[NT] Vulnerability in Task Scheduler Could Allow Code Execution (MS04-022)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/14/04
To: list@securiteam.com Date: 14 Jul 2004 11:20:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in Task Scheduler Could Allow Code Execution (MS04-022)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in the Microsoft Windows Task
Scheduler because of the way that it handles application name validation.
There are many ways that a system could be vulnerable to this attack. An
attacker who successfully exploited this vulnerability could take complete
control of an affected system. However, user interaction is required to
exploit this vulnerability.
DETAILS
Affected Software:
* Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service
Pack 3, Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=BBF3C8A1-7D72-4CE9-A586-7C837B499C08&displaylang=en> Download the update
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=8E8D0A2D-D3B9-4DE8-8B6F-FC27715BC0CF&displaylang=en> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7B4AC0FA-7954-4993-85A1-85298F122CE0&displaylang=en> Download the update
Affected Components:
* Internet Explorer 6 Service Pack 1 when installed on Windows NT 4.0
SP6a (Workstation, Server, or Terminal Server Edition) -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D4F57F82-D2BA-411A-8B40-77A3D80E58AC&displaylang=en> Download the update
Non-Affected Software:
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows NT Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me)
CVE Information:
Task Scheduler Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0212>
CAN-2004-0212
FAQ:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges. However, user interaction is
required to exploit this vulnerability.
What causes the vulnerability?
An unchecked buffer in the Task Scheduler component.
What is the Task Scheduler?
You can use Task Scheduler to schedule commands, programs, or scripts to
run at specific times. A task is saved as a file that has a .job file name
extension. This behavior makes it easier to move the task information from
system to system. Administrators can create scheduled maintenance task
files and put them where needed. For more information, see the
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/evaluate/featfunc/taskschd.mspx> Task Scheduler Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of an affected system, including installing programs;
viewing, changing, or deleting data; or creating new accounts that have
full privileges.
How could an attacker exploit this vulnerability?
There are many ways that a system could be vulnerable to this attack. Here
are some examples:
* An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.
* An attacker could add a specially crafted .job file to the local file
system or to a network share and then persuade the user to view the folder
by using Windows Explorer.
* An attacker could also access the affected component through another
vector. For example, an attacker could log on to the system interactively
or by using another program that passes parameters to the vulnerable
component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only
at risk if users who do not have sufficient administrative credentials are
given the ability to log on to servers and to run programs. However, best
practices strongly discourage allowing this.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the
<http://go.microsoft.com/fwlink/?LinkId=21169> Protect Your PC Web site.
IT Professionals can visit the
<http://go.microsoft.com/fwlink/?LinkId=21171> Security Guidance Center
Web site.
What does the update do?
The update removes the vulnerability by modifying the way that Task
Scheduler validates the length of a message before it passes the message
to the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information
indicating that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
Mitigating Factors:
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. An attack could only occur after they performed these
actions.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
* Windows Server 2003 is not affected by this vulnerability. Windows NT
4.0 is not vulnerable unless Internet Explorer 6 is installed. Internet
Explorer 6 is not affected when installed on other supported operating
systems. Other versions of Internet Explorer are not affected.
Workarounds:
* Do not open or save .job files that you receive from untrusted sources.
This vulnerability could be exploited when a user views a .job file. Do
not open files that use this file name extension.
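To support the workaround above, a structural check that triages .job files found on local disks or shares before anyone browses to them. This is an added example, not code from the bulletin or from Microsoft. It assumes the .job layout as recalled from Microsoft's published file-format documentation (68-byte fixed header, 16-bit application-name offset at byte 20, a 16-bit character count followed by a UTF-16LE string); the 260-character review threshold and all function names are hypothetical.

```python
import os
import struct

# Assumed .job layout (see lead-in); these values are not from the bulletin.
FIXED_LEN = 68        # size of the fixed-length header
NAME_OFF_FIELD = 20   # header offset of the 16-bit application-name offset
MAX_NAME_CHARS = 260  # assumed review threshold (MAX_PATH)

def check_job(data):
    """Return findings for one .job file image; an empty list means none."""
    if len(data) < FIXED_LEN + 4:
        return ["truncated: no room for header and name length"]
    (off,) = struct.unpack_from("<H", data, NAME_OFF_FIELD)
    if off < FIXED_LEN or off + 2 > len(data):
        return ["application-name offset points outside the fixed header or file"]
    (count,) = struct.unpack_from("<H", data, off)  # characters, including NUL
    findings = []
    if count > MAX_NAME_CHARS:
        findings.append(f"application name declares {count} chars (> {MAX_NAME_CHARS})")
    end = off + 2 + 2 * count
    if end > len(data):
        findings.append("declared name length runs past end of file")
    elif count and data[end - 2:end] != b"\x00\x00":
        findings.append("application name is not NUL-terminated")
    return findings

def make_job(name, declared=None):
    """Build a constructed sample: zeroed header, instance count, name field."""
    raw = (name + "\x00").encode("utf-16-le")
    count = len(name) + 1 if declared is None else declared
    header = bytearray(FIXED_LEN)
    struct.pack_into("<H", header, NAME_OFF_FIELD, FIXED_LEN + 2)
    return bytes(header) + b"\x00\x00" + struct.pack("<H", count) + raw

def scan(root):
    """Walk a directory tree and map each .job path to its findings."""
    results = {}
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".job"):
                p = os.path.join(d, f)
                with open(p, "rb") as fh:
                    results[p] = check_job(fh.read(1 << 20))
    return results

if __name__ == "__main__":
    print(check_job(make_job("C:\\WINDOWS\\system32\\defrag.exe")))
    print(check_job(make_job("A" * 400)))
```

A file with findings is a candidate for quarantine and manual review; an empty result only means the name field is structurally consistent, not that the file is trustworthy.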
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx>