VGX.DLL Compressed Content Heap Overflow Vulnerability Release Date: August 14, 2007 Date Reported: October 24, 2006 Severity: High (Code Execution) Systems Affected: Internet Explorer 6 SP1 - Windows 2000 SP4 Internet Explorer 6 SP1 - Windows XP SP1 Internet Explorer 6 SP2 - Windows XP SP2 Internet Explorer 6 SP1 - Windows Server 2003 SP1 Internet Explorer 6 SP2 - Windows Server 2003 SP2 Overview: eEye Digital Security has discovered a heap overflow vulnerability in VGX.DLL's processing of compressed content referenced from VML. VGX.DLL is the Microsoft component responsible for rendering VML (Vector Markup Language) within Internet Explorer. If a user views a malicious web page or HTML e-mail containing VML that points to compressed content on an attacker-controlled web server, the attacker can cause a heap overflow within the viewing application, leading to the execution of arbitrary code. (Note that, in order to be exploited directly from HTML e-mail, the victim must attempt to view the malicious e-mail in the Internet Zone, or with otherwise equivalent security and privacy settings that allow internet content to be downloaded and displayed.) Technical Details: VGX.DLL contains an implementation of the CDownloadSink class that processes data downloaded from URLs embedded within VML. For instance, the following VML will download additional content which will be handled by VGX.DLL!CDownloadSink::OnDataAvailable: <v:rect> <v:imagedata src="http://malice/compressed.emz"> </v:rect> An integer underflow vulnerability exists within VGX.DLL!CDownloadSink::OnDataAvailable that can eventually cause URLMON.DLL!CMimeFt::SmartRead to overflow a heap buffer, due to a misreported buffer size when handling compressed content. The second argument ([EBP+10h]; [EBP+8] is the 'this' pointer) passed into CDownloadSink::OnDataAvailable is the total length of all raw (compressed) data received so far, but the function will subtract the total length of uncompressed data in its buffer from the total length of raw data when calculating the read limit to be passed to URLMON.DLL!CReadOnlyStreamDirect::Read. Assuming that the data is larger uncompressed than compressed, an integer underflow can be made to occur, causing a very large value (roughly 4GB) to be supplied as the read limit. If the amount of data subsequently read exceeds the amount of unused space in the buffer, a heap overflow with arbitrary binary data will result. Exploitation requires that CDownloadSink::OnDataAvailable be invoked at least twice -- once to load the buffer with some non-zero length of uncompressed data, and a second time to cause the overflow -- so the compressed data must be received in distinct (e.g., time-separated) pieces. Since such divisions may occur legitimately, positively identifying attempts to exploit this vulnerability are difficult, and conversely, even legitimate web sites may cause a non-malicious heap overflow to occur. Internet Explorer 7 silently fixed the vulnerability roughly ten months ago, due to a change in URLMON.DLL's behavior when reading compressed content. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS07-050.mspx Credit: Discovery: Ben Nagy and Derek Soeder Research: Derek Soeder Related Links: Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Home Use: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Greetings: Tony B. for contributing the site. Jennifer, Barnz, Reverse, Karl, Dave, Steve, Glenn, Eric, Ryan, Saeed, Daniel, and Yuji. Greg rocks! (where were you in 2003?) The Cygnet. Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert (at) eEye (dot) com [email concealed] for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.