[NT] Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning
From: support@securiteam.com Date: 09/06/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 6 Sep 2002 19:18:08 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Flaw Could Enable Web Page to Launch Visual FoxPro 6.0 Application Without Warning
------------------------------------------------------------------------
SUMMARY
In general, when a product installs, it should register itself with
Internet Explorer. This allows the product to specify how Internet
Explorer should handle files associated with it when referenced from a web
page - for instance, it allows the product to specify whether the user
should be presented with a warning dialogue before such a file is opened.
Visual FoxPro 6.0 does not perform this registration, and this gives rise
to a situation in which a web page could automatically launch a Visual
FoxPro application (i.e., an .app file). In most cases, this would not
result in a security vulnerability - because of the way Visual FoxPro 6.0
evaluates file names, FoxPro itself could be started, but the .app file
would typically not run. However, if the filename of the application were
constructed in a particular way, a second error (associated with how
Visual FoxPro 6.0 evaluates application filenames) could not only start
FoxPro but allow the application to execute.
The vulnerability could be exploited by creating a web page that
references a Visual FoxPro application, and either hosting it on a web
site or sending it to a user as an HTML mail. If the user had installed
Visual FoxPro 6.0 - or had installed a product that includes the Visual
FoxPro 6.0 runtime - and the filename of the application was constructed
in a particular way, the application would execute. This would enable the
application to not only interrogate databases, but also issue system
commands in the user's security context.
DETAILS
Affected Software:
* Microsoft Visual FoxPro 6.0
Mitigating factors:
* The vulnerability could only be exploited if Visual FoxPro 6.0 (or the
Visual FoxPro 6.0 runtime) is installed on the system. Other products, and
other versions of Visual FoxPro, are not affected by the vulnerability.
* The most privileges the application could gain would be those of the
user. If the user were operating in a less-privileged context, it would
limit the damage that the application could cause.
Patch availability:
Download locations for this patch
* Microsoft Visual FoxPro 6.0:
<http://www.microsoft.com/downloads/Release.asp?ReleaseID=42297>
What is the scope of the vulnerability?
This vulnerability could enable an attacker to run a Visual FoxPro
application on another user's system. By doing so, the attacker would be
able to take any action that user could take, including loading and
running programs, altering data on the system, reformatting the hard
drive, and so forth.
The vulnerability could only be exploited if two conditions were present:
* Visual FoxPro Version 6.0 (or another product that installs certain
parts of Visual FoxPro 6.0, as discussed below) was installed on the
system. No other products - and no other versions of FoxPro - are affected
by the vulnerability.
* The application's file name had a specific, peculiar construction.
What causes the vulnerability?
The vulnerability results because a Visual FoxPro application can be
launched from a web page without generating a warning to the user.
What is Visual FoxPro?
Visual FoxPro is an object-oriented database management system that
enables the development of database solutions for desktops or the web. The
version of Visual FoxPro at issue here, Version 6.0, shipped as both a
stand-alone product and as part of Visual Studio 6.0.
What is a Visual FoxPro application?
In Visual FoxPro, as in most database systems, it is possible to write an
application that automates access to the database. Such an application can
not only interrogate the database, but also can, by design, take actions
on the user's system.
What is wrong with the way Visual FoxPro applications are handled?
There are two problems that combine to create a vulnerability. The first
is that Visual FoxPro 6.0 does not register itself with Internet Explorer.
Whenever a product installs, it should register with Internet Explorer and
indicate whether files associated with the application can open
automatically, or require user approval before opening. However, Visual
FoxPro 6.0 does not do this.
Under most conditions, this would not pose a security vulnerability. For
the vast majority of cases, the sole effect of opening a Visual FoxPro
application would be to start Visual FoxPro but not actually run the
application. However, if the application's filename is constructed in a
particular way, it will cause Visual FoxPro to interpret and execute the
application.
What could this vulnerability enable an attacker to do?
The vulnerability would enable an attacker to launch a Visual FoxPro
application on another user's system, after which point the application
could take any action that the user was authorized to take on the system.
How might an attacker exploit the vulnerability?
The attacker would need to create a web page that invokes a Visual FoxPro
application, and either host the page on a web site or send it to another
user as an HTML mail. In either case, if a user opened that page, and had
Visual FoxPro 6.0 installed on the system, the application would launch
without warning.
I do not have Visual FoxPro installed on my system. Am I at any risk?
The vulnerability could only be exploited if Visual FoxPro - and
specifically Version 6.0 of Visual FoxPro - was installed on your system.
However, it is important to note that there are two ways it could be
installed. The most common way would be for you to have installed the
Visual FoxPro 6.0 product on your system.
However, it is also possible for third-party products to embed the Visual
FoxPro 6.0 runtime - essentially, the core database engine, without any of
the supporting feature set. If you had installed such a product, you could
also be vulnerable.
What third party products install the Visual FoxPro 6.0 runtime?
It is impossible to say. The runtime is embedded in a number of
applications that have been written by companies for their internal use,
as well as by commercial products. If you think you might be using such a
product, you can determine whether the Visual FoxPro 6.0 runtime is
present on your system by searching for any of the following files on your
system: vfp6r.dll, vfp6t.dll, or vfp6run.exe. If any of them are present,
Visual FoxPro 6.0 is installed on your system and you need the patch.
I have Visual FoxPro 7.0 installed on my system. Am I at any risk?
No. The vulnerability only affects Visual FoxPro 6.0.
I used to have Visual FoxPro 6.0 on my system, but I upgraded to Version
7.0. Am I at any risk?
No. Upgrading to Version 7.0 eliminates the vulnerability. This is true
even if you did a side-by-side installation - that is, if you installed
Version 7.0 on a system that already had Version 6.0 on it, but elected to
keep both versions present on the system.
Is there any way to eliminate the vulnerability other than installing the
patch?
Yes. Recall that the vulnerability results in part because Visual FoxPro
6.0 does not tell Internet Explorer how to handle Visual FoxPro
applications. It is possible to do this manually via the following
procedure:
1) Open Control Panel
2) Select "Tools", then "Folder Options"
3) Click the "File Types" tab
4) In the scroll box titled "Registered File Types", select the "APP"
extension. (If this extension is not present in the list, it means you do
not have Visual FoxPro installed).
5) Click on "Advanced"
6) Select "Confirm open after downloading".
7) Hit OK to close the Edit File Type dialogue
8) Hit OK to close the File Options dialogue
9) Close Control Panel
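An added audit script (not part of the advisory or of Microsoft's patch) that checks the two things the text asks an administrator to verify: whether the runtime files named earlier (vfp6r.dll, vfp6t.dll, vfp6run.exe) are present, and whether the .app file type carries the "Confirm open after downloading" setting, which in the registry is the FTA_OpenIsSafe bit (0x00010000) of the ProgID's EditFlags value being clear; the -Fix switch applies the same change the dialog procedure above makes. It assumes PowerShell on the affected machine and a per-machine (HKLM) registration of the .app extension; the ProgID is read from the registry rather than assumed.

```powershell
# Added example, not from the advisory: audit the manual mitigation for .app files.
# "Confirm open after downloading" checked  == FTA_OpenIsSafe bit CLEAR in EditFlags.
# "Confirm open after downloading" unchecked == FTA_OpenIsSafe bit SET (no prompt).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Fix)

$OpenIsSafe = 0x00010000   # FTA_OpenIsSafe from the shell's FILETYPEATTRIBUTEFLAGS

# 1. Runtime presence: the files the advisory lists as indicators of Visual FoxPro 6.0.
$runtimeFiles = 'vfp6r.dll', 'vfp6t.dll', 'vfp6run.exe'
$searchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$found = Get-ChildItem -Path $searchRoots -Recurse -Include $runtimeFiles -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }
if ($found) {
    "Visual FoxPro 6.0 runtime files present (patch needed per the advisory):"
    $found | ForEach-Object { "  $($_.FullName)" }
} else {
    "No Visual FoxPro 6.0 runtime files found under the searched directories."
}

# 2. How Internet Explorer will treat a downloaded .app file (assumes HKLM registration).
$extKey = 'HKLM:\SOFTWARE\Classes\.app'
if (-not (Test-Path $extKey)) {
    "No .app file type registered; the advisory says this means Visual FoxPro is not installed."
    return
}
$progId = (Get-ItemProperty -Path $extKey).'(default)'
if (-not $progId) { "The .app extension has no ProgID, so there is no EditFlags value to check."; return }
$progKey  = "HKLM:\SOFTWARE\Classes\$progId"
$flagsRaw = (Get-ItemProperty -Path $progKey -ErrorAction SilentlyContinue).EditFlags
# EditFlags may be REG_DWORD (int), REG_BINARY (4 little-endian bytes) or absent.
$flags = if ($flagsRaw -is [byte[]]) { [BitConverter]::ToUInt32($flagsRaw, 0) }
         elseif ($null -ne $flagsRaw)  { [uint32]([int64]$flagsRaw -band 0xFFFFFFFF) }
         else                          { [uint32]0 }

$confirm = -not ($flags -band $OpenIsSafe)
$state = if ($confirm) { 'ON' } else { 'OFF (a downloaded .app opens with no prompt)' }
"ProgID {0}: EditFlags=0x{1:X8}, 'Confirm open after downloading' is {2}" -f $progId, $flags, $state

# 3. Optional mitigation: clear FTA_OpenIsSafe, exactly what ticking the checkbox does.
if ($Fix -and -not $confirm) {
    $newFlags = [int64]$flags -band (-bnot [int64]$OpenIsSafe)
    if ($PSCmdlet.ShouldProcess($progKey, ('set EditFlags to 0x{0:X8}' -f $newFlags))) {
        # Written as REG_DWORD; the shell accepts either DWORD or BINARY for EditFlags.
        Set-ItemProperty -Path $progKey -Name EditFlags -Value ([int]$newFlags) -Type DWord
        "Mitigation applied; re-run without -Fix to verify."
    }
}
```

Run it from an elevated prompt with -Fix -WhatIf first to see the registry change it would make; without -Fix it only reports.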
What does the patch do?
The patch registers Visual FoxPro application (.app) files with Internet
Explorer and also removes the code flaw that allows certain filenames to
be evaluated and launched.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:0_35932_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.