(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)
Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation. Here are two HTTP replies that trigger the bug:
HTTP/.\nContent-Encoding:deflate\r\t\n\r\n\x20\x20
HTTP \nContent-Encoding:deflate\nContent-Range:\n\n
The bug allows memory corruption, which can be exploited to execute arbitrary code. The big surprise (to me at least) is that nobody seems to have found this before even though it’s fairly easy to trigger.
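A defender-side check for the shape of reply described above, added here as an example (not code from the original post): it parses a raw HTTP reply, and when the Content-Encoding header says deflate it flags a malformed status line and a body that is not a decodable deflate stream. The sample replies are constructed byte literals modelled on the two repros quoted above plus one well-formed reply for contrast; the parser tolerates bare LF separators because the repros use them.

```python
import re
import zlib

# Constructed samples: the two reduced repros from the post, re-typed as byte
# literals, and a well-formed zlib-wrapped deflate reply (assumption) for contrast.
REPRO_1 = b"HTTP/.\nContent-Encoding:deflate\r\t\n\r\n\x20\x20"
REPRO_2 = b"HTTP \nContent-Encoding:deflate\nContent-Range:\n\n"
GOOD = b"HTTP/1.1 200 OK\r\nContent-Encoding: deflate\r\n\r\n" + zlib.compress(b"hello")

# A sane status line: HTTP/x.y followed by a three-digit status code.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}")

def split_reply(raw):
    """Split a raw reply into (status_line, headers, body).
    Accepts CRLF or bare LF; header names are lower-cased bytes."""
    m = re.search(rb"\r?\n\r?\n", raw)          # first blank line ends the head
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    lines = re.split(rb"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def deflate_body_ok(body):
    """True if the body decodes as zlib-wrapped or raw deflate data."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            zlib.decompress(body, wbits)
            return True
        except zlib.error:
            pass
    return False

def suspicious_deflate_reply(raw):
    """Return the reasons a deflate-encoded reply looks malformed in the way the
    post describes; an empty list means nothing matched (or not deflate at all)."""
    status, headers, body = split_reply(raw)
    if headers.get(b"content-encoding", b"").lower() != b"deflate":
        return []
    reasons = []
    if not STATUS_LINE.match(status):
        reasons.append("malformed status line")
    if not deflate_body_ok(body):
        reasons.append("body is not a valid deflate stream")
    return reasons
```

Both repros come back with both reasons, while the well-formed reply and any reply without deflate encoding come back clean.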


2 Comments to “MSIE Content-Encoding: deflate memory corruption vulnerability”
2009/10/20
The issue with discovering it is that it is client side and is not properly parsed by the browser, meaning that if you would brute-force fuzz it, you will need to manually tell IE to try again as it would get stuck on something similar to the above request but missing critical parts of it (HTTP version value, HTTP method, etc.).
2009/10/20
I’m not sure what you mean. If you’re trying to say that it is impossible (or at least very hard) to find this kind of bug using fuzzing, then you may be surprised to hear that I found this using a fuzzer. My fuzzer actually triggered this bug quite often: it wasn’t one lucky hit.
Note that the original HTTP replies that my fuzzer generated that triggered this issue were a lot larger and more complex. I reduced the size by removing most of the bytes that aren’t required to trigger the bug. That makes it easier to spot the cause of the issue, which is incorrect handling of (malformed) deflate data. The lack of a “proper” HTTP header in these repro examples has nothing to do with the actual bug.