Search This Blog

Monday, January 12, 2009

IE UserAgent 0-Days on some applications

Recently, I had found a rather interesting bugs. I was using my corporate time managerment software with my poorly patched (missing 100+ patches) company notebook. The IE6 apparently got blocked from the software saying "Please use IE6 or higher..." and redirect me to the IE7 download page. The joke is that the software does not work with IE7... But that aside... I am dead sure I was using IE6. I even checked my About box. So what the hell went wrong?

I was about to try injecting the UserAgent string in, because thats usually what is used to detect the browsert version. However, before I was to do that, I notice it was running ASPX (ASP.NET) and there is a page that checks the security (browser version). I went to take a look at my UserAgent with : javascript:alert(navigator.userAgent) and found that I had .Net 1 to 3.5 there. Now, you can imagine how long the UserAgent string is. 

That was what stucked me. I when ahead and "customized" my UserAgent. Guess what, I was in the time management software again. So what apparently happened was, they check the browser based on the UserAgent. But they had specified a much too small buffer to read it in. I guess we can assumed it caused a buffer overflow, however, ASP.NET will handle it nicely and the result being error in the string reading. That cause a mismatch of my IE6 version which ultimately booted me out of the software claiming I do not have IE6.

What worries me is that its common for people will additional software to have such a long UserAgent. And if applications are not designed to play nice with these, it can cause lots of problems such as a DoS from the application if I made everyone in the company have long UserAgent string. While checking for browser version is good, I believe its necessary to update the routines for newer browsers such as Chrome and other newer dot net frameworks. After this small experience, I tried with a long UserAgent on several other sites and application and found many not able to handle it. To the worse cause, I even managed to cause a few which is not using dot net framework. 

No comments:

Amazon Gift Cards!

Thanks for viewing!

Copyright © 2008 nemesisv.blogspot.com, All rights reserved.