J-Security Center

Title: Netscape SmartDownload 1.3 Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Netscape SmartDownload adds pause, resume and auto-restart download capabilities to common web browsers such as Netscape Navigator, Microsoft Internet Explorer and NeoPlanet. It is installed by default with SmartDownload versions of Netscape Communicator, and marketed as an add-on "download manager" for other browsers. It is available for all Win32 platforms (Windows 95/98/Me, NT/2000).

All URLs visited by a user are analyzed and parsed by SmartDownload for MIME type and extension to determine if the SmartDownload dialog box should be presented, regardless of whether SmartDownload is enabled. URLs parsed include web pages viewed within the browser (including redirects), web pages within framesets and files spawned to external viewers. Images, embeds and targets of object tags are not parsed by SmartDownload.

A bug in the library 'sdph20.dll' used by SmartDownload prevents it from properly parsing URLs greater than 256 characters in length. The parsing code in sdph20.dll reserves 256 characters for an URL on the stack but an unchecked lstrcpy will copy URLs of arbitrary length into that buffer, overwriting several local variables, the return address and other parts of the stack.
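As an added illustration (not code from sdph20.dll or from this advisory), the routine below shows the bounded form of the copy just described: the URL is measured against the 256-byte stack buffer before any byte is copied, anything that would not fit is refused, and only then is the extension SmartDownload keys on derived from the path. The host names, the `url_parse_result` type and the `url_of_length` padding helper are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define URL_BUF_LEN 256   /* buffer size the advisory says sdph20.dll reserves */
typedef struct {
    bool accepted;        /* false: URL refused before any copy took place */
    char extension[16];   /* extension of the last path segment, "" if none */
} url_parse_result;
/* Bounded replacement for the unchecked copy: the URL's length is checked
 * against the destination size first, so an over-long URL is rejected
 * instead of running past the 256-byte stack buffer. */
url_parse_result parse_url_bounded(const char *url) {
    url_parse_result r = { false, "" };
    char buf[URL_BUF_LEN];
    /* memchr reads at most URL_BUF_LEN bytes; no terminator within them means
     * the URL cannot fit (255 characters plus NUL is the maximum). */
    const char *nul = memchr(url, '\0', URL_BUF_LEN);
    if (nul == NULL)
        return r;
    memcpy(buf, url, (size_t)(nul - url) + 1);
    r.accepted = true;
    /* Extension comes from the last path segment, ignoring query/fragment. */
    char *path = strstr(buf, "://");
    path = path ? strchr(path + 3, '/') : buf;
    if (path == NULL)
        return r;                       /* host only, no path to inspect */
    path[strcspn(path, "?#")] = '\0';
    char *seg = strrchr(path, '/');
    seg = seg ? seg + 1 : path;
    char *dot = strrchr(seg, '.');
    if (dot != NULL && dot[1] != '\0')
        snprintf(r.extension, sizeof r.extension, "%s", dot + 1);
    return r;
}
/* Constructed input: "http://host/" padded with 'A' to exactly n characters. */
const char *url_of_length(size_t n) {
    static char s[1024];
    const char prefix[] = "http://host/";
    if (n >= sizeof s) n = sizeof s - 1;
    memset(s, 'A', n);
    memcpy(s, prefix, n < sizeof prefix - 1 ? n : sizeof prefix - 1);
    s[n] = '\0';
    return s;
}
int main(void) {
    url_parse_result r = parse_url_bounded("http://example.invalid/dl/setup.exe?id=7#top");
    printf("accepted=%d ext=%s; 300-char URL accepted=%d\n", r.accepted, r.extension,
           parse_url_bounded(url_of_length(300)).accepted);
    return 0;
}
```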

Analysis of sdph20.dll reveals that the ESI register will always point to a location in memory with a predictable offset from the start of the URL buffer after the parser function returns. This means that shellcode [1] within the URL can be reached with a CALL ESI or JMP ESI instruction if a known location containing either of those instructions is inserted in the return address (byte 272).

If the overflow is successfully exploited, shellcode will be executed by the victim with the privileges of the currently logged in user. If the victim is using Windows 95, 98 or Me, the shellcode will be run with privileged access to all system resources (local Administrator access).

[1] SmartDownload places some restrictions on the characters permitted in an URL - namely, reserved URL characters such as # : ? and & are clipped or replaced. Additionally, the NULL character and some control characters (ASCII < 32) are rejected outright by some web browsers.

Affected Products:

  • Netscape SmartDownload 1.3.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.