more.msie.5.favicon.ico.txt

1999-08-17T00:00:00
ID PACKETSTORM:11924
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `Date: Mon, 3 May 1999 16:06:10 -0300  
From: Flavio Veloso <flaviovs@CENTROIN.COM.BR>  
To: BUGTRAQ@netspace.org  
Subject: MSIE 5 favicon bug  
  
Hi folks.  
  
When MSIE 5 users bookmark a page, the browser will request a file  
named "favicon.ico" which is to be used in the "Favorites" menu of the  
browser. Unfortunately MSIE 5 doesn't check the file integrity and  
crashes if faced with a bad-formed icon file.  
  
Upon crashing the stack gets filled with information from the icon  
file itself, so it may be possible to run code on the client machine,  
though I didn't test it.  
  
Microsoft was notified twice about this issue via the "Report a Bug"  
form on their web site. The first time about one month ago, the second  
time about two weeks ago. I didn't receive back any reply.  
  
More information about this bug (plus another privacy issue about the  
"favicon.ico" file) is available at  
http://web.cip.com.br/flaviovs/sec/favicon/index.html.  
  
--  
Flavio  
  
-------------------------------------------------------------------------  
  
[ http://web.cip.com.br/flaviovs/sec/favicon/index.html ]  
  
<html>  
<head>  
<title>MSIE 5 favicon bug</title>  
  
<script language="JavaScript">  
function bookmarkit()  
{  
if ( navigator.appVersion.indexOf("MSIE 5") == -1 )  
{  
alert("This only works on MSIE 5");  
return false;  
}  
  
if ( confirm("This will crash MSIE!") )  
window.external.AddFavorite(location.href, document.title);  
return false;  
}  
</script>  
  
</head>  
  
<body>  
<h1>MSIE 5 favicon bug</h1>  
  
<h2>Description</h2>  
  
There's a bug in MSIE 5 when handling the <code>favicon.ico</code>  
file downloaded from a web site. By creating an icon file with bad  
data, it's possible to crash MSIE 5. The stack is filled with  
information from the icon file so it <i>may be</i> possible to create  
an icon file with data which would end up executing code on the client  
machine.  
  
<blockquote>  
<h3><i>The <code>favicon.ico</code> icon file</i></h3>  
  
<i>The <code>favicon.ico</code> file is an icon file in the  
MS-proprietary icon file format. It is downloaded by MSIE 5 when the  
user asks it to add the page's URL to his/her "Favorites"  
list. When the user selects to add the URL, MSIE 5 downloads the file  
and shows the icon on the "Favorites" menu. The request for  
the <code>favicon.ico</code> file is first done on the same path of  
the current URL. If the file is not found, MSIE 5 will backup one  
directory in the directory hierarchy and try again. It will do this  
until it finds the file or reaches the web server root (e.g. if you  
try to bookmark this page, MSIE 5 will look for  
<code>favicon.ico</code> in  
<code>http://web.cip.com.br/flaviovs/sec/favicon/</code>,  
<code>http://web.cip.com.br/flaviovs/sec/</code>,  
<code>http://web.cip.com.br/flaviovs/</code> and  
<code>http://web.cip.com.br/</code>).</i>  
  
</blockquote>  
  
<h2>Impact</h2>  
  
MSIE 5 will crash when trying to interpret/show such an icon file. It's  
unknown if it's possible to create an icon file which will trigger  
code execution on the client machine, but the evidence shows that it may  
be possible (i.e. it looks like a stack buffer overflow).  
  
<h2>Workaround</h2>  
  
It seems it's not possible to turn off the <code>favicon.ico</code>  
loading feature. Thus the only workaround is not to add any  
non-trusted site to the "Favorites" list and wait for a  
patch from Microsoft.  
  
<h2>Example</h2>  
  
<p>If you're using MSIE 5 with Javascript enabled, you can feel <a  
href="" onClick="bookmarkit(); return false">the bug in  
action</a>. Otherwise just try to bookmark this page (note: this will  
<i>crash</i> your browser).  
  
<p><a href="favicon.ico">Here's</a> the <code>favicon.ico</code> file  
that triggers the bug. It's composed of a bogus header followed by  
lots of "A" characters.  
  
  
<h2>What Microsoft is Doing</h2>  
  
Apparently, nothing. I reported the bug twice, the first one about one  
month ago, the last time about two weeks ago. I didn't receive any  
reply.  
  
<h2>Disclaimer</h2>  
  
All information contained in this page is for EDUCATIONAL PURPOSES  
ONLY. The author of this page can not be made responsible for any  
damage caused by the use or misuse of information here contained.  
  
<h2>Related Documents</h2>  
  
<ul>  
<li><a  
href="http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp">Web  
Workshop Getting Ready for Internet Explorer 5</a></li>  
<li><a href="http://www.apacheweek.com/issues/99-04-09">Apache Week:  
9th April 1999</a></li>  
<li><a href="privacy.html">Privacy Issues about the <code>favicon.ico</code>  
File</a></li>  
</ul>  
  
<h2>About</h2>  
  
This bug was discovered in April 1999 by Flavio Veloso &lt;<a  
href="mailto:flaviovs@centroin.com.br">flaviovs@centroin.com.br</a>&gt;.  
  
</body>  
</html>  
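
Added example, not part of the original advisory or thread: a structural check for an `.ico` file of the kind a proxy or download filter could run before the icon reaches a parser that trusts its header. The function names, the size caps and the sample byte strings are assumptions constructed for illustration; the field layout is the standard ICONDIR / ICONDIRENTRY icon format.

```python
import struct

ICONDIR = struct.Struct("<HHH")            # idReserved, idType, idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # w, h, colors, reserved, planes, bpp, bytes, offset
BMIH = struct.Struct("<IiiHHIIiiII")       # BITMAPINFOHEADER (40 bytes)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"           # newer icons may embed PNG instead of a DIB
MAX_FILE, MAX_IMAGES = 256 * 1024, 32      # assumed policy caps, not from the advisory


def check_ico(data: bytes) -> list:
    """Return structural problems found in an .ico file; [] means the layout is sane."""
    if len(data) > MAX_FILE:
        return ["file exceeds size cap"]
    if len(data) < ICONDIR.size:
        return ["truncated ICONDIR"]
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    problems = []
    if reserved != 0:
        problems.append("idReserved is not 0")
    if kind != 1:
        problems.append("idType is not 1 (icon)")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if not 1 <= count <= MAX_IMAGES or dir_end > len(data):
        problems.append("idCount %d does not fit the file" % count)
    if problems:
        return problems                    # never walk a directory we do not trust
    spans = []
    for i in range(count):
        w, h, _, _, _, _, size, off = ICONDIRENTRY.unpack_from(
            data, ICONDIR.size + i * ICONDIRENTRY.size)
        # Every length and offset comes from the file: bound it by the real file size.
        if size == 0 or off < dir_end or off + size > len(data):
            problems.append("entry %d: image [%d, %d) outside file" % (i, off, off + size))
            continue
        spans.append((off, off + size, i))
        image = data[off:off + size]
        if image.startswith(PNG_MAGIC):
            continue
        if size < BMIH.size:
            problems.append("entry %d: image too small for BITMAPINFOHEADER" % i)
            continue
        bi_size, bi_w, bi_h = BMIH.unpack_from(image, 0)[:3]
        # In an icon DIB, biHeight covers the XOR and AND masks, so it is 2 * height;
        # a directory width/height byte of 0 means 256.
        if bi_size != BMIH.size or bi_w != (w or 256) or bi_h != 2 * (h or 256):
            problems.append("entry %d: bitmap header disagrees with directory" % i)
    spans.sort()
    for (_, end, i), (start, _, j) in zip(spans, spans[1:]):
        if start < end:
            problems.append("entries %d and %d overlap" % (i, j))
    return problems


def make_icon() -> bytes:
    """Constructed sample: a well-formed 1x1, 32-bit icon."""
    dib = BMIH.pack(40, 1, 2, 1, 32, 0, 0, 0, 0, 0, 0) + b"\x00" * 8  # XOR pixel + AND row
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(dib), ICONDIR.size + ICONDIRENTRY.size)
    return ICONDIR.pack(0, 1, 1) + entry + dib


# Constructed malformed samples (not the file from the advisory).
BOGUS = b"\xff" * ICONDIR.size + b"A" * 2048                  # junk header, then filler
GOOD = make_icon()
LYING = GOOD[:14] + struct.pack("<I", 0x10000) + GOOD[18:]    # dwBytesInRes larger than file

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bogus", BOGUS), ("lying", LYING)):
        print(name, check_ico(blob) or "ok")
```
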
  
-------------------------------------------------------------------------  
  
Date: Tue, 4 May 1999 14:15:56 -0300  
From: Flavio Veloso <flaviovs@CENTROIN.COM.BR>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
On Mon, 3 May 1999, Kurt Seifried wrote:  
  
> > When MSIE 5 users bookmark a page, the browser will request a file  
> > named "favicon.ico" which is to be used in the "Favorites" menu of the  
> > browser. Unfortunately MSIE 5 doesn't check the file integrity and  
> > crashes if faced with a bad-formed icon file.  
> >  
> > Upon crashing the stack gets filled with information from the icon  
> > file itself, so it may be possible to run code on the client machine,  
> > though I didn't test it.  
>  
> Doesn't work for me. NT Server 4.0, SP4, MSIE 5.0 (5.00.2314.1003). Tried  
> repeatedly.  
  
Due to some reports, it seems that NT users aren't affected. The GPF  
is triggered in the USER.EXE module which I bet is different from the  
one on Win 95/98, where I did my tests. You're the first one to report  
that OSR/2 isn't affected which sounds very strange to me, since it  
came (I believe) before 98.  
  
> > Microsoft was notified twice about this issue via the "Report a Bug"  
> > form on their web site. The first time about one month ago, the second  
> > time about two weeks ago. I didn't receive back any reply.  
>  
> Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,  
> no crash either... if anyone can replicate this I'd be curious to know. How  
> have you gone about testing this? Which platform(s)? Win98 only?  
  
I tested it in two different machines:  
  
* Windows 95 + IE 5.00.2314.1003  
  
* Windows 98 + IE 5.00.2314.1003IS (the "IS" is because this is  
a Portuguese version of the browser, I guess)  
  
Both crashed miserably.  
  
--  
Flavio  
  
-------------------------------------------------------------------------  
  
Date: Wed, 5 May 1999 11:10:52 +1000  
From: Ted.Buchan.330895@ARMY.DEFENCE.GOV.AU  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
>Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,  
>no crash either... if anyone can replicate this I'd be curious to know. How  
>have you gone about testing this? Which platform(s)? Win98 only?  
  
  
I tried it from a Windows 95 OSR2 (v4.0.1111) machine with MSIE5  
(v5.00.2014.0216) and about 5 seconds after adding  
http://web.cip.com.br/flaviovs/sec/favicon/index.html to my  
favourites I got a gpf in USER.EXE just as Flavio had stated...  
  
-------------------------------------------------------------------------  
  
Date: Thu, 6 May 1999 16:32:39 -0400  
From: Chris DeRose <derosec@MEDIAONE.NET>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
I tried it from my Win98 (4.10.1998) machine, running MSIE 5  
(5.00.2314.1003) and I too got a GPF.  
  
-Chris DeRose  
-derosec@mediaone.net  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 May 1999 12:22:58 +0800  
From: Lee Chia Ling <leecl@ASIANSOURCES.COM>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
Dear all,  
  
Tested from Win98 with MSIE 5.0 (v5.00.2014.0216) and it crashed  
as described.  
  
--- cllee  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 May 1999 19:39:11 +0100  
From: Cliff Rowley <dozprompt@NOSPLASH.FORCE9.CO.UK>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
Also works with:  
  
Win98 4.10.1998  
IE5 5.00.2014.0216  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 May 1999 20:24:45 -0300  
From: Flavio Veloso <flaviovs@CENTROIN.COM.BR>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
On Fri, 7 May 1999, Jason wrote:  
  
(...)  
> "The request for the favicon.ico file is first done on the same path of the  
> current URL. If the file is not found, MSIE 5 will backup one directory in  
> the directory hierarchy and try again. It will do this until it finds the  
> file or reaches the web server root (e.g. if you try to bookmark this page,  
> MSIE 5 will look for favicon.ico in  
> http://web.cip.com.br/flaviovs/sec/favicon/,  
> http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and  
> http://web.cip.com.br/)."  
>  
> My experience is based on the following platform information:  
>  
> Windows 98 with all available updates (3717  
> MSIE 5: 5.00.2014.0216IC 128-bit  
>  
> Contrary to the information given at the cited URL, my best attempts at  
> recreating this alleged phenomenon have been futile. In addition, I am  
> fairly confident, based on every log analysis I have performed, that this is  
> wrong.  
(...)  
  
Hi.  
  
You're absolutely right. Actually I didn't test that and trusted in  
the information given by Apacheweek (see  
http://www.apacheweek.com/issues/99-04-09).  
  
I'm fixing the page now.  
  
--  
Flavio  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 May 1999 15:46:13 -0700  
From: blake.mitchell@AUTODESK.COM  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
  
Hey,  
  
I happened to have IE5 installed on solaris:  
  
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.5.1 sun4m; X11)  
  
So I gave it a shot, it appears to not even attempt to get the favicon.ico  
file. I even put in the URL  
http://web.cip.com.br/flaviovs/sec/favicon/favicon.ico, but all I get is a  
broken image icon. So anyway, no crash on solaris.  
  
Blake  
  
-------------------------------------------------------------------------  
  
Date: Fri, 7 May 1999 17:45:18 -0500  
From: Jason <lists@plasmic.com>  
To: BUGTRAQ@netspace.org  
Subject: Re: MSIE 5 favicon bug  
  
Aloha.  
  
Below is an exact copy of the information found on the web site Mr.  
Veloso provided us with:  
  
"The request for the favicon.ico file is first done on the same path of the  
current URL. If the file is not found, MSIE 5 will backup one directory in  
the directory hierarchy and try again. It will do this until it finds the  
file or reaches the web server root (e.g. if you try to bookmark this page,  
MSIE 5 will look for favicon.ico in  
http://web.cip.com.br/flaviovs/sec/favicon/,  
http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and  
http://web.cip.com.br/)."  
  
My experience is based on the following platform information:  
  
Windows 98 with all available updates (3717  
MSIE 5: 5.00.2014.0216IC 128-bit  
  
Contrary to the information given at the cited URL, my best attempts at  
recreating this alleged phenomenon have been futile. In addition, I am  
fairly confident, based on every log analysis I have performed, that this is  
wrong.  
  
This is most obvious by creating a large hierarchy of directories like  
the following URL (note: there is nothing at this URL but an empty dir):  
  
http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/  
  
I supposed that if what Flavio asserted was true, then IE5 would bombard  
the server with a plethora of requests for 'favicon.ico' when I added it to  
my 'Favorites'.  
  
Here is a sample of what was generated in my apache log file:  
  
I open up the apache-generated directory listing web page:  
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200  
733  
  
After bookmarking the site, IE tries to find favicon.ico in the  
_current_ directory:  
"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico  
HTTP/1.1" 404 8999  
  
Directly thereafter (probably virtually simultaneous connections), IE5  
attempts to retrieve favicon.ico from the _root_ directory of my web server:  
"GET /favicon.ico HTTP/1.1" 404 330  
  
There are no requests in between the ones shown above.  
  
Implications:  
  
- This vulnerability may only be exploited by the owner of the current  
directory or the owner of the document root. This does not diminish its core  
significance, but is definitely a fundamental point in the understanding of  
this bug.  
  
- Adding 'Favorites' does not generate as much traffic or as many requests  
as originally thought.  
  
  
Regards,  
Jason Sloderbeck  
  
  
+===========================-------------------- - - - - - -  
| University of Missouri/Kansas City - Computer Science/Telecom  
| hom: 816/452.8937 e: jsloder@cstp.umkc.edu url: www.umkc.edu  
| Plasmic Computer Systems - Chief Information Officer  
| off: 816/292.2870 e: jason@plasmic.com url: www.plasmic.com  
| Midwest Internet Services - Sr. Systems Administrator  
| cel: 816/820.9279 e: sloderbeck@mwis.net url: www.mwis.net  
+===========================-------------------- - - - - - -  
  
----- Original Message -----  
From: Flavio Veloso <flaviovs@CENTROIN.COM.BR>  
To: <BUGTRAQ@netspace.org>  
Sent: Monday, May 03, 1999 2:06 PM  
Subject: MSIE 5 favicon bug  
  
  
> Hi folks.  
>  
> When MSIE 5 users bookmark a page, the browser will request a file  
> named "favicon.ico" which is to be used in the "Favorites" menu of the  
> browser. Unfortunately MSIE 5 doesn't check the file integrity and  
> crashes if faced with a bad-formed icon file.  
>  
> Upon crashing the stack gets filled with information from the icon  
> file itself, so it may be possible to run code on the client machine,  
> though I didn't test it.  
>  
> Microsoft was notified twice about this issue via the "Report a Bug"  
> form on their web site. The first time about one month ago, the second  
> time about two weeks ago. I didn't receive back any reply.  
>  
> More information about this bug (plus another privacy issue about the  
> "favicon.ico" file) is available at  
> http://web.cip.com.br/flaviovs/sec/favicon/index.html.  
>  
> --  
> Flavio  
>  
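
Added example, not part of the message above: the access-log comparison it describes, as a script that labels each `favicon.ico` request as current directory, server root or intermediate ancestor of the bookmarked page. The log lines are constructed (shortened paths, a documentation IP address, invented timestamps) and modelled on the request lines quoted in the message; the function names are hypothetical.

```python
import re

# Request, status and size fields of an Apache Common Log Format line.
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/\d\.\d" (\d{3}) (?:\d+|-)')
ICON = "favicon.ico"


def classify_probes(log_lines, page_path):
    """Label every favicon.ico request by where it sits relative to the bookmarked page."""
    page_dir = page_path.rsplit("/", 1)[0] + "/"
    probes = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() != ICON:
            continue
        probe_dir = path[: -len(ICON)]          # always ends with "/"
        if probe_dir == page_dir:
            label = "current"
        elif probe_dir == "/":
            label = "root"
        elif page_dir.startswith(probe_dir):
            label = "ancestor"                  # only seen if the browser walks upward
        else:
            label = "unrelated"
        probes.append((label, probe_dir, int(m.group(2))))
    return probes


def summarize(log_lines, page_path):
    probes = classify_probes(log_lines, page_path)
    return {
        "walks_up": any(label == "ancestor" for label, _, _ in probes),
        # Directories whose owner could hand an icon to a bookmarking visitor.
        "icon_sources": sorted({d for label, d, _ in probes if label != "unrelated"}),
        "served": [d for _, d, status in probes if status == 200],
    }


PAGE = "/~jason/a/a/a/"
PREFIX = "192.0.2.10 - - [07/May/1999:17:30:0%d -0500] "
# Constructed log: the two-request pattern reported in the message.
OBSERVED = [
    PREFIX % 1 + '"GET /~jason/a/a/a/ HTTP/1.1" 200 733',
    PREFIX % 9 + '"GET /~jason/a/a/a/favicon.ico HTTP/1.1" 404 8999',
    PREFIX % 9 + '"GET /favicon.ico HTTP/1.1" 404 330',
]
# Constructed log: what the directory walk described on the web page would look like.
CLAIMED = OBSERVED[:2] + [
    PREFIX % 9 + '"GET /~jason/a/a/favicon.ico HTTP/1.1" 404 330',
    PREFIX % 9 + '"GET /~jason/a/favicon.ico HTTP/1.1" 404 330',
    PREFIX % 9 + '"GET /~jason/favicon.ico HTTP/1.1" 404 330',
] + OBSERVED[2:]

if __name__ == "__main__":
    print("observed:", summarize(OBSERVED, PAGE))
    print("claimed: ", summarize(CLAIMED, PAGE))
```
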
  
-------------------------------------------------------------------------  
  
Date: Thu, 27 May 1999 18:18:39 -0700  
From: aleph1@UNDERGROUND.ORG  
To: BUGTRAQ@netspace.org  
Subject: Microsoft Security Bulletin (MS99-018)  
  
The following is a Security Bulletin from the Microsoft Product Security  
Notification Service.  
  
Please do not reply to this message, as it was sent from an unattended  
mailbox.  
********************************  
  
Microsoft Security Bulletin (MS99-018)  
--------------------------------------  
  
Patch Available for "Malformed Favorites Icon" Vulnerability  
  
Originally Posted: May 27, 1999  
  
Summary  
=======  
Microsoft has released a single patch that eliminates two security  
vulnerabilities in Microsoft (r) Internet Explorer 4.0 and 5. The first  
potentially could allow arbitrary code to be run on a user's computer. The  
second potentially could allow the local hard drive to be read. A fully  
supported patch is available to eliminate both vulnerabilities, and  
Microsoft recommends that affected customers download and install it, if  
appropriate.  
  
Issue  
=====  
This update eliminates two vulnerabilities:  
- The "Malformed Favorites Icon" vulnerability. The Favorites  
feature allows IE users to keep a list of their favorite web  
sites. In IE 5, the Favorites list can contain icons that are  
supplied by the associated web sites. However, there is an  
unchecked buffer in the implementation. A specially-malformed icon  
could overrun the buffer and be used to run arbitrary code on the  
user's computer. This vulnerability only affects IE 5 when run on  
Windows 95 or 98; it does not affect Windows NT systems.  
- The "Legacy ActiveX Control" vulnerability. An ActiveX control  
that was used by previous versions of IE also was included in IE 4.0  
and IE 5 even though it is not used by either. It could be misused  
to allow a web site to read the user's local hard drive. The update  
eliminates the vulnerability by removing the control.  
  
While there are no reports of customers being adversely affected by these  
vulnerabilities, Microsoft is proactively releasing the patch to allow  
customers to take appropriate action to protect themselves against it.  
  
Affected Software Versions  
==========================  
- Microsoft Internet Explorer 4.0 and 5.0  
  
Note: The patch, provided below in What Customers Should Do, will determine  
the version of IE and the platform on which it is installed, and will apply  
only the appropriate fix. As a result, the single patch below is  
appropriate for use by customers who are affected by either or both of the  
vulnerabilities.  
  
What Microsoft is Doing  
=======================  
Microsoft has released patches that fix the problem identified. The patches  
are available for download from the sites listed below in What Customers  
Should Do.  
  
Microsoft also has sent this security bulletin to customers subscribing  
to the Microsoft Product Security Notification Service. See  
http://www.microsoft.com/security/services/bulletin.asp for more  
information about this free customer service.  
  
Microsoft has published the following Knowledge Base (KB) article on this  
issue:  
- Microsoft Knowledge Base (KB) article Q231450,  
Update Available for the "Malformed Favorites Icon" Issue in  
Internet Explorer 5,  
http://support.microsoft.com/support/kb/articles/q231/4/50.asp  
- Microsoft Knowledge Base (KB) article Q231452,  
Update Available for "Legacy ActiveX Control" Issue in Internet  
Explorer 5,  
http://support.microsoft.com/support/kb/articles/q231/4/52.asp  
  
(Note: It might take 24 hours from the original posting of this bulletin for  
the KB article to be visible in the Web-based Knowledge Base.)  
  
What Customers Should Do  
========================  
Microsoft highly recommends that customers evaluate the degree of risk that  
this vulnerability poses to their systems and determine whether to download  
and install the patch. As noted above, the patch is appropriate for use on  
systems that are affected by either or both of the vulnerabilities. The  
patch can be found at  
www.microsoft.com/windows/ie/security/favorites.asp  
  
More Information  
================  
Please see the following references for more information related to this  
issue.  
- Microsoft Security Bulletin MS99-018,  
Patch Available for "Malformed Favorites Icon" Vulnerability,  
http://www.microsoft.com/security/bulletins/ms99-018.asp.  
- Microsoft Knowledge Base (KB) article Q231450,  
Update Available for the "Malformed Favorites Icon" Issue in  
Internet Explorer 5,  
http://support.microsoft.com/support/kb/articles/q231/4/50.asp.  
- Microsoft Knowledge Base (KB) article Q231452,  
Update Available for "Legacy ActiveX Control" Issue in Internet  
Explorer 5,  
http://support.microsoft.com/support/kb/articles/q231/4/52.asp  
  
Obtaining Support on this Issue  
===============================  
If you require technical assistance with this issue, please contact  
Microsoft Technical Support. For information on contacting Microsoft  
Technical Support, please see  
http://support.microsoft.com/support/contact/default.asp.  
  
Acknowledgments  
===============  
Microsoft acknowledges Flavio Veloso (flaviovs@centroin.com.br) for  
discovering the "Malformed Favorites Icon" vulnerability and reporting it  
to us, and Steve Loughran for discovering the "Legacy ActiveX Control"  
vulnerability and reporting it to us.  
  
Revisions  
=========  
- May 27, 1999: Bulletin Created.  
  
For additional security-related information about Microsoft products, please  
visit http://www.microsoft.com/security  
  
  
----------------------------------------------------------------------  
  
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"  
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER  
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS  
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS  
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,  
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,  
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR  
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE  
FOREGOING LIMITATION MAY NOT APPLY.  
  
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.  
  
  
`