
Netscape SmartDownload 1.3 Buffer Overflow Vulnerability

by phiber on April 19th, 2001

Successfully exploiting the buffer overflow in sdph20.dll would allow an attacker to execute arbitrary code as the currently logged in user. In Windows 95/98/Me, this means privileged access to all resources on the target host.




Technical Description:



Netscape SmartDownload adds pause, resume and auto-restart download
capabilities to common web browsers such as Netscape Navigator,
Microsoft Internet Explorer and NeoPlanet. It is installed by default
with SmartDownload versions of Netscape Communicator, and marketed as
an add-on "download manager" for other browsers. It is available for
all Win32 platforms (Windows 95/98/Me, NT/2000).


All URLs visited by a user are analyzed and parsed by SmartDownload for
MIME type and extension to determine if the SmartDownload dialog box
should be presented, regardless of whether SmartDownload is enabled.
URLs parsed include web pages viewed within the browser (including
redirects), web pages within framesets and files spawned to external
viewers. Images, embeds and targets of object tags are not parsed by
SmartDownload.



A bug in the library 'sdph20.dll' used by SmartDownload prevents it
from properly parsing URLs greater than 256 characters in length. The
parsing code in sdph20.dll reserves 256 characters for an URL on the
stack but an unchecked lstrcpy will copy URLs of arbitrary length into
that buffer, overwriting several local variables, the return address
and other parts of the stack.
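The defect described above, as an added C example (not SmartDownload's own code, which the advisory does not reproduce): the unbounded-copy pattern beside a bounded parser that rejects over-length URLs instead of truncating them. It assumes strcpy standing in for Win32 lstrcpy and a constructed all-'A' input with no payload.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URL_BUF_SIZE 256  /* stack reservation described in the advisory */

/* The advisory's pattern: a fixed stack buffer filled by an unbounded
 * copy (lstrcpy on Win32; strcpy here). A URL of 256 or more bytes
 * runs past buf into saved locals and the return address. Shown for
 * comparison only; it is never called on untrusted input here. */
size_t parse_url_unchecked(const char *url)
{
    char buf[URL_BUF_SIZE];
    strcpy(buf, url);           /* no length check */
    return strlen(buf);
}

/* Hardened form: the length probe is itself bounded (memchr reads at
 * most URL_BUF_SIZE bytes), input with no terminator inside the limit
 * is rejected rather than silently truncated, and the copy is sized
 * from the measured length. Returns the length, or -1 when rejected. */
int parse_url_checked(const char *url, char *out, size_t out_size)
{
    if (out_size < URL_BUF_SIZE) return -1;
    const char *nul = memchr(url, '\0', URL_BUF_SIZE);
    if (nul == NULL) return -1; /* 256+ bytes: would overflow, reject */
    size_t len = (size_t)(nul - url);
    memcpy(out, url, len + 1);  /* len <= 255, so the NUL fits too */
    return (int)len;
}

/* Constructed input: n filler bytes ('A', like the advisory's padding,
 * no payload) parsed into a 256-byte stack buffer via the checked path. */
int check_url_of_length(size_t n)
{
    char buf[URL_BUF_SIZE];
    char *url = malloc(n + 1);
    if (url == NULL) return -2;
    memset(url, 'A', n);
    url[n] = '\0';
    int rc = parse_url_checked(url, buf, sizeof buf);
    free(url);
    return rc;
}

int main(void)
{
    printf("255 bytes -> %d\n", check_url_of_length(255));   /* 255 */
    printf("1000 bytes -> %d\n", check_url_of_length(1000)); /* -1 */
    return 0;
}
```

The 255/256 boundary is the one that matters: the checked path accepts exactly what fits with its terminator and refuses everything longer, which is the check the original lstrcpy call site lacked.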



Analysis of sdph20.dll reveals that the ESI register will always point
to a location in memory with a predictable offset from the start of the
URL buffer after the parser function returns. This means that shellcode
[1] within the URL can be reached with a CALL ESI or JMP ESI
instruction if a known location containing either of those instructions
is inserted in the return address (byte 272).



If the overflow is successfully exploited, shellcode will be executed
by the victim with the privileges of the currently logged in user. If
the victim is using Windows 95, 98 or Me, the shellcode will be run
with privileged access to all system resources (local Administrator
access).



[1] SmartDownload places some restrictions on the characters permitted
in an URL - namely, reserved URL characters such as # : ? and & are
clipped or replaced. Additionally, the NULL character and some control
characters (ASCII < 32) are rejected outright by some web browsers.



Attack Scenarios:



Attacker finds a memory location known to contain a JMP ESI or CALL ESI
on the target host.



Attacker creates a 1000-byte string designed to overflow the URL parser
function in sdph20.dll. The attacker places the ESI jump address at
byte 272 of the string, and pads the remainder with equivalent-to-NOP
characters such as 0x41 (A).



The attacker creates shellcode and places it toward the end of the
string.



Attacker constructs a malicious webpage containing a redirect to the URL
or invisible frame containing the URL and lures victim to the webpage.



Attacker-supplied shellcode could, for example, download and install a
trojan horse or backdoor program on the victim host.



Exploits:



A utility is available that generates a web page that will exploit this
vulnerability. The exploit is intentionally crippled. This exploit
written by the SecurityFocus staff is of special interest because it is
executed transparently and without crashing the browser. A user who
had this type of exploit leveraged against them by surfing otherwise
innocent seeming web pages would never know they had been attacked and
possibly backdoored. There is a popular conception that exploits like
this on the client side (in terms of buffer overflows) will crash the
browser and thereby alert the user to unusual activity. This is no
longer the case.


http://www.securityfocus.com/data/vulnerabilities/exploits/sdsploit.tar.gz



Mitigating Strategies:



* Do not visit untrusted web sites



Solutions:



Netscape has released SmartDownload 1.4, which does not contain this
bug.



For Netscape SmartDownload 1.3:



Netscape upgrade: SmartDownload 1.4


http://home.netscape.com/download/smartdownload.html



Credit:



Submitted to [email protected] on 2 March, 2001 by Craig
Davison, Ryan Russell and Bruce Leidl. Also discovered independently by
Frank Swiderski and described in an @stake advisory
which was released on 13 April, 2001.

