[NT] Unchecked Buffer in Windows Shell Could Enable System Compromise
From: support@securiteam.com
Date: 12/19/02
From: support@securiteam.com To: list@securiteam.com Date: 19 Dec 2002 18:03:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Unchecked Buffer in Windows Shell Could Enable System Compromise
------------------------------------------------------------------------
SUMMARY
The Windows Shell is responsible for providing the basic framework of the
Windows user interface experience. It is most familiar to users as the
Windows Desktop, but also provides a variety of other functions to help
define the user's computing session, including organizing files and
folders, and providing the means to start applications.
An unchecked buffer exists in one of the functions used by the Windows
Shell to extract custom attribute information from audio files. A security
vulnerability results because it is possible for a malicious user to mount
a buffer overrun attack and attempt to exploit this flaw.
An attacker could seek to exploit this vulnerability by creating an .MP3
or .WMA file that contained a corrupt custom attribute and then host it on
a website, on a network share, or send it via an HTML email. If a user
were to hover his or her mouse pointer over the icon for the file (either
on a web page or on the local disk), or open the shared folder where the
file was stored, the vulnerable code would be invoked. An HTML email could
cause the vulnerable code to be invoked when a user opened or previewed
the email. A successful attack could have the effect of either causing the
Windows Shell to fail, or causing an attacker's code to run on the user's
computer in the security context of the user.
DETAILS
Affected Software:
* Windows XP Home Edition
* Windows XP Professional
* Windows XP Tablet PC Edition
* Windows XP Media Center Edition
Mitigating factors:
* The vulnerability lies in the Windows Shell, rather than Windows Media
Player. As a result, playing an audio file with Windows Media Player would
not pose any additional risk.
* Outlook 98 and 2000 (after installing the Outlook Email Security
Update), Outlook 2002, and Outlook Express 6 all open HTML mail in the
Restricted Sites Zone. Customers who are using these products and who have
also installed Windows XP Service Pack 1 or any recent security patch for
Internet Explorer that disables frames in the Restricted Sites zone would
not be at risk from automated email-borne attacks. However, these
customers could still be attacked if they choose to click on a hyperlink
in a malicious HTML email.
* In the case where an attacker's code was executed, the code would run
in the security context of the user. As a result, any limitations on the
user's ability would also restrict the actions that an attacker's code
could take.
Patch availability:
Download locations for this patch
* Microsoft Windows XP:
<http://microsoft.com/downloads/details.aspx?FamilyId=A0BE7AF2-2653-4767-A85D-24BF68D28D20&displaylang=en> ( bit edition)
<http://microsoft.com/downloads/details.aspx?FamilyId=FBA972FB-FF2A-41D0-8745-D31EEFB90437&displaylang=en> ( bit edition)
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully
exploited the vulnerability could, in the worst case, run code of their
choice on a user's system. This would enable an attacker to take any
action the legitimate user could take. This could include creating,
modifying or deleting data, reconfiguring the system, or reformatting the
hard drive.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the part of
the Windows Shell that automatically extracts custom attributes associated
with .MP3 and .WMA audio files.
What could this vulnerability enable an attacker to do?
Successfully exploiting this vulnerability could, in the worst case,
enable an attacker to run code of his or her choice on the user's system.
Since the Windows Shell runs in the context of the user, the attacker's
code would also run as the user. Any limitations on the user's ability to
delete, add, or modify data or configuration information would also limit
the attacker as well.
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by creating an .MP3
or .WMA file that contained a corrupt custom attribute. An attacker might
attempt to exploit this in one of three ways:
* Host the file on a website. In this case, if a user were browsing the
page containing the file and hovered over it with his or her mouse, the
vulnerability could be exploited.
* Host the file on a network share. In this case, if a user browsed to
the network share and simply opened the folder which contained the file,
it could cause the vulnerability to be exploited.
* Send the file via email. An attacker might embed a link to a share that
contained the file in a frame that would display when the user opened the
email. An attacker could also attach the file to an email message and send
it to a user with a suggestion that the user save the file to their
desktop. Once the file was present on the desktop, if the user hovered
over the file with their mouse the vulnerability could be exploited.
Finally, an attacker could include in an email message a link to a share
that contained the file, along with a suggestion that the user click on
the link. If the user clicked the link, the share would be displayed and
the vulnerability could be exploited.
It is important to note that in the last example, the attacker could not
automatically cause the file to be saved onto a user's computer. Only the
user could take the action of saving the file onto the local computer.
What is the Windows Shell?
The Windows Shell provides the basic framework for the Windows user
interface and is most commonly experienced as the Windows Desktop. The
shell provides many functions beyond just the desktop and works to present
a consistent look and feel throughout the computing experience. The shell
can be used to locate files and folders through the Windows Explorer, to
provide a consistent way to start applications through shortcuts on the
"Start" menu, and to provide a consistent interface through desktop themes
and colors.
What are MP3 and WMA files?
MP3 and WMA files are compressed digital music and sound files. Both types
of file can be identified by their .MP3 or .WMA file extensions.
Are any additional types of audio files affected?
Only files with an extension of .MP3 or .WMA are affected by this
vulnerability. Other types of files that may contain audio, such as .WAV,
.MPEG, and .AVI, are not affected.
How does the Windows Shell process these file attributes?
The Windows Shell is responsible for various actions associated with
displaying information about files and icons on a machine. For example,
when the mouse pointer is held over an icon, summary information is
displayed about that icon. In order to seamlessly display this
information, the Windows Shell is invoked to read the file attributes and
provide them automatically. Another example is the ability to change the
folder view to show "thumbnail" pictures of files on a machine. This
capability is provided by the Windows Shell and derived by its mechanisms
for processing files. When a folder is opened on a machine which is set to
display "thumbnails" the Windows Shell is automatically invoked to make
this display possible.
What's wrong with the Windows Shell?
The function that causes the Windows Shell to automatically extract custom
attributes of certain audio files contains an unchecked buffer. If
specific data was entered into an audio file, the buffer could be caused
to overrun when the Windows Shell attempted to read the file. A buffer
overrun can in general either cause the application to fail, or code to
run on the machine.
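As an added illustration of the two preceding answers (this is not Microsoft's code and not the Windows Shell function the bulletin describes), the C parser below walks the frames of a constructed MP3 ID3v2.3 tag, assuming the custom attributes are carried in user-defined TXXX text frames, and shows the length check that an unchecked copy into a fixed-size buffer omits: a frame that declares more bytes than the buffer or the tag actually holds is rejected before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ATTR_MAX 64  /* fixed-size attribute buffer, standing in for the unchecked one */
/* 28-bit synchsafe integer from the ID3v2 header (assumption: v2.3 layout). */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}
/* Big-endian 32-bit frame size (v2.3 frame sizes are plain big-endian). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Validate every frame before copying any attribute text into attr[].
 * Returns the number of frames accepted, or -1 if the tag is malformed or a
 * frame's declared size exceeds the buffer or the bytes present in the tag. */
int scan_id3_attributes(const uint8_t *buf, size_t len) {
    char attr[ATTR_MAX];
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;  /* not an ID3v2 tag */
    uint32_t tag_size = synchsafe(buf + 6);
    if (tag_size > len - 10) return -1;                     /* header claims more than we have */
    size_t pos = 10, end = 10 + tag_size;
    int accepted = 0;
    while (pos + 10 <= end) {
        if (buf[pos] == 0) break;                           /* padding: no more frames */
        uint32_t fsize = be32(buf + pos + 4);
        /* This is the check an unchecked copy omits: fsize comes from the file. */
        if (fsize >= sizeof attr || fsize > end - (pos + 10)) return -1;
        memcpy(attr, buf + pos + 10, fsize);
        attr[fsize] = '\0';
        accepted++;
        pos += 10 + fsize;
    }
    return accepted;
}
/* Constructed sample tags (illustrative bytes, not real exploit data). */
static const uint8_t benign_tag[] = {
    'I','D','3', 3,0, 0, 0,0,0,17,              /* header: v2.3, 17 bytes of frames */
    'T','X','X','X', 0,0,0,7, 0,0,              /* TXXX frame, 7 bytes of data */
    0, 'k','e','y',0, 'v','1'                   /* encoding, "key", value "v1" */
};
static const uint8_t oversized_tag[] = {
    'I','D','3', 3,0, 0, 0,0,0,17,
    'T','X','X','X', 0x7f,0xff,0xff,0xff, 0,0,  /* declares ~2 GB, only 7 bytes follow */
    0, 'k','e','y',0, 'v','1'
};
int check_benign(void)    { return scan_id3_attributes(benign_tag, sizeof benign_tag); }
int check_oversized(void) { return scan_id3_attributes(oversized_tag, sizeof oversized_tag); }
```

The benign tag yields one accepted frame; the oversized one is rejected at the length check, which is the point at which an unchecked memcpy would instead overrun the buffer.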
How does the Windows Shell get invoked to read these attributes?
The specific function that contains the unchecked buffer is invoked only
when the Windows Shell attempts to parse these custom attributes. This can
occur in a variety of ways:
* One instance would be where the file existed inside a folder on a
computer. If a user opened the folder, the Windows Shell would
automatically read these custom attributes.
* Another example would be if a malformed file were to be hosted on a web
site. If a user were to visit this website and hover over the file with
their mouse, the shell would also be invoked to parse the custom
attributes.
Is it possible for an attacker to exploit this vulnerability directly via
email?
If the user is running an e-mail client that displays HTML e-mail in the
Restricted Sites Security Zone, and has installed Windows XP Service Pack
1 or any recent cumulative patch for Internet Explorer, then it would not
be possible for an attacker to exploit this vulnerability directly through
HTML mail. The user would need to click on a link in the e-mail.
What e-mail clients display HTML e-mail in the Restricted Sites Security
Zone?
The following e-mail clients display HTML e-mail in the Restricted Sites
Security Zone:
* Outlook 2002
* Outlook 2000 with Office 2000 Service Release 2 or later
* Outlook 98 or 2000 when used in conjunction with the Outlook Email
Security Update
* Outlook Express 6.0
How does Windows XP Service Pack 1 limit the exploitation of this
vulnerability?
Windows XP Service Pack 1 and recent cumulative security patches for
Internet Explorer disable frames in the Restricted Sites Security Zone.
Without the ability to automatically display from an email message a frame
containing a link to a share that in turn contained a malformed file, the
sender of a malicious email would have to hope that the user would click
on a link to the share that he or she embedded in a message.
I'm not using Windows XP. Could I be affected by the vulnerability?
No. The flaw is only present in Windows XP. It does not affect any other
version of Windows.
If WMA files are used by Windows Media technologies, does that mean there
is a problem with Windows Media Player?
No. Windows Media Player does not contain the flaw. The flaw exists in the
Windows Shell, and the way it attempts to automatically read the
attributes of these audio files.
Is there a safe way to delete a file that I suspect might have been
created to exploit the vulnerability?
If you suspect that you may have downloaded an audio file with corrupted
custom attributes onto your machine, you should not attempt to delete the
file through Windows Explorer. Hovering the mouse pointer over the
malicious audio file or opening a folder that contains the file will cause
the Windows Shell to process it and the vulnerable code to be executed.
The safest course of action is to use the Command Prompt to remove the
corrupt file.
You can access the Command Prompt by the following steps:
1) Go to the Start button and select "Run".
2) In the "Open" box, type cmd.exe
3) Click OK. This will launch the Command Prompt.
4) Once in the Command Prompt, use the DEL command with the path to the
file to delete it. For specific information on which switches to use,
type DEL /? for help.
What does the patch do?
The patch addresses the vulnerability by imposing proper input validation
on the affected Windows Shell function.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:0_42311_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.