[SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow

From: Secure Net Service(SNS) Security Advisory (snsadv_at_LAC.CO.JP)
Date: 07/03/03

    Date:         Thu, 3 Jul 2003 10:46:10 +0900
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    ----------------------------------------------------------------------
    SNS Advisory No.65
    Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow

    Problem first discovered: Thu, 5 Dec 2002
    Published: Thu, 03 Jul 2003
    Reference: http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html
    ----------------------------------------------------------------------

    Overview:
    ---------
      A buffer overflow vulnerability exists in the Windows 2000 API
      ShellExecute() function.

    Problem Description:
    -------------------
      The Windows API function ShellExecute() runs the application associated
      with a specified file, chosen by the file's extension.

      The problem is triggered when a pointer to an unusually long string is
      passed as the 3rd argument of the Windows 2000 ShellExecute() API
      function.

      It has been confirmed that several applications, including a web
      browser, an MUA and a text editor, are vulnerable to this problem.
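      Because the vulnerable SHELL32 overflows on an over-long 3rd argument (lpFile), an application that forwards file names or URLs taken from untrusted input to ShellExecute() can defend itself by bounding the string before the call. The following is an added example of such a wrapper in C, not code from the advisory or from LAC; MAX_PATH (260) and INTERNET_MAX_URL_LENGTH (2083) are the real Windows limits, while the scheme detection, the verdict names and the 4096-byte sample buffer are this example's own.

```c
/* Added example, not code from the advisory: bound ShellExecute()'s 3rd argument before the call. */
#include <ctype.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#else
#define MAX_PATH 260                  /* Windows value, so the checks build anywhere */
#endif
#define INTERNET_MAX_URL_LENGTH 2083  /* wininet.h value: longest URL Windows accepts */

enum lpfile_verdict { LPFILE_OK = 0, LPFILE_NULL, LPFILE_TOO_LONG, LPFILE_BAD_CHAR };

/* "scheme:" prefix of at least two chars, so a drive letter "C:" counts as a path, not a URL. */
static int looks_like_url(const char *s) {
    size_t i = 0;
    while (isalnum((unsigned char)s[i]) || s[i] == '+' || s[i] == '-' || s[i] == '.') i++;
    return i >= 2 && isalpha((unsigned char)s[0]) && s[i] == ':';
}

/* Reject what SHELL32 should never have to copy: a string longer than the documented
 * limit for its kind (path or URL, NUL included), or one carrying control characters. */
enum lpfile_verdict check_lpfile(const char *file) {
    size_t i, n = file ? strlen(file) : 0;
    if (!file) return LPFILE_NULL;
    if (n > (looks_like_url(file) ? INTERNET_MAX_URL_LENGTH - 1 : MAX_PATH - 1)) return LPFILE_TOO_LONG;
    for (i = 0; i < n; i++)
        if ((unsigned char)file[i] < 0x20) return LPFILE_BAD_CHAR;
    return LPFILE_OK;
}

/* Constructed input: a name of `len` repeated characters, as a hostile document or mail might carry. */
enum lpfile_verdict verdict_for_repeated(char c, size_t len) {
    char buf[4096];
    len = len < sizeof buf ? len : sizeof buf - 1;
    memset(buf, c, len); buf[len] = '\0';
    return check_lpfile(buf);
}

/* Use in place of ShellExecute(hwnd, "open", file, NULL, NULL, SW_SHOWNORMAL); 1 on success. */
int checked_shell_execute(void *hwnd, const char *file) {
    if (check_lpfile(file) != LPFILE_OK) return 0;
#ifdef _WIN32
    return (INT_PTR)ShellExecuteA((HWND)hwnd, "open", file, NULL, NULL, SW_SHOWNORMAL) > 32;
#else
    (void)hwnd;
    return 1;                         /* non-Windows build: validation only, nothing is launched */
#endif
}
```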

    Tested Version:
    ---------------
      SHELL32.DLL (Version 5.0.3502.6144)

    Solution:
    ---------
      This problem can be rectified by installing Windows 2000 Service Pack 4.
      http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

      Microsoft is considering publishing further information about this
      problem.

    Discovered by:
    --------------
      Yuu Arai y.arai@lac.co.jp
      Hisayuki Shinmachi

    Acknowledgements:
    -----------------
    Thanks to:
      RimArts, Inc. Tomohiro Norimatsu
      Security Response Team of Microsoft Asia Limited

    Disclaimer:
    -----------
    The information contained in this advisory may be revised without prior
    notice and is provided as is. Users act at their own risk when taking
    any action after reading this advisory. LAC Co., Ltd. shall take no
    responsibility for any problems, loss or damage caused by this advisory
    or by the use of the information provided here.

    This advisory can be found at the following URL:
    http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html

    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
    Computer Security Laboratory, LAC http://www.lac.co.jp/security/

