Date: Mon, 3 May 1999 16:06:10 -0300
From: Flavio Veloso
To: BUGTRAQ@netspace.org
Subject: MSIE 5 favicon bug

Hi folks.

When MSIE 5 users bookmark a page, the browser will request a file named "favicon.ico" which is to be used in the "Favorites" menu of the browser. Unfortunately MSIE 5 doesn't check the file integrity and crashes if faced with a malformed icon file.

Upon crashing the stack gets filled with information from the icon file itself, so it may be possible to run code on the client machine, though I didn't test it.

Microsoft was notified twice about this issue via the "Report a Bug" form on their web site. The first time about one month ago, the second time about two weeks ago. I didn't receive any reply.

More information about this bug (plus another privacy issue about the "favicon.ico" file) is available at http://web.cip.com.br/flaviovs/sec/favicon/index.html.

--
Flavio

-------------------------------------------------------------------------

[ http://web.cip.com.br/flaviovs/sec/favicon/index.html ]

MSIE 5 favicon bug

Description

There's a bug in MSIE 5 when handling the favicon.ico file downloaded from a web site. By creating an icon file with bad data, it's possible to crash MSIE 5. The stack is filled with information from the icon file, so it may be possible to create an icon file with data which would end up executing code on the client machine.

The favicon.ico icon file

The favicon.ico file is an icon file in the MS-proprietary icon file format. It is downloaded by MSIE 5 when the user asks it to add the page's URL to his/her "Favorites" list. When the user selects to add the URL, MSIE 5 downloads the file and shows the icon on the "Favorites" menu. The request for the favicon.ico file is first done on the same path of the current URL. If the file is not found, MSIE 5 will back up one directory in the directory hierarchy and try again. It will do this until it finds the file or reaches the web server root (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://web.cip.com.br/flaviovs/sec/favicon/, http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and http://web.cip.com.br/).

Impact

MSIE 5 will crash when trying to interpret/show such an icon file. It's unknown if it's possible to create an icon file which will trigger code execution on the client machine, but the evidence shows that it may be possible (i.e. it looks like a stack buffer overflow).

Workaround

It seems it's not possible to turn off the favicon.ico loading feature. Thus the only workaround is not to add any non-trusted site to the "Favorites" list and wait for a patch from Microsoft.

Example

If you're using MSIE 5 with Javascript enabled, you can feel the bug in action. Otherwise just try to bookmark this page (note: this will crash your browser).

Here's the favicon.ico file that triggers the bug. It's composed of a bogus header followed by lots of "A" characters.

What Microsoft is Doing

Apparently, nothing. I reported the bug twice, the first time about one month ago, the last time about two weeks ago. I didn't receive any reply.

Disclaimer

All information contained in this page is for EDUCATIONAL PURPOSES ONLY. The author of this page cannot be made responsible for any damage caused by the use or misuse of the information contained here.

Related Documents

About

This bug was discovered in April 1999 by Flavio Veloso <flaviovs@centroin.com.br>.

-------------------------------------------------------------------------

Date: Tue, 4 May 1999 14:15:56 -0300
From: Flavio Veloso
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

On Mon, 3 May 1999, Kurt Seifried wrote:

> > When MSIE 5 users bookmark a page, the browser will request a file
> > named "favicon.ico" which is to be used in the "Favorites" menu of the
> > browser. Unfortunately MSIE 5 doesn't check the file integrity and
> > crashes if faced with a malformed icon file.
> >
> > Upon crashing the stack gets filled with information from the icon
> > file itself, so it may be possible to run code on the client machine,
> > though I didn't test it.
>
> Doesn't work for me. NT Server 4.0, SP4, MSIE 5.0 (5.00.2314.1003). Tried
> repeatedly.

Due to some reports, it seems that NT users aren't affected. The GPF is triggered in the USER.EXE module, which I bet is different from the one on Win 95/98, where I did my tests. You're the first one to report that OSR/2 isn't affected, which sounds very strange to me, since it came (I believe) before 98.

> > Microsoft was notified twice about this issue via the "Report a Bug"
> > form on their web site. The first time about one month ago, the second
> > time about two weeks ago. I didn't receive any reply.
>
> Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,
> no crash either... if anyone can replicate this I'd be curious to know. How
> have you gone about testing this? Which platform(s)? Win98 only?

I tested it in two different machines:

* Windows 95 + IE 5.00.2314.1003
* Windows 98 + IE 5.00.2314.1003IS

(the "IS" is because this is a Portuguese version of the browser, I guess)

Both crashed miserably.
--
Flavio

-------------------------------------------------------------------------

Date: Wed, 5 May 1999 11:10:52 +1000
From: Ted.Buchan.330895@ARMY.DEFENCE.GOV.AU
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

> Tried it from a couple of Win95 (OSR/2, no patches) machines with MSIE 5.0,
> no crash either... if anyone can replicate this I'd be curious to know. How
> have you gone about testing this? Which platform(s)? Win98 only?

I tried it from a Windows 95 OSR2 (v4.0.1111) machine with MSIE5 (v5.00.2014.0216) and about 5 seconds after adding http://web.cip.com.br/flaviovs/sec/favicon/index.html to my favourites I got a GPF in USER.EXE just as Flavio had stated...

-------------------------------------------------------------------------

Date: Thu, 6 May 1999 16:32:39 -0400
From: Chris DeRose
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

I tried it from my Win98 (4.10.1998) machine, running MSIE 5 (5.00.2314.1003) and I too got a GPF.

-Chris DeRose
-derosec@mediaone.net

-------------------------------------------------------------------------

Date: Fri, 7 May 1999 12:22:58 +0800
From: Lee Chia Ling
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

Dear all,

Tested from Win98 with MSIE 5.0 (v5.00.2014.0216) and it crashed as described.

---
cllee

-------------------------------------------------------------------------

Date: Fri, 7 May 1999 19:39:11 +0100
From: Cliff Rowley
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

Also works with:

Win98 4.10.1998
IE5 5.00.2014.0216

-------------------------------------------------------------------------

Date: Fri, 7 May 1999 20:24:45 -0300
From: Flavio Veloso
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

On Fri, 7 May 1999, Jason wrote:

(...)

> "The request for the favicon.ico file is first done on the same path of the
> current URL. If the file is not found, MSIE 5 will backup one directory in
> the directory hierarchy and try again.
> It will do this until it finds the file or reaches the web server root
> (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in
> http://web.cip.com.br/flaviovs/sec/favicon/,
> http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and
> http://web.cip.com.br/)."
>
> My experience is based on the following platform information:
>
> Windows 98 with all available updates (3717
> MSIE 5: 5.00.2014.0216IC 128-bit
>
> Contrary to the information given at the cited URL, my best attempts at
> recreating this alleged phenomenon have been futile. In addition, I am
> fairly confident, based on every log analysis I have performed, that this is
> wrong.

(...)

Hi.

You're absolutely right. Actually I didn't test that and trusted the information given by Apacheweek (see http://www.apacheweek.com/issues/99-04-09). I'm fixing the page now.

--
Flavio

-------------------------------------------------------------------------

Date: Fri, 7 May 1999 15:46:13 -0700
From: blake.mitchell@AUTODESK.COM
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

Hey, I happened to have IE5 installed on Solaris:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; SunOS 5.5.1 sun4m; X11)

So I gave it a shot; it appears to not even attempt to get the favicon.ico file. I even put in the URL http://web.cip.com.br/flaviovs/sec/favicon/favicon.ico, but all I get is a broken image icon. So anyway, no crash on Solaris.

Blake

-------------------------------------------------------------------------

Date: Fri, 7 May 1999 17:45:18 -0500
From: Jason
To: BUGTRAQ@netspace.org
Subject: Re: MSIE 5 favicon bug

Aloha.

Below is an exact copy of the information found on the web site Mr. Veloso provided us with:

"The request for the favicon.ico file is first done on the same path of the current URL. If the file is not found, MSIE 5 will backup one directory in the directory hierarchy and try again. It will do this until it finds the file or reaches the web server root (e.g. if you try to bookmark this page, MSIE 5 will look for favicon.ico in http://web.cip.com.br/flaviovs/sec/favicon/, http://web.cip.com.br/flaviovs/sec/, http://web.cip.com.br/flaviovs/ and http://web.cip.com.br/)."

My experience is based on the following platform information:

Windows 98 with all available updates (3717
MSIE 5: 5.00.2014.0216IC 128-bit

Contrary to the information given at the cited URL, my best attempts at recreating this alleged phenomenon have been futile. In addition, I am fairly confident, based on every log analysis I have performed, that this is wrong.

This is most obvious by creating a large hierarchy of directories like the following URL (note: there is nothing at this URL but an empty dir):

http://www.plasmic.com/~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/

I supposed that if what Flavio asserted was true, then IE5 would bombard the server with a plethora of requests for 'favicon.ico' when I added it to my 'Favorites'. Here is a sample of what was generated in my apache log file:

I open up the apache-generated directory listing web page:

"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/ HTTP/1.1" 200 733

After bookmarking the site, IE tries to find favicon.ico in the _current_ directory:

"GET /~jason/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/a/favicon.ico HTTP/1.1" 404 8999

Directly thereafter (probably virtually simultaneous connections), IE5 attempts to retrieve favicon.ico from the _root_ directory of my web server:

"GET /favicon.ico HTTP/1.1" 404 330

There are no requests in between the ones shown above.

Implications:

- This vulnerability may only be exploited by the owner of the current directory or the owner of the document root. This does not diminish its core significance, but is definitely a fundamental point in the understanding of this bug.

- Adding 'Favorites' does not generate as much traffic or as many requests as originally thought.

Regards,

Jason Sloderbeck
+===========================-------------------- - - - - - -
| University of Missouri/Kansas City - Computer Science/Telecom
| hom: 816/452.8937 e: jsloder@cstp.umkc.edu url: www.umkc.edu
| Plasmic Computer Systems - Chief Information Officer
| off: 816/292.2870 e: jason@plasmic.com url: www.plasmic.com
| Midwest Internet Services - Sr. Systems Administrator
| cel: 816/820.9279 e: sloderbeck@mwis.net url: www.mwis.net
+===========================-------------------- - - - - - -

----- Original Message -----
From: Flavio Veloso
To:
Sent: Monday, May 03, 1999 2:06 PM
Subject: MSIE 5 favicon bug

> Hi folks.
>
> When MSIE 5 users bookmark a page, the browser will request a file
> named "favicon.ico" which is to be used in the "Favorites" menu of the
> browser. Unfortunately MSIE 5 doesn't check the file integrity and
> crashes if faced with a malformed icon file.
>
> Upon crashing the stack gets filled with information from the icon
> file itself, so it may be possible to run code on the client machine,
> though I didn't test it.
>
> Microsoft was notified twice about this issue via the "Report a Bug"
> form on their web site. The first time about one month ago, the second
> time about two weeks ago. I didn't receive any reply.
>
> More information about this bug (plus another privacy issue about the
> "favicon.ico" file) is available at
> http://web.cip.com.br/flaviovs/sec/favicon/index.html.
>
> --
> Flavio
>

-------------------------------------------------------------------------

Date: Thu, 27 May 1999 18:18:39 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-018)

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.
********************************

Microsoft Security Bulletin (MS99-018)
--------------------------------------

Patch Available for "Malformed Favorites Icon" Vulnerability

Originally Posted: May 27, 1999

Summary
=======
Microsoft has released a single patch that eliminates two security vulnerabilities in Microsoft (r) Internet Explorer 4.0 and 5. The first potentially could allow arbitrary code to be run on a user's computer. The second potentially could allow the local hard drive to be read.

A fully supported patch is available to eliminate both vulnerabilities, and Microsoft recommends that affected customers download and install it, if appropriate.

Issue
=====
This update eliminates two vulnerabilities:

- The "Malformed Favorites Icon" vulnerability. The Favorites feature allows IE users to keep a list of their favorite web sites. In IE 5, the Favorites list can contain icons that are supplied by the associated web sites. However, there is an unchecked buffer in the implementation. A specially-malformed icon could overrun the buffer and be used to run arbitrary code on the user's computer. This vulnerability only affects IE 5 when run on Windows 95 or 98; it does not affect Windows NT systems.

- The "Legacy ActiveX Control" vulnerability. An ActiveX control that was used by previous versions of IE also was included in IE 4.0 and IE 5 even though it is not used by either. It could be misused to allow a web site to read the user's local hard drive. The update eliminates the vulnerability by removing the control.

While there are no reports of customers being adversely affected by these vulnerabilities, Microsoft is proactively releasing the patch to allow customers to take appropriate action to protect themselves against it.
Affected Software Versions
==========================
- Microsoft Internet Explorer 4.0 and 5.0

Note: The patch, provided below in What Customers Should Do, will determine the version of IE and the platform on which it is installed, and will apply only the appropriate fix. As a result, the single patch below is appropriate for use by customers who are affected by either or both of the vulnerabilities.

What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches are available for download from the sites listed below in What Customers Should Do.

Microsoft also has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See http://www.microsoft.com/security/services/bulletin.asp for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

- Microsoft Knowledge Base (KB) article Q231450, Update Available for the "Malformed Favorites Icon" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/50.asp

- Microsoft Knowledge Base (KB) article Q231452, Update Available for "Legacy ActiveX Control" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/52.asp

(Note: It might take 24 hours from the original posting of this bulletin for the KB article to be visible in the Web-based Knowledge Base.)

What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that this vulnerability poses to their systems and determine whether to download and install the patch. As noted above, the patch is appropriate for use on systems that are affected by either or both of the vulnerabilities.

The patch can be found at www.microsoft.com/windows/ie/security/favorites.asp

More Information
================
Please see the following references for more information related to this issue.
- Microsoft Security Bulletin MS99-018, Patch Available for "Malformed Favorites Icon" Vulnerability, http://www.microsoft.com/security/bulletins/ms99-018.asp.

- Microsoft Knowledge Base (KB) article Q231450, Update Available for the "Malformed Favorites Icon" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/50.asp.

- Microsoft Knowledge Base (KB) article Q231452, Update Available for "Legacy ActiveX Control" Issue in Internet Explorer 5, http://support.microsoft.com/support/kb/articles/q231/4/52.asp

Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please contact Microsoft Technical Support. For information on contacting Microsoft Technical Support, please see http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges Flavio Veloso (flaviovs@centroin.com.br) for discovering the "Malformed Favorites Icon" vulnerability and reporting it to us, and Steve Loughran for discovering the "Legacy ActiveX Control" vulnerability and reporting it to us.

Revisions
=========
- May 27, 1999: Bulletin Created.

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/security

----------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM

The subject line and message body are not used in processing the request, and can be anything you like.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/security/bulletin.htm. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
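The bulletin above attributes the crash to an unchecked buffer in the icon handling, and the quoted page describes the trigger file as a bogus header followed by a long run of "A" characters. As an added illustration of the defensive counterpart (this is editor-written example code, not code from the thread, from Microsoft or from the reporter), here is a bounds-checked parser for the public ICO container layout (a 6-byte ICONDIR followed by 16-byte ICONDIRENTRY records) that refuses to trust any length or offset field until it has been checked against the size of the data actually received. The three sample byte strings are constructed for the example: a valid one-image icon, a header whose image count is nonsense followed by "A" filler, and a directory entry that claims more image bytes than the file holds. The limits ICO_MAX_IMAGES and ICO_MAX_IMAGE_BYTES are assumptions chosen for the example, not values from any real implementation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ICO container layout (Microsoft icon resource format), all little-endian:
 *   ICONDIR      6 bytes : idReserved(u16)=0, idType(u16)=1, idCount(u16)
 *   ICONDIRENTRY 16 bytes: bWidth, bHeight, bColorCount, bReserved,
 *                          wPlanes(u16), wBitCount(u16),
 *                          dwBytesInRes(u32), dwImageOffset(u32)            */
#define ICO_HDR_SIZE        6
#define ICO_ENTRY_SIZE      16
#define ICO_MAX_IMAGES      64          /* assumed sane limit for this example */
#define ICO_MAX_IMAGE_BYTES (1u << 20)  /* assumed limit: refuse images over 1 MiB */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the container before any field is trusted. Returns 0 when every
 * directory entry and every image lies inside the buffer, otherwise a
 * negative code naming the first check that failed. */
int ico_validate(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < ICO_HDR_SIZE) return -1;
    if (rd16(buf) != 0) return -2;                  /* idReserved must be 0 */
    if (rd16(buf + 2) != 1) return -3;              /* idType 1 = icon (2 = cursor) */
    uint16_t count = rd16(buf + 4);
    if (count == 0 || count > ICO_MAX_IMAGES) return -4;
    size_t dir_end = ICO_HDR_SIZE + (size_t)count * ICO_ENTRY_SIZE;
    if (dir_end > len) return -5;                   /* directory runs past the data */
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ICO_HDR_SIZE + (size_t)i * ICO_ENTRY_SIZE;
        uint32_t bytes = rd32(e + 8);
        uint32_t off   = rd32(e + 12);
        if (bytes == 0 || bytes > ICO_MAX_IMAGE_BYTES) return -6;
        if (off < dir_end) return -7;               /* image would overlap the directory */
        if (off > len || bytes > len - off) return -8; /* past the data; written so off+bytes cannot wrap */
    }
    return 0;
}

/* Copy the first image into a small fixed-size stack buffer: the shape of code
 * that goes wrong when the length is taken from the file without a check.
 * Returns the number of bytes copied, -1 if the icon is invalid, -2 if the
 * (validated) image is still larger than the destination. */
long ico_first_image_into_fixed_buffer(const uint8_t *buf, size_t len) {
    uint8_t fixed[16];
    if (ico_validate(buf, len) != 0) return -1;
    const uint8_t *e = buf + ICO_HDR_SIZE;
    uint32_t bytes = rd32(e + 8);
    uint32_t off   = rd32(e + 12);
    if (bytes > sizeof fixed) return -2;            /* the check an unchecked copy lacks */
    memcpy(fixed, buf + off, bytes);
    return (long)bytes;
}

/* Constructed sample 1: a structurally valid single-image icon (26 bytes). */
const uint8_t SAMPLE_VALID_ICO[] = {
    0x00,0x00, 0x01,0x00, 0x01,0x00,                /* ICONDIR: reserved=0, type=1, count=1 */
    0x01, 0x01, 0x00, 0x00, 0x01,0x00, 0x20,0x00,   /* entry: 1x1 px, 0 colours, 1 plane, 32 bpp */
    0x04,0x00,0x00,0x00,                            /* dwBytesInRes = 4 */
    0x16,0x00,0x00,0x00,                            /* dwImageOffset = 22 (right after the entry) */
    0xDE,0xAD,0xBE,0xEF                             /* placeholder image payload */
};

/* Constructed sample 2: bogus header (image count 65535) followed by 'A'
 * filler, modelled on the page's description of its crash file. */
const uint8_t SAMPLE_BOGUS_HEADER_ICO[] =
    "\x00\x00\x01\x00\xff\xff"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Constructed sample 3: well-formed directory whose only entry claims 1000
 * image bytes inside a 26-byte file. */
const uint8_t SAMPLE_TRUNCATED_ICO[] = {
    0x00,0x00, 0x01,0x00, 0x01,0x00,
    0x10, 0x10, 0x00, 0x00, 0x01,0x00, 0x20,0x00,
    0xE8,0x03,0x00,0x00,                            /* dwBytesInRes = 1000 */
    0x16,0x00,0x00,0x00,                            /* dwImageOffset = 22 */
    0x41,0x41,0x41,0x41
};

int main(void) {
    printf("valid:     %d\n", ico_validate(SAMPLE_VALID_ICO, sizeof SAMPLE_VALID_ICO));
    printf("bogus hdr: %d\n", ico_validate(SAMPLE_BOGUS_HEADER_ICO, sizeof SAMPLE_BOGUS_HEADER_ICO));
    printf("truncated: %d\n", ico_validate(SAMPLE_TRUNCATED_ICO, sizeof SAMPLE_TRUNCATED_ICO));
    printf("copied:    %ld bytes\n",
           ico_first_image_into_fixed_buffer(SAMPLE_VALID_ICO, sizeof SAMPLE_VALID_ICO));
    return 0;
}
```

The ordering of the checks is the point: the image count is bounded before it drives a loop, the directory is confirmed to fit before any entry is read, and each entry's offset and size are compared against the received length (in a form that cannot overflow) before a single byte is copied. A file of the "bogus header plus filler" shape is rejected at the count check and never reaches the copy.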