[NT] mIRC DDE Permissions Security Bug

From: support@securiteam.com
Date: 12/09/01


To: list@securiteam.com
Date: Sun,  9 Dec 2001 15:31:30 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  mIRC DDE Permissions Security Bug
------------------------------------------------------------------------

SUMMARY

mIRC's DDE (Dynamic Data Exchange) support contains a vulnerability that
allows lower-privileged programs to execute commands with higher
privileges whenever mIRC has DDE support enabled and is running with
higher privileges (for example, an administrator running an mIRC DDE
server and a guest user accessing it).

DETAILS

A security vulnerability has been found in mIRC's DDE feature, which
allows DDE messaging between its instances and other software. Under a
multi-user system (such as Windows 2000 Professional), the feature causes
a security vulnerability.

To recreate the problem do the following:
1) Launch one copy of mIRC with an enabled DDE Server under an
Administrative account.
2) Launch another one under a Guest account using the RunAs service.
3) In the second (Guest) client, write:
   /DDE mIRC command "" /run c:\program files\internet explorer\iexplore.exe
4) Internet Explorer will be launched under the administrative account.

This enables different users sharing one machine to take over each other's
accounts if mIRC is running with a DDE Server (this option is enabled by
default).
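
The exposure condition described above can be checked over a process inventory. The following Python example is added here and is not part of the original advisory or of mIRC: it reports each administrative mIRC instance with its DDE server enabled that shares a desktop with processes owned by a less-privileged account. The record fields, the sample data and the function name find_exposed_dde_servers are hypothetical, and treating "same session and desktop" as DDE reachability is an assumption of the example.

```python
from collections import defaultdict

# Constructed process snapshot (sample data, not taken from a real host).
# "dde_server" records whether that instance has its DDE server enabled;
# the advisory states that mIRC enables it by default.
SNAPSHOT = [
    {"pid": 1204, "image": "mirc.exe", "user": "Administrator", "admin": True,
     "session": 0, "desktop": "WinSta0\\Default", "dde_server": True},
    {"pid": 1388, "image": "mirc.exe", "user": "Guest", "admin": False,
     "session": 0, "desktop": "WinSta0\\Default", "dde_server": True},
    {"pid": 1500, "image": "mirc.exe", "user": "Administrator", "admin": True,
     "session": 0, "desktop": "WinSta0\\Default", "dde_server": False},
    {"pid": 900, "image": "notepad.exe", "user": "Guest", "admin": False,
     "session": 1, "desktop": "WinSta0\\Default", "dde_server": False},
]


def find_exposed_dde_servers(procs, image="mirc.exe"):
    """Return sorted (pid, owner, lower_privileged_users) tuples for every
    privileged DDE server that shares a desktop with another account."""
    # Assumption: processes on the same session and desktop can exchange
    # DDE messages, so group the inventory by that pair.
    by_desktop = defaultdict(list)
    for p in procs:
        by_desktop[(p["session"], p["desktop"])].append(p)

    findings = []
    for group in by_desktop.values():
        for srv in group:
            is_target = srv["image"].lower() == image
            if not (is_target and srv["admin"] and srv["dde_server"]):
                continue
            # Accounts that are not the server's owner and are not admins.
            others = sorted({p["user"] for p in group
                             if p["user"] != srv["user"] and not p["admin"]})
            if others:
                findings.append((srv["pid"], srv["user"], others))
    return sorted(findings)


if __name__ == "__main__":
    for pid, owner, users in find_exposed_dde_servers(SNAPSHOT):
        print(f"mIRC pid {pid} ({owner}) reachable by: {', '.join(users)}")
```

Instances with the DDE server disabled, or running alone on their desktop, produce no finding.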

ADDITIONAL INFORMATION

The information has been provided by Shustrik <mailto:root@shustrik.com>.
