w00w00 () Angry Packet Security (http://sec.angrypacket.com) Vulnerability in Multiple Microsoft Products for Mac OS HTML format: /advisories/ms_macos.html Text format: /files/advisories/ms_macos.txt SOFTWARE VERSIONS AFFECTED Microsft Internet Explorer Versions affected: 5.1 Platforms affected: Mac OS 8, 9, and X Microsft Outlook Express Versions affected: 5.0.2 Platforms affected: all Mac OS Microsft Entourage Versions affected: 2001 and X Platforms affected: all Mac OS Microsft PowerPoint Versions affected: 98, 2001, and X Platforms affected: all Mac OS Microsft Excel Versions affected: 2001 and X Platforms affected: all Mac OS Microsft Word Versions affected: 2001 Platforms affected: all Mac OS PRELUDE A bug in Internet Explorer for Mac OS X was originally reported to Microsoft by Josha Bronson of Angry Packet Security on January 4, 2002. Due to some internal mishandling at Microsoft, this was brushed off until w00w00 informed Microsoft of its intention to release the information on February 17. We originally gave them a deadline of two weeks until we discovered that this affected Entourage (an Outlook-like mail client for Mac OS). When Microsoft determined this affected most of their Office suite on Mac OS, we felt it was appropriate to give them time to fix it. DESCRIPTION There is a vulnerability in multiple Microsoft products on Mac OS. The problem lies in the handling of a lengthy subdirectory in the file:// directive, such as file:///AAAAAA[...] or file://A/A/A/A/[...]. The number of subdirectories is trivial as long as there is at least one. IMPLICATIONS In most cases, the user would need to click on the link to be attacked. In the case of Entourage or Outlook Express, however, just opening the email will cause this. This leaves the potential for a worm. The magnitude depends on how many people actually use Entourage and Outlook Express for Mac OS. In all cases, writing shellcode to exploit this problem is simple. Given that Mac OS X has a Unix interface, existing PowerPC shellcode that runs /bin/sh will work. No complex shellcode is needed to bind to a port or download an application off the web. The /bin/sh shellcode would need to be changed from an interactive shell to one that will execute a chain of commands. There are enough commands on Mac OS X by default to allow an attacker to download and execute an application off of a web page. The downloaded application could do any number of things, such as read off the user's contact list and send the same email to exploit to all of the user's contacts. EXPLOIT The following HTML file will demonstrate the problem. We chose to use IMG simply because that is instantly loaded, but an could have been used also. It can also be viewed (in live form) at /files/advisories/ie_sample.html. It overwrites the saved link register which is used for a subroutine's return address on PowerPC. This will allow remote execution of arbitrary code. The saved link register is overwritten by the 0x41424344. This vulnerability will allow up to 1313 characters before the saved link register. Pure binary data (including NUL bytes) can be used by escaping it (i.e., A as %41). However, using "%41" will count as three characters, rather than just one. Note: by character I mean unibyte characters. PATCHES For Internet Explorer, a patch is available from http://www.apple.com/macosx/upgrade/softwareupdates.html. For the other products, the patches can be downloaded from http://www.microsoft.com/mac/download. CREDIT w00w00 would like to thank Angry Packet for involving us in their efforts to get Microsoft to resolve this problem after their attempts failed.