Vulnerability Note VU#591890

Buffer overflow in Microsoft Windows Shell

Original Release date: 19 Dec 2002 | Last revised: 19 Dec 2002

Overview

A remotely exploitable buffer overflow exists in the Microsoft Windows Shell. This buffer overflow is present in all versions of Windows XP, but it is not present in other versions of Windows.

Description

There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Microsoft describes the Shell as follows:

    The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

The buffer overflow exists in one of the Shell functions used to extract attribute information from audio files. This function is invoked automatically when the user interacts with objects on the desktop. Quoting from MS02--072:
    ...when the mouse pointer is held over an icon, summary information is displayed about that icon. In order to seamlessly display this information, the Windows Shell is invoked to read the file attributes and provide them automatically. Another example is the ability to change the folder view to show thumbnail pictures of files on a machine. This capability is provided by the Windows Shell and derived by its mechanisms for processing files. When a folder is opened on a machine which is set to display thumbnails the Windows Shell is automatically invoked to make this display possible.
Several different attack vectors can be used to exploit this vulnerability.
  • If a user opens a folder containing a file with malformed attributes, the Windows Shell will read the attributes automatically.
  • If a user visits a web site hosting an audio file with malformed attributes and hovers their mouse over the malicious file, the Windows Shell will read the attributes automatically.
  • Via email. Again, quoting from MS02-072:
    An attacker might embed a link to a share that contained the file in a frame that would display when the user opened the email. An attacker could also attach the file to an email message and send it to a user with a suggestion that the user save the file to their desktop. Once the file was present on the desktop, if the user hovered over the file with their mouse the vulnerability could be exploited. Finally, an attacker could include in an email message a link to a share that contained the file, along with a suggestion that the user click on the link. If the user clicked the link, the share would be displayed and the vulnerability could be exploited.

Impact

An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.

Solution

Apply a patch.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-19 Dec 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by Foundstone Research Labs.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CAN-2002-1327
  • CERT Advisory: CA-2002-37
  • Date Public: 18 Dec 2002
  • Date First Published: 19 Dec 2002
  • Date Last Updated: 19 Dec 2002
  • Severity Metric: 67.50
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.