|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#591890
Buffer overflow in Microsoft Windows Shell
OverviewA remotely exploitable buffer overflow exists in the Microsoft Windows Shell. This buffer overflow is present in all versions of Windows XP, but it is not present in other versions of Windows.
I. DescriptionThere is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Microsoft describes the Shell as follows:
The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.
The buffer overflow exists in one of the Shell functions used to extract attribute information from audio files. This function is invoked automatically when the user interacts with objects on the desktop. Quoting from MS02--072:
...when the mouse pointer is held over an icon, summary information is displayed about that icon. In order to seamlessly display this information, the Windows Shell is invoked to read the file attributes and provide them automatically. Another example is the ability to change the folder view to show thumbnail pictures of files on a machine. This capability is provided by the Windows Shell and derived by its mechanisms for processing files. When a folder is opened on a machine which is set to display thumbnails the Windows Shell is automatically invoked to make this display possible.
Several different attack vectors can be used to exploit this vulnerability.
- If a user opens a folder containing a file with malformed attributes, the Windows Shell will read the attributes automatically.
- If a user visits a web site hosting an audio file with malformed attributes and hovers their mouse over the malicious file, the Windows Shell will read the attributes automatically.
- Via email. Again, quoting from MS02-072:
An attacker might embed a link to a share that contained the file in a frame that would display when the user opened the email. An attacker could also attach the file to an email message and send it to a user with a suggestion that the user save the file to their desktop. Once the file was present on the desktop, if the user hovered over the file with their mouse the vulnerability could be exploited. Finally, an attacker could include in an email message a link to a share that contained the file, along with a suggestion that the user click on the link. If the user clicked the link, the share would be displayed and the vulnerability could be exploited.
II. ImpactAn attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.
III. SolutionApply a patch.
Systems Affected
References
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS02-072.asp
http://www.foundstone.com/knowledge/randd-advisories-display.html?id=339
Credit
This vulnerability was discovered by Foundstone Research Labs.
This document was written by Ian A Finlay.
Other Information
| Date Public | 12/18/2002 |
| Date First Published | 12/19/2002 08:20:11 AM |
| Date Last Updated | 12/19/2002 |
| CERT Advisory | CA-2002-37 |
| CVE-ID(s) | CAN-2002-1327 |
| NVD-ID(s) | CAN-2002-1327 |
| US-CERT Technical Alerts | |
| Metric | 67.50 |
| Document Revision | 22 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader