17th Apr 2002 [SBWID-5276]
COMMAND
	Internet Explorer and Office suite remote buffer overflow
SYSTEMS AFFECTED
	 Microsft Internet Explorer 5.1 on Mac OS 8, 9, and X
	 Microsft Outlook Express 5.0.2 on all Mac OS
	 Microsft Entourage 2001 and X on all Mac OS
	 Microsft PowerPoint 98, 2001, and X on all Mac OS
	 Microsft Excel 2001 and X on all Mac OS
	 Microsft Word 2001 on all Mac OS
PROBLEM
	In     w00w00     [http://www.w00w00.org]     and      Angry      Packet
	Security[http://sec.angrypacket.com] advisory :
	 
	http://www.w00w00.org/advisories/ms_macos.html
	
	There is a vulnerability in multiple Microsoft products on Mac  OS.  The
	problem lies in the handling of a lengthy subdirectory  in  the  file://
	directive, such  as  file:///AAAAAA[...]  or  file://A/A/A/A/[...].  The
	number of subdirectories is trivial as long as there is at least one.
	 Implications
	 ============
	This  is   another   vulnerability   with   potentially   far   reaching
	consequences. In the case of Entourage,  it  has  the  potential  for  a
	worm, with the magnitude depending  on  how  many  people  actually  use
	Entourage (Microsoft's Outlook equivalent for Mac  OS).  In  all  cases,
	writing shellcode to exploit this problem is  simply--much  more  simple
	than shellcode for the AOL Instant  Messenger  problem  we  reported  in
	January. Given that Mac OS X has  a  Unix  interface,  existing  PowerPC
	shellcode that runs /bin/sh will work. No complex  shellcode  is  needed
	to bind to a port or download an application off the  web.  The  /bin/sh
	shellcode would need to be changed from  an  interactive  shell  to  one
	that will execute a chain of commands. There are enough commands on  Mac
	OS  by  default  to  allow  an  attacker  to  download  and  execute  an
	application off of a web page. The downloaded application could  do  any
	number of things, such as read off the user's contact list and send  the
	same email to exploit to all of the user's contacts.
	 Exploit
	 =======
	The following HTML file will demonstrate the problem. We  chose  to  use
	IMG simply because that is instantly  loaded,  but  an  <A  HREF=...>
	could have been used also. It can also  be  viewed  (in  live  form)  at
	http://www.w00w00.org/files/advisories/ie_sample.html.   It   overwrites
	the saved link register which is used for a subroutine's return  address
	on PowerPC. This will allow remote  execution  of  arbitrary  code.  The
	saved  link  register   is   overwritten   by   the   0x41424344.   This
	vulnerability will allow up to 1313 characters  before  the  saved  link
	register. Pure  binary  data  (including  NUL  bytes)  can  be  used  by
	escaping it (i.e., A as %41). However, using "%41" will count  as  three
	characters, rather than just one. Note:  by  character  I  mean  unibyte
	characters.
	
	<html>
	<body>
	<img src=file:///[1313 characters]%41%42%43%44>
	</body>
	</html>
	
SOLUTION
	For Internet Explorer, a patch is available from
	 
	http://www.apple.com/macosx/upgrade/softwareupdates.html. 
	
	For the other products, the patches can be downloaded from
	 
	http://www.microsoft.com/mac/download.