[NT] Windows Shell Overflow (Additional Information)
From: support@securiteam.com  Date: 03/12/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 12 Mar 2002 16:40:03 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Windows Shell Overflow (Additional Information)
------------------------------------------------------------------------
SUMMARY
eEye Digital Security has discovered a buffer overflow vulnerability
within the Windows Shell that can lead to execution of malicious code.
The vulnerability exists in how the Windows Shell manipulates URL handlers
that point to programs that do not exist.
A patch is available for this vulnerability. See:
<http://www.securiteam.com/windowsntfocus/5WP0B0A6LU.html> "Unchecked
Buffer in Windows Shell Could Lead to Code Execution".
DETAILS
Vulnerable systems:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000
The Windows Shell exposes functionality that allows developers to write their
own custom URL handlers. For example, programs such as ICQ, AIM, MS
Conference, mIRC, Windows Media Player and Outlook/Outlook Express install
their own custom URL handlers so that data contained in a URL can be passed
to a program.
So, for example, we could write a custom URL handler called "eeye"; then
any time someone requested eeye://data, the data would be passed to
whatever program was written to handle the eeye URL.
The problem arises when a URL handler has been mapped, in the system
registry, to a program that does not exist.
For example, AOL Instant Messenger installs a URL handler at
HKEY_CLASSES_ROOT\aim. What marks AIM as a URL handler is the existence of
the "URL Protocol" entry under that key; its presence tells the Windows
Shell that aim is a URL handler.
By enumerating the registry for "URL Protocol" keys we can determine all
of the installed URL handlers.
Next we identify a URL handler that is installed yet mapped to a
non-existent program.
The mapping for a URL handler is of the form:
HKEY_CLASSES_ROOT\urlhandler\shell\open\command
and whatever executable is pointed to by the (Default) value there is the
executable that handles that specific URL.
As stated, the vulnerability is within the Windows Shell code that handles
URLs pointing to a non-existent URL handler program.
So if the AIM handler (HKEY_CLASSES_ROOT\aim\shell\open\command) was
pointing to a file that did not exist then that URL handler could be
exploited via a buffer overflow in the data passed to the URL handler.
For example: aim://[buffer]
Where [buffer] is 324 or so bytes. At this point we take control of EIP
and can control the flow of execution within the program, which means we
can make our victim execute any code we wish.
It is very important to clarify there is no problem within AIM or the URL
handler program itself. The problem lies within vulnerable code within the
Microsoft Windows Shell.
A URL handler can become exploitable if, for example, a program is
uninstalled and the uninstaller does not cleanly remove the mapping from
the registry, or if a user deletes the program folder, leaving the URL
mapping pointing to an invalid file.
On a default installation of Windows the buffer overflow does exist,
although exploiting it is impossible because no default URL handler points
to a file that does not exist. However, over time, as programs are
installed and removed, a system will become vulnerable.
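The enumeration the advisory describes (walk HKEY_CLASSES_ROOT, keep the keys that carry the "URL Protocol" marker, read each one's shell\open\command and check whether the executable it names is still on disk) is exactly the audit a defender wants, since the overflow is only reachable through a handler whose program is missing. The PowerShell script below is an added example written for this page; it is not eEye's or Microsoft's code, it reads the registry and tests paths only, and the function names and output columns are this example's own. It assumes Windows PowerShell 5.1 or later and ordinary read access to HKCR, which any user has.

```powershell
# Audit HKEY_CLASSES_ROOT for URL protocol handlers whose shell\open\command
# names an executable that no longer exists (the dangling-handler condition
# described in the advisory). Added example, not eEye's or Microsoft's code.
# Assumptions: Windows PowerShell 5.1+, read access to HKCR (no admin needed).

function Get-HandlerExecutable {
    # Pull the executable path out of a command string such as
    #   "C:\Program Files\AIM\aim.exe" "%1"     or     C:\Tools\foo.exe %1
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.Length -eq 0) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -lt 0) { return $cmd.Substring(1) }   # unterminated quote
        return $cmd.Substring(1, $end - 1)
    }
    # Unquoted form: take the first token. An unquoted path containing spaces
    # is cut short here and is reported as missing; that ambiguity is itself
    # worth a look, since the shell has to guess the same way.
    return ($cmd -split '\s+')[0]
}

function Test-HandlerExecutable {
    # A rooted path is checked directly; a bare program name is resolved
    # through PATH, which is how a bare name would be found at launch time.
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) {
        return (Test-Path -LiteralPath $Path -PathType Leaf)
    }
    return [bool](Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
}

function Get-UrlHandlerReport {
    # One object per installed URL handler: protocol name, raw command,
    # the executable extracted from it, and whether that executable exists.
    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    foreach ($key in Get-ChildItem -LiteralPath $hkcr -ErrorAction SilentlyContinue) {
        # "URL Protocol" is a registry value (its data is normally empty); its
        # presence is what marks the key as a URL handler.
        if ($null -eq $key.GetValue('URL Protocol', $null)) { continue }

        $protocol = $key.PSChildName
        $cmdKey = Get-Item -LiteralPath "$hkcr\$protocol\shell\open\command" -ErrorAction SilentlyContinue
        # GetValue('') returns the (Default) value; REG_EXPAND_SZ variables
        # such as %ProgramFiles% are expanded by the registry API.
        $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { $null }
        $exe     = if ($command) { Get-HandlerExecutable $command } else { $null }
        $exists  = if ($exe) { Test-HandlerExecutable $exe } else { $false }

        [pscustomobject]@{
            Protocol   = $protocol
            Command    = $command
            Executable = $exe
            Exists     = $exists
        }
    }
}

# Report only the dangling handlers: a registered protocol with no working program.
Get-UrlHandlerReport | Where-Object { -not $_.Exists } |
    Format-Table Protocol, Executable, Command -AutoSize
```

Every row printed is a protocol the shell will accept but cannot launch, which on an unpatched host is precisely the case the advisory's overflow reaches. Removing the stale protocol key (or reinstalling the program it belongs to) clears the condition on that machine; the Microsoft patch referenced in the advisory removes the overflow itself.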
This is a local vulnerability, although due to the integrated nature of
Windows it is possible to exploit it remotely using any program that
supports URLs. For example, we could send the attack URL within an Outlook
email, or place it in an "evil web page" and then get users to visit that
page. There are many different ways to remotely make a system process such
"evil URLs" in order to gain control.
When this vulnerability is exploited, locally or remotely, the attacker's
code executes with the permissions of the user being attacked. So if the
user who processes the evil URL is Administrator, the attack code executes
as Administrator.
Whether a given system is vulnerable to this buffer overflow depends on a
few variables; nevertheless, we encourage users to install the Microsoft
patch as soon as possible.
Solution:
Microsoft has released a patch and security bulletin.
See: <http://www.securiteam.com/windowsntfocus/5WP0B0A6LU.html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:info@eEye.com> eEye Digital
Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.