.net or you don't programm at all. Its the price you pay for native compiled code and the main reason people are turning their backs on it.
When microsoft declared security as their main goal ie5 was the current browser. ie6 has it fixed so they obviously wen't trough their stuff to fix it.
Its very true that bounds checking errors are very easy to prevent but if you say its sloppy programming to have errors like this in your code you either work in java or
Burn some Live CDs to hand out to friends,
n ux
family, co-workers. Introduce them to Linux and
warn them of the dangers of LOOKING AT IMAGES
using Internet Explorer 5.0.
There are many good ones*. Personally I fell in
love with the Knoppix 3.4 c't edition with the
2.6 kernel -- using it gave me my first
experience of non-stuttering KDE with heavy
loads, looping MP3s and lots of useable features
(except detecting the Dell Inspiron 5150's on
board WiFi -- not Centrino).
Pick several, spend a few bucks on good CD-R
discs, make a nice label with "do exactly these
steps" instructions on the label.
It's not about world domination, it's about
stopping the theiving cracker spammers from
gaining more zombie Windows boxes to do their
bidding and ruin the Internet for the rest of us.
* start here:
http://www.google.com/search?q=live+cds+li
-- @rjamestaylor on Ello
a)The jpeg virus "hoax" was down to IE interpretting a jpeg as a VBS file. That's perfectly normal - if you name a shell script "harmless_image.jpeg", provided the shell sees the #!/usr/bin/shell line, then it's going to see a script and execute it as such.
b)You wouldn't think that an overly long PASS string sent to an ftp server would be able to execute commands - but it can. If you can overflow a buffer and force it to work it's way back up the stack then you could convince mouse gestures to execute commands.
I see this is good news in that there is going to be an ongoing stream of exploits in Windows. This is good news. Think of all of the boxes that will be broken in the next few months. I should mention that I make a living fixing Windows boxes. I also fix Mac and Linux - but there isn't really much money in fixing them.
Stay tuned for new sig...
I cant wait to read a whole thread of slashdot people saying "i told you so".
However, i feel bad for the "slashdot team" of the microsoft PR department. I doubt those guys will have presidents day off. They might even have to pay extra for an additional delivery of "bulk mod points".
You bastard! That's my IP address!!!
Did you hear about the image that kills your computer whenever you view it?
Maybe there's something that I'm misunderstanding here. You're suggesting that he's just a messenger -- nothing more? I completely disagree. This person posted an exploit. I'm not sure how it is where you're from, but from where I sit, posting an exploit is on an entirely different level from simply telling someone that their software is full of holes (including how and where).
To use your analogy, rather than being a messenger telling the king that his castle walls are full of holes, this is a little more like designing a weapon to destroy your castle walls, and posting the plans in every neighboring town (which somehow manage to automatically build the weapon, provided you have the right tools). All the recipients have to do is tell the device to build itself, point, and fire.
The point is that this guy was downright irresponsible and should be treated as such. Any sane king would have beheaded this person in a royal heartbeat.
-Turkey
Being that the code leaked was Windows NT 4.0 and
:) Didn't they originally clame they
2000 source codes, why are we seeing an issue
with IE 5.0? Just goes to prove how close the
browser was tied to the operating system.
On a cynical note, this only bolsters security through
obscurity.
had fewer bugs than open source competition?
With some 10% code or more leaked, there is quite
a bit more worry about their own peer-review process
or should I say lack of.
You have 'contaminated' me.
I will no longer be able to code a buffer reading algorithm with an overflow bug without violating Microsoft's IP.
I guess I shouldn't have lied about my certifcations during the interview...
sudo eat my shorts
It's getting the same kind of security review - but none of the feedback. No white hat wants to admit to MS that they've seen the code, and black hats wouldn't anyway. All this may end up doing is increasing the number of "submarine" exploits out there that hackers use for their own benefit, rather tahn making super-viruses that make the exploit famous.
Last post!
No one has yet posted a modified version of the goatscx photo that takes advantage of this security "hole".
Tuus crepidae innexilis sunt.
You didn't need the source code to find that problem. I found it because I was creating compressed .BMP files and accidentally created one that crashed Win2K every time.
If Microsoft doesn't read Slashdot, that's their problem.
By the way, does anyone know why the bitmap formap [sic] is writte [soc] upside down?
;)
It's an obscurity that provides extra security against exploits like buffer overflows.
Opinions on the Twiddler2 hand-held keyboard?
You say that as if it were unusual. ;)
http://alternatives.rzero.com/
It isn't all that difficult to narrow the search when looking for exploits like this. Its surprising (or maybe it isn't) that M$ never looked for them. At our shop, its common practice to detect dangerous code.
...
...then inspect the code for ways to read/write past the bounds. That narrows the search field quite a bit (ok, you'd miss arrays defined with #define symbols, but you'd catch the sloppy ones, which is what you want in the first place).
Just search for all stack arrays in the source...
$ egrep "\[[:digit:]+\]"
Combine a search as above with one for calls to strcpy(), strcmp(), sprintf(), [or any other C runtime/misc. function that fails to check input], and you have an even smaller lump of code to inspect.
So, the 13 year old wouldn't need extensive knowledge, just what you could glean from reading an article or two on buffer overflows. Still, I'd bet its a seasoned socially backward individual.
Anyway, good question to ponder.
Nobody knows how old the sourcecode actually is! Several people have used IE 5 and the exploit code does not work. The things in the code could have, and in this case, has, been fixed long ago!
You're seeing an example of one of the very few instances where goto is considered "acceptable" to use. Sometimes you code a function which winds up a lot of complicated state, and a failure halfway through requires that you "unwind" the partially constructed state. This is most easily accomplished by having a "bailout ladder" which can be jumped into (via goto) from various points in the code above.
The only other solution involves lots of code duplication, or very bizarre function calls such as CleanupMyState(&context, 6) which just ends up use a Duff's Device in a switch() statement to simulate the use of goto in precisely such a manner, anyway.
When you find that the cleanest way to do something is goto, then the solution is goto. What is the point in cortorting your code just to follow a piece of dogma that was only meant as a guideline anyway? Remember, the point is clarity, not adherence to dogma.
I wish that I would of thought have that.
:)
It could of been me that was modded insightful for of-ing no grammatical skills.
Well, you know the old saying... birds have a feather, etc.
Of a nice day!
i dont see why everone is going crazy over this exploit. i mean really... microsoft actually has already done something about this... its called get the NEW version of IE. Don't get me wrong, I am a big open source supporter, but seriously... oss would have made no difference here. Basically people just have to keep up to date with IE and patches to get around this. Same as if someone, however unlikely, found such a exploit in a mozilla product... or some other open source browser. the fact that it is open source and someone could find the bug faster means nothing if you dont keep your software up-to-date. And no, most casual Windows users don't. and no getting them to switch to a 'nix OS wouldn't change that.
/. crowd have no idea what they are doing....
its really more of an education problem than a software problem. most computer users (not the
at least thats my 2 cents.
Matt
You have 1 Moderator Point! Use it or lose it! Is that a threat? -vapid
Who browses as root? Oh, yes, thats right Windows users.
I'm a safety-conscious Windows user! I never login as "root"! I just use the "Administrator" account instead!
This is really easy. Back in the good old days, when developers measured memory in kilobytes rather than megabytes, and cpu speeds were expressed in single digit mhz rather than single digit ghz, performance was a BIG issue. The layout of the data inside a bitmap was set up to mimic the memory layout of a video card, so that you could literally just copy the data with no transforms.
Over time, video memory layouts changed, computers got faster, and now have more on cpu cache than they used to have memory. The rage in software development has come full circle. Instead of trying to optimize things to see how efficient they can be written, it seems to be a goal to see how much overhead one can put into a given application before it actually starts to do something useful. Some things tho seem to be trapped in thier legacy heritage, and the format of a bitmap is one of them.
I think you might have your terminology backwards. Posting the vulnerability is a favor to people. Posting an exploit is a different story altogether. Since you have a hard time differentiating, let me try to help you out:
Vulnerability: "Hey, look -- I've found this hole in IE. Here it is, fix it. Everyone else -- this software sucks. Use something else."
Exploit: "Hey, everyone (script kiddies included) -- here's some code that I put together that exploits vulnerable boxes. You don't have to know a damn thing to root a vulnerable box. You can use this for anything, spamming, DDoS attacks, mining for credit card numbers -- it doesn't matter -- crack away, oh 31337 ones."
Now can you tell me which is more constructive? The exploit or vulnerability. Now rememeber that nobody finds an exploit -- they're all written. Vulnerabilities are found. I completely agree that vulnerabilities should be made public -- but as far as exploits -- you're dead wrong.
Now, if you didn't have you terminology backwards, your logic is just irresponsible. How is an exploit any more helpful than a vulnerability report to bugtraq? How could it possibly benefit anyone other than the script kiddies who will eventually get their hands on this code? People need another exploit in the wild like they need another hole in the head. You will still have an opporitunity to tell your friends and family about your disscovery -- only you'll have time to tell them to update their browser...not that they've probably been rooted.
PS -- next time, if you're less confrontational in your replies -- you will likely receive more friendly responses...ass.
-Turkey
So, where's the .bmp I can link to my web site that makes IE5 remotely execute Mozilla Firefox installer?
Ask a silly person, get a silly answer.
No, it doesn't work that way. All the major Linux and BSD distros backport security fixes into older apps that they have released; they do not insist that you upgrade to the next major version. When someone (e.g. Red Hat) drops security coverage for older versions, multiple efforts (Progeny, Fedora Legacy) spring up to fill the gap.
I can see the ultimate virus now: you click an innocent-looking link, it takes you to a goatse bmp, and the exploit will lock your keyboard and mouse...leaving you utterly defenseless! Oh the horror!
I mean really, who runs IE 5 anyway. I'm sure that most corporate network admins keep up with updating IE. Let me check on a random company machine...
Help-About Internet Explorer-.....Never mind my previous comment.
You could always check out the google Zeitgeist.
:)
http://www.google.com/press/zeitgeist.html
Down in the middle of the page, it shows a graph that depicts MSIE 6.0 to be the dominant browser in nice clear red ink.
Doing ANYTHING with the code, good or bad is illegal. So if we DID make a patch, we couldn't claim we did.
___FutureShoks___
This is an exploit which effects Users, running a WEB BROWSER. Please tell me one single (however insignificant) thing a Normal User who is running a web BROWSER could possibly give half a fuck about which requires administrator privledges.
Seperate user accounts, securing the system itself, etc, that is _ONLY_ security-related when you are the administrator of a server and require your box be up 24/7 (or at least somewhat often)
Think about it for two seconds: You're a normal user, you're using your personal computer. Hell, you're using it to surf the web, this isnt any system which other people are dependent on having a high uptime or anything. You go to a webpage, and some arbitrary code gets executed.
What files could be effected? Well, you're running as a normal user, so luckily for you only the files which you give a shit about will be harmed, while the easily replaceable part of the system remains intact.
This whole "multiple accounts == security" line is pure bullshit extract. The files which a USER, not a System Administrator, cares about, are files which that USER created, downloaded, edited, etc. Files which the User has access to.
If some malicious code executes as root/Admin, so what? Your important files are trashed and you need to spend an extra hour reconfiguring your system? That extra hour or two doesnt mean squat compared to the years it may take to restore the files which you created personally.
"You Should Keep Backups anyway" is Irrelevant. As that can just as easily be applied to root-accessible files, the point is that non-admin privs are just as bad as admin privs on a personal system.
And this exploit _is_ talking about a personal system, unless you're in the habit of running IE5 on a high-priority server instead of the laptop sitting next to it.
-- 'The' Lord and Master Bitman On High, Master Of All
This is completely off topic from the parent post. But THE LINKED ARTICLE CONTAINS SOURCE CODE FOR WINDOWS.
The Slashdot editors should remove the link immediately. Its really dangerous to have on the front page of this site.