Security issue with Micro$oft products

Post by Mr. Underhil » Tue, 10 Sep 2002 13:44:43

Most of you have probably already seen this, but for those of you that have
not (

"w00w00 (
Angry Packet Security (

Vulnerability in Multiple Microsoft Products for Mac OS
HTML format:
Text format:


Microsoft Internet Explorer
Versions affected: 5.1
Platforms affected: Mac OS 8, 9, and X

Microsoft Outlook Express
Versions affected: 5.0.2
Platforms affected: all Mac OS

Microsoft Entourage
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft PowerPoint
Versions affected: 98, 2001, and X
Platforms affected: all Mac OS

Microsoft Excel
Versions affected: 2001 and X
Platforms affected: all Mac OS

Microsoft Word
Versions affected: 2001
Platforms affected: all Mac OS


A bug in Internet Explorer for Mac OS X was originally reported to
Microsoft by Josha Bronson of Angry Packet Security on January 4,

Due to some internal mishandling at Microsoft, this was brushed off
until w00w00 informed Microsoft of its intention to release the
information on February 17. We originally gave them a deadline of
two weeks until we discovered that this affected Entourage (an
Outlook-like mail client for Mac OS). When Microsoft determined
this affected most of their Office suite on Mac OS, we felt it was
appropriate to give them time to fix it.


There is a vulnerability in multiple Microsoft products on Mac OS.
The problem lies in the handling of a lengthy subdirectory in the
file:// directive, such as file:///AAAAAA[...] or
file://A/A/A/A/[...]. The number of subdirectories is trivial as
long as there is at least one.


In most cases, the user would need to click on the link to be
attacked. In the case of Entourage or Outlook Express, however,
just opening the email will cause this. This leaves the
potential for a worm. The magnitude depends on how many people
actually use Entourage and Outlook Express for Mac OS. In all
cases, writing shellcode to exploit this problem is simple.
Given that Mac OS X has a Unix interface, existing PowerPC
shellcode that runs /bin/sh will work. No complex shellcode
is needed to bind to a port or download an application off the
web. The /bin/sh shellcode would need to be changed from an
interactive shell to one that will execute a chain of commands.
There are enough commands on Mac OS X by default to allow an
attacker to download and execute an application off of a web
page. The downloaded application could do any number of
things, such as read off the user's contact list and send the
same exploit email to all of the user's contacts.


The following HTML file will demonstrate the problem. We chose to
use IMG simply because that is instantly loaded, but an
<A HREF=...> could have been used also. It can also be viewed (in
live form) at
It overwrites the saved link register which is used for a
subroutine's return address on PowerPC. This will allow remote
execution of arbitrary code. The saved link register is overwritten
by the 0x41424344. This vulnerability will allow up to 1313
characters before the saved link register. Pure binary data
(including NUL bytes) can be used by escaping it (i.e., A as %41).
However, using "%41" will count as three characters, rather than
just one. Note: by character I mean unibyte characters.

<img src=file:///[1313 characters]%41%42%43%44>


For Internet Explorer, a patch is available from For
the other products, the patches can be downloaded from


w00w00 would like to thank Angry Packet for involving us in their
efforts to get Microsoft to resolve this problem after their
attempts failed.

"

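A defender-side check for the file: URL pattern the advisory describes, added here as an example that is not part of the original post or of the w00w00 advisory: it pulls file: URLs out of an HTML or mail body, percent-decodes the path so that an escaped byte such as %41 counts as one byte (the advisory's point about "%41" being three characters on the wire), and flags paths whose decoded length exceeds a threshold. The regex, the 512-byte limit, the helper names and the sample HTML are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed threshold: the advisory reports 1313 bytes before the saved link
# register is reached, so a path anywhere near that is suspect; flag well below it.
MAX_PATH_BYTES = 512

# Constructed pattern: file: URLs inside src= or href= attributes, quoted or bare.
FILE_URL_RE = re.compile(r"(?:src|href)\s*=\s*[\"']?(file:[^\s\"'>]+)", re.IGNORECASE)


def path_of(url: str) -> str:
    """Return the path part of a file: URL, dropping the optional host.

    Handles both forms shown in the advisory: file:///AAAA and file://A/A/A.
    """
    rest = url[len("file:"):]
    if rest.startswith("//"):
        rest = rest[2:]
        slash = rest.find("/")          # text before the first '/' is the host
        rest = rest[slash:] if slash >= 0 else ""
    return rest


def inspect(body: str):
    """One record per file: URL found: raw and decoded path length plus a verdict."""
    records = []
    for m in FILE_URL_RE.finditer(body):
        url = m.group(1)
        raw = path_of(url)
        decoded = unquote_to_bytes(raw)  # %41 -> b'A'; NUL and other bytes survive
        records.append({
            "url_prefix": url[:40],
            "raw_len": len(raw),
            "decoded_len": len(decoded),
            "has_escaped_bytes": "%" in raw,
            "suspect": len(decoded) > MAX_PATH_BYTES,
        })
    return records


# Constructed sample: a benign image, an advisory-style 1313-byte path ending in
# %41%42%43%44, and the nested-subdirectory variant.
SAMPLE_HTML = (
    '<img src="file:///Users/demo/Pictures/logo.gif">\n'
    '<img src=file:///' + "A" * 1313 + '%41%42%43%44>\n'
    '<a href="file://host/' + "A/" * 700 + 'x">click</a>\n'
)

if __name__ == "__main__":
    for record in inspect(SAMPLE_HTML):
        print(record)
```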

security for file sharing via TCP/IP and other Macintosh security issues

Hi all -

    I have a Mac in my office (running OS 9) to which I connect from home by
File Sharing via TCP/IP. Recently another computer in the building was
hacked remotely and a bunch of files were erased. I am now concerned about
mine; is there any sort of software package that can be applied over the
file sharing to give a higher degree of security? And, is there any known
way to access a Mac on the internet if the file sharing is turned off?
    On a related issue, to monitor access to the Mac "in person" (people
using the machine from the console), is there any good software which can act
like a password protected screen saver, except that it 1) has several
possible passwords (so I can assign individual passwords to valid users), and
2) records the password and the date/time it's entered (so I can tell who is
using it when)?

I would greatly appreciate any suggestions (please cc: to

