[NT] Unchecked Buffer in mstask.dll

From: SecuriTeam (support_at_securiteam.com)
Date: 07/18/04

  • Next message: SecuriTeam: "[NT] Buffer Overflow in Whisper FTP Surfer"
    To: list@securiteam.com
    Date: 18 Jul 2004 16:20:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Unchecked Buffer in mstask.dll
    ------------------------------------------------------------------------

    SUMMARY

    When thinking about buffer overflow vulnerabilities, a file can sometimes
    be as harmful as a packet. Even though past security issues have taught us
    that it is unwise to use an unvalidated text string containing a file name
    or directory, that is what happened here.

    By creating a .job file with a large "to be executed" field the stack can
    be overwritten allowing for remote command execution, when the file is
    parsed by mstask.dll.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows XP, Microsoft Windows XP Service Pack 1

    It appears that both explorer.exe and iexplore.exe will parse a .job file
    when showing folder listings. Upon the parsing of the .job file, the large
    "to be executed" field is passed to wcscpy without doing any bounds
    checking.

    Using explorer the viewing of a folder containing the .job is enough to
    cause the buffer overflow to occur. The file can be hosted locally or on a
    remote network share. A remote attack would require the end user to visit
    the folder/share containing the exploit file.

    Using Internet Explorer the viewing of a folder containing the .job file
    through the use of an [iframe] object will cause the buffer overflow to
    occur.

    Viewing an HTML email that is based around the [iframe] attack avenue,
    will also cause the buffer overflow. This will occur without any user
    intervention if the preview pane is enabled, or with user intervention by
    viewing the email.

    It is possible that there are other avenues of attack to exploit this
    vulnerability.

    Exploitation:
    Remote exploitation through Internet Explorer can be obtained through the
    use of an iframe object pointing at an anonymous share.

    Automatic exploitation of browser based bugs, does not rely on an attacker
    sending a link, requiring the target user to click on it. Links,
    references and other objects can easily be opened through script code. And
    Brett was told that this can also be achieved without script code.

    Solutions:
    - Install the vendor supplied patch:
    <http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx>
    http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:brett.moore@security-assessment.com> Brett Moore.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Buffer Overflow in Whisper FTP Surfer"

    Relevant Pages

    • [REVS] Understanding and Preventing DNS-related Attacks by Phishers
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... This paper, extending the original material of "The Phishing Guide", ... Internet-based customers are dependent upon, and how they can be exploited ... This paper focuses upon a recent group of attack vectors used by criminals ...
      (Securiteam)
    • [NT] Microsoft Outlook Web Access XSS (MS08-039)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Web Access (OWA) 2003/2007. ... Exchange Server 2007, Exchange Server 2007 SP1) ... An attacker can craft a malicious email which contains the attack strings ...
      (Securiteam)
    • [REVS] Multiple Collisions attack on MD5 and other Hashing Algorithms
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... This collision attack might someday introduce a weakness in MD5 ... The presented attack can find many real collisions which are ...
      (Securiteam)
    • [NEWS] Common DNS Misconfiguration can Lead to "same Site" Scripting
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... attack is trivial, for example, from a shared UNIX system, an attacker ... via) a machine that hosts another website, ... configurations for domains that host websites that rely on HTTP state ...
      (Securiteam)
    • [NEWS] Cisco Unified Communications Manager SQL Injection
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Cisco Unified Communications Manager is vulnerable to a SQL Injection ... attack in the parameter key of the admin and user interface pages. ... Cisco has released free software updates that address this vulnerability. ...
      (Securiteam)