Forgot your password?
typodupeerror
Internet Explorer The Internet Bug Security

Open Source Firm Releases Patch for IE Bug [UPDATED] 544

Posted by CowboyNeal
from the anything-you-can-do dept.
An anonymous reader writes "An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information." Naturally, the source for the patch is available as well. Update: 12/19 15:06 GMT by M : Sadly, the patch appears to contain a buffer overflow and some possibly-malicious code - see an analysis and news story, and this comment which suggests the patch author is trying to figure out who is taking advantage of the original vulnerability. Caveat patcher.
This discussion has been archived. No new comments can be posted.

Open Source Firm Releases Patch for IE Bug [UPDATED]

Comments Filter:
  • DMCA violator (Score:5, Insightful)

    by DigiShaman (671371) on Thursday December 18, 2003 @10:28PM (#7759927) Homepage
    In other news....M$ slams a DMCA lawsuit for "hacking".

    • by BladeMelbourne (518866) on Thursday December 18, 2003 @10:50PM (#7760111)

      Open Source Firm Releases Patch for IE Bug

      In other news...

      Today Micro$oft contributed code to the Linux kernel, and announced plans to help iron out differences between Mozilla and MSIE :-)

      • by Anonymous Coward on Friday December 19, 2003 @12:43AM (#7760844)
        SCO Group of Lindon Utah announces that it has filed suit against Microsoft for including Unix/Linux code in Microsoft's Internet Explorer. Darl McBride says "There's no way these burger flipping losers could fix IE without our help. Microsoft couldn't even fix it without our lawyers."

        Shrewd investors continue to laugh at the SCO Group's activities and have the following comments:

        "The funniest thing I've seen since the Paris Hilton tapes!" - MSN

        "A gut buster worthy of John Belushi - but SCO does more drugs" - Timothy Leary

        SCO also announced that Caldera Linux licences still outpace all other SCO products - excluding lawsuits - by a 2:1 margin. Darl announced that they expect to make that 3 to 1 by next summer before they are purchased outright by IBM for $1.50 and a can of Red Bull.
  • well done (Score:4, Insightful)

    by b4rB3li7h (687311) on Thursday December 18, 2003 @10:28PM (#7759933)
    trust OS people to fix what M$ can't find profit for!
  • by Anonymous Coward on Thursday December 18, 2003 @10:29PM (#7759941)
    I'm not downloading anything that isn't part of a MS plan. Sounds like a trojan attempt to me.
    • by Anonymous Coward on Thursday December 18, 2003 @11:01PM (#7760183)
      Did you know that MS are now sending out these patches direct via email? Be sure to install it when it arrives.

    • Of course it isn't a trojan. It's a legitimate security update which gets run on your system and makes IE invulnerable to that particular spoof attack. Why, openwares.org even has a definition on their site of what a trojan is:
      • Trojan and/or Worm loaders

        Trick unsuspecting users into downloading harmful viruses
        by disguising them as legitimate security updates.

      So you see, this is nothing more than a legitimate security upd... wait a second!!
  • by znode (647753) * <znode@@@gmx...de> on Thursday December 18, 2003 @10:30PM (#7759951) Homepage
    Without the original source to IE?
    • by epiphani (254981) <epiphani@da[ ]et ['l.n' in gap]> on Thursday December 18, 2003 @10:40PM (#7760033)
      Exactly what I was going to ask. How do you "patch" software without the original code? You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

      Now, just as a quick check, isnt reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

      Also, patching a binary - that requires *very* detailed knowledge of the binary itself, not? You cant just diff two binaries, and apply patches like that, can you? Run into adressing problems, not? I've never really studied the end result of my code beyond a little gdb'ing.
      • by WolfWithoutAClause (162946) on Thursday December 18, 2003 @10:54PM (#7760129) Homepage
        You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

        Off-hand- I'd probably stick a debugger on it, viewing the code at assembler level, and trace the carriage return in from the OS; or something like that. I mean the OS has to call or return to IE when the carriage return is hit; there can't be that many places in the code where it is waiting for input- stick a breakpoint on all of them, and whichever one gets hit after you click on the carriage return is starting to process the code. Run it multiple times with different input and pretty soon you should start to see the patterns.

        It's not especially easy, but it's doable, I've done stuff like that before. It's easier if you have the source code, but it's just slower if you don't.

      • Maybe they forgot to sign the EULA?
      • by umofomia (639418) on Thursday December 18, 2003 @10:59PM (#7760175) Journal
        Exactly what I was going to ask. How do you "patch" software without the original code? You'd basically have to reverse engineer the software, back to some other form of programming language - probably ASM.

        Now, just as a quick check, isnt reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

        Actually they didn't have to do that... they just redirect the URLs you click on into their own cgi script off on their server to determine if it's a valid URL.

        I don't know about you, but I prefer that the URLs I go to not be sent to some random server out there. Isn't this basically the definition of spyware!? Also, what happens if their server goes down? Does that mean I'm unable to browse the web at all?

        Wait for Microsoft to come out with a better fix that properly addresses this issue.

        • by KFK - Wildcat (512842) on Thursday December 18, 2003 @11:13PM (#7760252)
          It only redirects if the address seems like it contains illegal caracters (and thus tries to spoof the address), not for all webpages accessed.

          See http://www.openwares.org/cgi-bin/exploit.cgi?slash dot.org&www.goatse.cx [openwares.org] for instance.

          It might log the addresses attempting to spoof webpages, but I'm all for that. And at least this explains clearly that a spoof was attempted through this exploit. I think it's better than just correcting the string, which would access a spoofed webpage anyways, even if showing the right address at the top... which of course would not work as well but many would still fall for it no matter, especially since it probably would look like http://www.paypal.com@paypal.something.net/ which would seem legitimate to the casual looker.

        • by netsharc (195805) on Thursday December 18, 2003 @11:27PM (#7760333)
          Wrong. :) The URL I found in the source code is http://www.openwares.org/cgi-bin/exploit.cgi? .. try it with http://www.openwares.org/cgi-bin/exploit.cgi?slash dot.org [openwares.org]. It's the error page that the program displays when it hits a probable exploit. The program does the checking in your computer and when the link doesn't have %00 or %01, it just shows it normally. Only when it does see a %00 or %01, it sends the link to the above mentioned page.

          If you ask me, maybe they want to have a record of which evil Paypal clone-sites are taking advantage of the exploit so they can tell the cops. Maybe they want to make it easy to tell the users that "MS has issued an update for this problem, please download it!", but of course maybe they want to display ads on that error page (Heh I would do the same).

          But no, URLs that are okay are not being sent to that site.
      • Now, just as a quick check, isnt reverse engineering any M$ product against the EULA? I seriously expect a lawsuit about this.

        While I dont think any reverse engineering took place here, I dont think it would be illegal.

        EULAS are not contracts, you did not sign anything and EULAS cannot override the laws of that country. If reverse engineering is legal, then no amount of draconian wording or clicking on "I Agree" can change that. So if the EULA prohibits me from backing up my copy of Windows (as an examp

      • by crapulent (598941) on Thursday December 18, 2003 @11:44PM (#7760406)
        From looking at the source it's not actually a patch so much as a 'wedge'. It creates a typelib (or COM object of some sort) that registers itself with the system. By doing this it hooks into the IE API, such that it is called every time a URL is visited. If it detects that the URL contains the spoof, it redirects you to their site, where a CGI script gives you an IE-error-like page: For example if the faked part of the URL was 'fake.com' and the real site was 'real.com' it would redirect you to http://www.openwares.org/cgi-bin/exploit.cgi?true. com&http://fake.com [openwares.org]

        So this is not so much a patch as a 'workaround'. It doesn't fix anything, it just intercepts those URLs and warns you about it.
      • Granted, not your average programmer can do this, and yes you're right, it does take detailed knowledge, and a little familiarity with assembly.

        Microsoft, in it's efforts to steer people away from FoxPro to Access, many years ago, decided to not bother patching some serious issues with FoxPro. What happened was there was a very poor piece of code that tried to figure out how fast your processor was when FoxPro started up, I forget exactly what it was for, but the programmer(s) made a small bug where if t

    • using the API (Score:5, Interesting)

      by ramzak2k (596734) on Thursday December 18, 2003 @11:01PM (#7760179)
      If i am correct all microsoft applications do have allow access to APIs (Application Programming interfaces). I have written a simple application in Visual Basic once that used the API of MSN instant messenger to listen to the messages sent to me and do a custom auto reply saying things like "i will be back in a few mins".

      Once someone has a grip of IE's API, this shouldnt have been too difficult - after all they just check if the URL requested for(which should be triggering an event in the API) has a particular type of input. If so they redirect it to a different URL (their own website).

      If the patch has been done this way it is more reason not to apply it - it is not exactly the cleanest way to fix it.
    • It seems like they made an add-on to IE (it's been done before, e.g. GoogleBar, various pop-up stoppers, Gator/Claria), that probably monitors all URLs, and removes %00's and %01's out of it before giving it back to IE.

      Funny stuff, it's mostly a band-aid solution IMO, but a nice slap in the face for MS. :P
  • by Ironclad2 (697456) on Thursday December 18, 2003 @10:31PM (#7759953)
    This patch fixes a security bug in Internet Explorer that could allow someone who actually knows what they're doing to repair buggy programs on your computer.
  • Good to know... (Score:4, Interesting)

    by TSR Wedge (732684) <wedge AT wedgenet DOT us> on Thursday December 18, 2003 @10:31PM (#7759954) Homepage Journal
    Good to know that while Microsoft is leaving its users hanging out to dry patch-wise, the community still cares enough to fix the problems. Who knows -- maybe we'll see more effective (i.e., fixing more problems than they cause) patches from here forward.
  • by Anonymous Coward on Thursday December 18, 2003 @10:31PM (#7759955)
    So, there is an open source patch for a browser that the people that would have heard of the patch wouldn't use, the /. readers ought to be using mozilla and they know it, if they aren't using mozilla they probably will not install the patch either.

    the people that would likely be fooled by this haven't heard of mozilla and haven't heard of open source and will not hear of this patch.

    so this patch is pointless
    (cool that it can be done though)
    • by s20451 (410424) on Thursday December 18, 2003 @10:41PM (#7760041) Journal
      so this patch is pointless
      (cool that it can be done though)


      Ah, but my good Mr. Coward, far from being pointless, the patch puts Microsoft in a delicious conundrum! Either accept and distribute an open source patch (thereby publicly validating the open source model), or ignore the patch and get sued by customers, because a patch existed that they did not publicize.

      ps. Are you related to Noel Coward? Send my regards.
    • by jrumney (197329) on Friday December 19, 2003 @06:53AM (#7762583) Homepage
      You'd think that Slashdot readers would read the source before installing something claiming to be a security fix from a previously unknown outfit:
      // Terms of Agreement:

      //
      // By using this source code, you agree to the
      // following terms:
      //
      // 1) You may use the source code, resource
      // files for educational purposes only.
      // 2) You MAY NOT redistribute this source code
      // without written permission. Failure to do
      // so is a violation of copyright laws.
      // 3) The author of this code may have retained
      // certain "additional copyright rights".
      // If so, this is indicated in the author's
      // description.
      //
      Yet another example of someone paying lip service to "open source". Do you trust them with the information they are collecting on who is gullible enough to click on links to scams by other parties? Who is to say they aren't running their own scams and allowing them through exploit.cgi while blocking the competition?
  • by mikewren420 (264173) on Thursday December 18, 2003 @10:31PM (#7759957) Homepage
    What the article doesn't say is that the "patch" just removes IE and installs Mozilla. :)
  • Direct Link to patch (Score:5, Informative)

    by bogie (31020) on Thursday December 18, 2003 @10:32PM (#7759967) Journal
    For the adventurous among you.

    http://www.openwares.org/downloads/IEpatch.EXE
    • by IvyMike (178408)

      That's not a link! This is a link:

      http://www.openwares.org/downloads/IEpatch.EXE [openwares.org]

      P.S. I haven't actually tried the executable out, I just added the clickable goodness. I also couldn't pass up the chance to make a Crocodile Dundee joke.

    • by GaelenBurns (716462) <gaelenbNO@SPAMassurancetechnologies.com> on Thursday December 18, 2003 @10:50PM (#7760108) Homepage Journal
      Thanks. I've patched my test system and it didn't even require a reboot! Windows has come so far... when you use as little MS software on it as possible.

      Anyway, I've tested IE by running through some windows updates and going to a few exploit test sites. Everything has behaved as it should.

      By the way, one of the joys of this patch is that when you browse to a site attempting the exploit, you get one of those nice IE error pages, formatted in the traditional way. Except, instead of seeing Microsoft branding all over it, the Openware patch is referenced. I don't know... having this little bit of OSS within IE warms my heart. And just in time for the holidays!
  • by realdpk (116490) on Thursday December 18, 2003 @10:33PM (#7759981) Homepage Journal
    If you check the code, all it appears to do is redirect the browser to http://www.openwares.org/cgi-bin/exploit.cgi?URL if someone clicks on a bogus URL.

    The overpresence of "strcpy" is a bit unsettling, too.

    While it's a nice step, it's no replacement for an official Microsoft patch.
    • by Ironica (124657) <<gro.kcodnoob> <ta> <lexip>> on Thursday December 18, 2003 @11:21PM (#7760297) Journal
      While it's a nice step, it's no replacement for an official Microsoft patch.

      It's no replacement for... nothing, in other words?

      Microsoft hasn't even said they're *going* to patch this yet, you may be waiting an awful long time.
    • by crapulent (598941) on Thursday December 18, 2003 @11:54PM (#7760462)
      Yeah no shit, you'd expect better code from "Security researchers." This thing is ripe with bad code (it's sprinked with gotos for error handling) as well as at least one probably exploitable buffer overflow. Observe: here is a bit of the code for the main URL checking routine: ('dest' holds the URL in question and can be up to 256 chars long)


      char surl[256];
      strcpy(surl,"http://www.openwares.org/cgi-bin/ex pl oit.cgi?");

      char sFake[256];
      char sTrue[256];

      if (NULL != strstr(dest,"\2"))
      {
      strcpy(sFake,strstr(dest,"\2") +1);
      _mbsnbcpy((unsigned char*)sTrue,(unsigned char*)dest,strlen(dest)-strlen(sFake)-1);
      sTrue[strlen(dest)-strlen(sFake)-1]='\0';
      RemoveAtAnd(sTrue);
      RemoveAtAnd(sFake);

      } else if (NULL != strstr(dest,"\1"))
      {
      strcpy(sFake,strstr(dest,"\1") +1);
      _mbsnbcpy((unsigned char*)sTrue,(unsigned char*)dest,strlen(dest)-strlen(sFake)-1);
      sTrue[strlen(dest)-strlen(sFake)-1]='\0';
      RemoveAtAnd(sTrue);
      RemoveAtAnd(sFake);
      }
      else
      {
      strcpy(sFake,"unknown");
      strcpy(sTrue,"unknown");
      RemoveAtAnd(sTrue);
      RemoveAtAnd(sFake);
      }

      strcat(surl,sFake);
      strcat(surl,"&");
      strcat(sur l,sTrue);

      Notice the parts in bold. Is it not apparent that 'surl' can easily be overflowed if strlen(sFake) + strlen(sTrue) + strlen("http://www.openwares.org/cgi-bin/exploit.c gi?") exceeds 256. This is really sloppy code.
      • is not that freaking hard, people!

        At least this simple type with C-style strings (char*) and fixed-size buffers.

        Here's the rule:
        Instead of using any of
        strcat()
        strcpy()
        sprintf()
        gets()

        you use
        strncat()
        strncpy()
        snprintf()
        fgets()

        The second set of functions all take a length parameter which is the maximum number of bytes that the function will copy. You don't have to worry about your source not being null-terminated, or being unusually long, because the function will not copy more bytes than you say it can.
        • by Ninja Programmer (145252) on Friday December 19, 2003 @06:20AM (#7762473) Homepage
          Here's the rule:
          Instead of using any of
          strcat(), strcpy(), sprintf(), gets()

          you use
          strncat(), strncpy(), snprintf(), fgets()
          This is hardly a sufficient recommendation for significantly reducing buffer overflow problems in C code. It changes the problem into a length management problem, where the unskilled C coder (after all, didn't they have a buffer overflow in their code in the first place?) is not necessarily going to fare any better.

          If you want to really reduce buffer overflow problems I suggest you visit the following two web pages:

          The Better String Library [sf.net]

          and

          Getting user Input [pobox.com]

          I personally guarantee that buffer overflows in your code will dramatically decrease if you use the ideas spoken of and the source code on those pages.
  • How? (Score:5, Insightful)

    by blair1q (305137) on Thursday December 18, 2003 @10:34PM (#7759983) Journal
    How do you patch closed source code?

    By violating the EULA by disassembling IE?

    Lovely. I want Bill Gates poking around my sock drawer because I installed an unauthorized patch...
  • by GoofyBoy (44399) on Thursday December 18, 2003 @10:35PM (#7759989) Journal

    A third party releasing a patch to a browser. How safe is this?

    Yes the source code is there, but how do we know the executable doesn't have crap in there?

    Even if everything is clean now, how about the next patch from another source?

    (Not even saying anything about testing and how it can break something. They don't even have the source code of the original product.)
  • by jaxdahl (227487) on Thursday December 18, 2003 @10:36PM (#7759999)
    Does applying a third party patch violate the EULA for IE?
  • No thanks (Score:5, Funny)

    by Anonymous Coward on Thursday December 18, 2003 @10:37PM (#7760007)
    Sorry, but its going to be a cold day in hell when I run something from a website named "openwarez.org".
  • OMG!!! (Score:5, Funny)

    by Infernon (460398) * <infernon@gmailNETBSD.com minus bsd> on Thursday December 18, 2003 @10:38PM (#7760016)
    It didn't ask me to reboot afterwards!!!
    Someone start knitting a sweater for Satan...
  • Mmf. (Score:5, Informative)

    by BJH (11355) on Thursday December 18, 2003 @10:38PM (#7760018)
    It's only "open source" in the very loosest sense. From the patch:

    Internet Explorer URL Spoofing Security Patch

    Developed by Opensoft Corporation, Vanuatu

    Contact: opensoft@openwares.org

    Opensoft Corporation, Vanuatu
    Copyright 2003 All rights reserved.

    Terms of Agreement:

    By using this source code, you agree to the
    following terms:

    1) You may use the source code, resource
    files for educational purposes only.
    2) You MAY NOT redistribute this source code
    without written permission. Failure to do
    so is a violation of copyright laws.
    3) The author of this code may have retained
    certain "additional copyright rights".
    If so, this is indicated in the author's
    description.
  • by rice_burners_suck (243660) on Thursday December 18, 2003 @10:39PM (#7760024)
    Heh, count on the open source community to do Microsoft's job. What else do you expect?

    I can tell you this: It doesn't surprise me that Microsoft isn't doing its job properly. It's a software company. It should produce a reliable product. But instead, it produces trouble.

    Further, it doesn't surprise me that the open source community is fighting back, so to speak, by fixing this particular problem. I think that as time goes by, more patches for commercial software will be released by independant programmers in the open source community, because of frustration with the inability to get satisfaction from the "real" producer of the software.

    I only hope that Microsoft won't pull some stupid DMCA bullshit to stop this. "Yeah, your honor, we believe it is detrimental to the best interests of our customers when bugs in our software are fixed. It should, instead, be illegal to discuss, fix, or exploit these bugs in any way, unless one is a member of the underground h4x0r community, in which case, exploiting the bugs is perfectly ok." (We all know Bill Gates is the leader of all these movements to steal credit card numbers through exploits in his own code. That's how he earned his zillions of dollars. Nobody actually buys stuff from Microsoft, you know.

  • This will go far (Score:4, Interesting)

    by Ridgelift (228977) on Thursday December 18, 2003 @10:43PM (#7760055)
    While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.

    I hope this become a trend and attitude among the Open Source community. I must admit that I've been a Microsoft-hater for years, but over time I found that people are really put off by anti-corporation sentiments. I suppose it makes sense in a way; If I invested thousands in a technology for my business, I wouldn't want people telling me "Aw man! You got totally taken! Windows is total crap!"

    If the Open Source community begins patching Windows before Microsoft, not only does it help consumers deal with problems they can't solve, but it bring honor and respect to the Open Source community. Then when people consider Open Source, they're more likely to conclude that Open Source programmers are more competant than corporate programmers.

    It's a win-win-lose. Open Source wins, Consumers win, and Microsoft loses. Which is what I wanted in the first place.

    ESR's right in his article "How to Become a Hacker" [catb.org]

    Q: Do I need to hate and bash Microsoft?

    A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code -- that will bash Microsoft quite sufficiently without polluting your karma.
  • by Neo-Rio-101 (700494) on Thursday December 18, 2003 @10:44PM (#7760065)
    I don't have any idea why MS decided to wait until next year before fixing something which is otherwise a severe security issue. I guess everyone is just lead to believe that MS simply doesn't care if your PC gets hacked, because then they can go around and pass the buck to spammers and charge people for an upgrade or support.

    I think this patch release makes more of a political statement, regardless of the issues surrounding whether an OSS company should be putting out patches for proprietary products.
  • by Stevyn (691306) on Thursday December 18, 2003 @10:45PM (#7760068)
    when hell just froze over? Will microsoft actually have to acknowledge them? Thank them?
  • FWIW... (Score:4, Insightful)

    by NickFitz (5849) <<ku.oc.ztifkcin> <ta> <todhsals>> on Thursday December 18, 2003 @10:47PM (#7760083) Homepage
    this is the whois record for that domain from whois.networksolutions.com:

    Domain ID:D98313967-LROR
    Domain Name:OPENWARES.ORG
    Created On:03-Jul-2003 22:49:55 UTC
    Last Updated On:02-Sep-2003 03:58:23 UTC
    Expiration Date:03-Jul-2004 22:49:55 UTC
    Sponsoring Registrar:R14-LROR
    Status:OK
    Registrant ID:WBMRD
    Registrant Name:ori rejwan
    Registrant Street1:52 Herbert Samuel St.
    Registrant City:Tel Aviv
    Registrant State/Province:NA
    Registrant Postal Code:63304
    Registrant Country:IL
    Registrant Phone:+1.97250314892
    Registrant Email:orejwan@yahoo.com
    Admin ID:WBMRD
    Admin Name:ori rejwan
    Admin Street1:52 Herbert Samuel St.
    Admin City:Tel Aviv
    Admin State/Province:NA
    Admin Postal Code:63304
    Admin Country:IL
    Admin Phone:+1.97250314892
    Admin Email:orejwan@yahoo.com
    Tech ID:AD384-ORG
    Tech Name:Mohammed Zarqa
    Tech Organization:Tri State Contracting
    Tech Street1:POBox 455
    Tech City:East Brunswick
    Tech State/Province:NJ
    Tech Postal Code:08816
    Tech Country:US
    Tech Phone:+1.7322383766
    Tech Email:mzarqa@aol.com
    Name Server:NS2.ABAC.COM
    Name Server:NS1.ABAC.COM

    It's up to you to decide whether you trust them or not.
  • by ratfynk (456467) on Thursday December 18, 2003 @10:57PM (#7760156) Journal
    Found a wonderful fix it is called cfdisk! and slackware 9.1 setup, works great and no IE security issues!
  • by El (94934) on Thursday December 18, 2003 @10:58PM (#7760163)
    Open source enthusiasts have TWICE paid to renew Microsoft's domain registries (once for hotmail, once for microsoft UK) when Microsoft forgot... so who should you trust with your data, the people that can't even remember to renew their own domain registrations, or the people that keep bailing them out?
    • so who should you trust with your data, the people that can't even remember to renew their own domain registrations, or the people that keep bailing them out?
      Much as I hate Microsoft, this is not a rational argument. The guys who wrote this "patch" are not the ones who paid for Microsoft's domain registrations. Yes, I want Redmond to fall into a giant sinkhole, but irrational, zealous logic doesn't help anyone.
  • by goranb (209371) on Thursday December 18, 2003 @11:04PM (#7760201)
    Judging from the source it's a quite simple COM object, which hooks into IE and checks URLs before IE actually starts "processing" them (opening connections, parsing...)
    If it finds anything out of the ordinary (like an exploit) it just redirects IE to their own site. Specifically to http://www.openwares.org/cgi-bin/exploit.cgi. It adds a few paramters (the fake url among other), so I guess they will be building a database of exploiters...

    It's no patch, IE stays as it is. It's more a workaround. I'm not sure whether these hooks are documented (allthough being a windows system programmer I never liked IE and stayed as far away from it as possible), but if yes, Microsoft might actually have nothing on openwaves...
  • Memory leak (Score:4, Informative)

    by Anonymous Coward on Thursday December 18, 2003 @11:12PM (#7760248)
    From a cursory look at the source code, it looks to me as though there are at least two memory leaks. To be more specific, in function BeforeNavigateEvent(), there are two calls to malloc(), but no calls to free(), and the pointers that malloc() returns are stored in local variables, so there is no possibility that a parent function free()s them. Having said this, I haven't written any code under Windows, so maybe there is some kind of garbage collection in the Windows memory model that I am ignorant of?
  • by bighoov (605325) on Thursday December 18, 2003 @11:43PM (#7760399) Homepage
    A list of the bad things about this "patch", just at first glance:

    1. Leaks 256 bytes on every URL navigation
    2. Leaks 512 additional bytes if it finds an exploit URL
    3. Creates a string with the \1 char in it on every call, but does nothing with it
    4. Will overwrite stuff on the stack if the URL has the exploit and is very close to 256 chars in length.

    It's a good thing these guys aren't on the real IE dev team.
  • by DmitriA (199545) on Thursday December 18, 2003 @11:48PM (#7760430)
    For one thing, it's an IE add-on (similar to a GoogleBar and others), not a patch. So it's a messy solution to begin with.

    On top of that, it's buggy. It has a memory leak in its BeforeNavigatorEvent() IE callback function which gets triggered before a loading of each new page. There they allocate a string of 256 bytes, but never even bother to clean it up!
    I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component and this DLL may not be unloaded even with the closing of IE. But I may wrong that point...

    But even that's not the worst thing. Their code actually contains a buffer overflow, allowing the attacker to execute code on your machine with the privileges of the IE process just by crafting an invalid URL link and getting you to click on it!

    Basically, they use WideCharToMultiByte() to convert the unicode URL string to that allocated 256-byte ASCII character array. They tell the function the size of their array, but if the URL string exceed 256 characters in length, it will not overwrite that buffer and cause an immediate buffer overflow. Instead it will fail and tell you to increase your buffer. Well, guess what? They don't check for that failure condition (and, incidentally, it may fail for many other reasons during the Unicode->ASCII conversion) and happily proceed to use it in a strcpy() later on, overwriting another 256-byte character array which is now located on the stack. A nasty buffer overflow just waiting to be exploited...

    So to summarize, they took a relatively minor problem (URL spoofing) and made it a hundred times worse with their 'solution'. Great job, guys!

    Offending code:
    /* memory leak */
    char *dest = (char *)malloc(256*sizeof(char));

    /* Unicode->ASCII conversion that doesn't do error checking */
    WideCharToMultiByte( CP_ACP, 0, BSTR)url->bstrVal, -1, dest, 256, NULL, NULL );

    ...

    /* vulnerable arrays on the stack */
    char sFake[256];
    char sTrue[256];

    ...

    /* please overwrite the return address on the stack and execute my shellcode */
    strcpy(sFake,strstr(dest,"\2") +1);
    • by DmitriA (199545) on Thursday December 18, 2003 @11:52PM (#7760453)
      Eh. Just realized that since WideCharToMultiByte() will fail, it will not actually copy the URL to the dest[] array and thus, you probably can't overwrite the return address with a legitimate value and get it to point at your shellcode. It's still easy to overwrite it with a random value (with whatever is sitting at the time in the uninitialized dest[] array) and cause a crash, but executing malicious code may be a little harder to pull off...
      • by DmitriA (199545) on Friday December 19, 2003 @12:02AM (#7760507)
        Well, this is hilarious. I guess I should never assume anything until I try it out myself. Apparently when WideCharToMultiByte() fails, it DOES overwrite your string until but presumably does not go over the specified bounds. So their code is still vulnerable to remote code execution since you can fill the dest[] array with the shellcode and a new return address that would point to it. You only have 256 bytes to work with (in reality even less, since they have some other stuff on the stack that you need to get over before you get to the return address), but if you are good with assembly, that should be enough to do some fun stuff... In comparison, Slammer was 306 bytes in size, but of course did quite a bit too...
    • by phorm (591458) on Friday December 19, 2003 @12:54AM (#7760952) Journal
      Then nobody would have noticed the stack vulnerability, unless you had either a machine vulnerable to the original exploit, or a machine vulnerable to a new exploit as per being patched

      Since it is open-source, however, somebody can fix that bug nice and quick before it becomes another problem (gee, imagine that).

      Lack of foresite on the behalf of the patch developer is a bit disturbing, but not a bad reflection on OS code at all :-)
    • For one thing, it's an IE add-on (similar to a GoogleBar and others), not a patch. So it's a messy solution to begin with.

      There's a saying for this: crap built upon crap.

      There they allocate a string of 256 bytes, but never even bother to clean it up! I'm not even sure if that memory is going to be cleaned up when you close all the IE windows, since it's really a Windows system component ...[more scary windows stuff]

      Seems like a combination of the lousy design of the Windows components coupled with us

  • Opera (Score:4, Interesting)

    by 10scjed (695280) on Thursday December 18, 2003 @11:55PM (#7760469) Homepage
    Opera7.23- not only is it not vulnerable to this exploit, it pops up a dialog box to advise you're being redirected to a user@ address (and shows the real address in the bar).
  • Over hyped. (Score:5, Interesting)

    by jag164 (309858) on Friday December 19, 2003 @12:00AM (#7760490)
    First of all. This 'patch' isn't too extrodinary. This is a plugin similar to the google bar. There is no reverse engineering, thus no threat of DMCA. It's really not a patch, it's more of a work around. It's also a publicity stunt. Upon detecting a spoof, there should me no reason to go to the 'patch makers' website for info when it could be done within the plugin.

    Second, it's a horrible precedent for closed source software. Let close source fixed close source. This may seem like a good thing(tm) for the OSS communtity, but you know damn well that not-so-good-intentioned 'patches' will soon follow. Post some source on a site, provide an EXE(that of course didn't come from the source) and you've fished in countless joe users before the real word is out that a copy cat has duped you. Too late for some.

    I can only see bad things(tm) coming from this idea. Geeks know who and what to trust, but Joe User doesn't. And when joe user screws up it screws us all.

    The sum: This may have a greater negative impact in the long run then the good one it was intended to have.

  • Dangerous (Score:3, Insightful)

    by SkewlD00d (314017) on Friday December 19, 2003 @12:43AM (#7760842)
    This patch uses strcpy()/strcat() and 256 char buffers instead of dynamic buffers and strncpy()/strncat() in IETray.cpp.

    FOR THE LOVE OF GOD/ALLAH/BUDHA DONT USE strcpy()/strcat()/gets() !!!

    These functions ought to be made illegal. This is why buffer overflows exist, because amateur coders generally don't know what they're doing and because they dont grasp the security implications of design decisions. Be warned, users[ESC]bcwidiots herd together.

    -- Naive C programming will get you everywhere, it appears, even if you don't have a clue.

Passwords are implemented as a result of insecurity.

Working...