[NT] Vulnerability in Windows Shell Allows Remote Code Execution (MS04-037)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/13/04
To: list@securiteam.com Date: 13 Oct 2004 16:37:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in Windows Shell Allows Remote Code Execution (MS04-037)
------------------------------------------------------------------------
SUMMARY
Two new Windows Shell related vulnerabilities have been discovered: the Shell
Vulnerability and the Program Group Converter Vulnerability.
Shell Vulnerability - A remote code execution vulnerability exists in the
way that the Windows Shell starts applications. An attacker could exploit
the vulnerability if a user visited a malicious Web site. If a user is
logged on with administrative privileges, an attacker who successfully
exploited this vulnerability could take complete control of an affected
system. However, user interaction is required to exploit this
vulnerability.
Program Group Converter Vulnerability - A remote code execution
vulnerability exists in Program Group Converter because of the way that it
handles specially crafted requests. An attacker could exploit the
vulnerability by constructing a malicious request that could potentially
allow remote code execution if a user performed an action such as opening
a file attachment or clicking an HTML link. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. However,
user interaction is required to exploit this vulnerability.
DETAILS
Vulnerable Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a - <http://www.microsoft.com/downloads/details.aspx?FamilyId=F8046E83-E151-4AAF-80CB-AD4F31C02EAC> Download the update
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=2DCC6C99-509D-41A5-A3C7-CAC017D633E1> Download the update
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=846E7479-133B-45D7-AA69-D9257F1BE178> Download the update
* Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=FB93CB07-3A7E-444C-B083-324FC9049B94> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=FF84BCBE-D1E5-4402-8CE4-F8D9966C79D0> Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=AB91C7FF-2547-455E-9A6D-82B09373495F> Download the update
* Microsoft Windows Server 2003 - <http://www.microsoft.com/downloads/details.aspx?FamilyId=5C60CA12-0045-42B7-9F2A-6D433DEDC105&> Download the update
* Microsoft Windows Server 2003 64-Bit Edition - <http://www.microsoft.com/downloads/details.aspx?FamilyId=AB91C7FF-2547-455E-9A6D-82B09373495F> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems.
Immune Systems:
* Microsoft Windows XP Service Pack 2
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0214>
CAN-2004-0214
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0572>
CAN-2004-0572
Shell Vulnerability
A remote code execution vulnerability exists in the way that the Windows
Shell starts applications. An attacker could exploit the vulnerability if
a user visited a malicious Web site. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. However,
user interaction is required to exploit this vulnerability.
Mitigating Factors for Shell Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site. An attack could only occur after they performed this
action.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://go.microsoft.com/fwlink/?LinkId=33334> Outlook E-mail Security
Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML
e-mail messages in the Restricted sites zone if Microsoft Security
Bulletin <http://go.microsoft.com/fwlink/?LinkId=19527> MS04-018 has been
installed. The Restricted sites zone helps reduce attacks that could
attempt to exploit this vulnerability.
The risk of attack from the HTML e-mail vector can be significantly
reduced if you meet all the following conditions:
* Apply the update that is included with Microsoft Security Bulletin
MS03-040 or a later Cumulative Security Update for Internet Explorer.
* Use Internet Explorer 6 or later.
* Use the Microsoft Outlook E-mail Security Update, use Microsoft
Outlook Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2
or later in its default configuration.
Workarounds for Shell Vulnerability
* Install the <http://go.microsoft.com/fwlink/?LinkId=33334> Outlook
E-mail Security Update if you are using Outlook 2000 SP1 or earlier to
help protect yourself from the HTML e-mail attack vector.
By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://go.microsoft.com/fwlink/?LinkId=33334> Outlook E-mail Security
Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML
e-mail in the Restricted sites zone if Microsoft Security Bulletin
<http://go.microsoft.com/fwlink/?LinkId=19527> MS04-018 has been
installed. The Restricted sites zone helps reduce attacks that could
attempt to exploit this vulnerability.
Customers who use any of these products could be at a reduced risk from an
e-mail-borne attack that tries to exploit this vulnerability unless the
user clicks a malicious link in the e-mail message.
* Read e-mail messages in plain text format if you are using Outlook 2002
or later, or Outlook Express 6 SP1 or later, to help protect yourself from
the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
later and Microsoft Outlook Express 6 users who have applied Internet
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages
that are not digitally signed or e-mail messages that are not encrypted in
plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not
affected by the setting and may be read in their original formats. For
more information about enabling this setting in Outlook 2002, see
Microsoft Knowledge Base Article
<http://support.microsoft.com/default.aspx?scid=kb;en-us;307594> 307594.
For information about this setting in Outlook Express 6, see Microsoft
Knowledge Base Article <http://support.microsoft.com/?kbid=291387>
291387.
Impact of Workaround: E-mail messages that are viewed in plain text format
will not contain pictures, specialized fonts, animations, or other rich
content. In addition:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the
store, the object model (custom code solutions) may behave unexpectedly.
FAQ for Shell Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. However, user interaction is required to
exploit this vulnerability. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
What causes the vulnerability?
Unchecked buffers in Windows Shell functions.
What is the Windows Shell?
The Microsoft Windows user interface (UI) provides users with access to a
wide variety of objects that are necessary for running applications and
managing the operating system. The most numerous and familiar of these
objects are the folders and files that reside on computer disk drives.
There are also a number of virtual objects that allow the user to do tasks
such as sending files to remote printers or accessing the Recycle Bin. The
Shell organizes these objects into a hierarchical namespace and provides
users and applications with a consistent and efficient way to access and
manage objects. For more information, visit the following
<http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28000443> Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the
same privileges as the user. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would have to host a malicious
Web site and then persuade a user to view that Web site. An attacker could
also create an e-mail message that has a specially crafted link, and then
persuade a user to view the e-mail message and then click the malicious
link.
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only
at risk if users are given the ability to log on and to run programs.
However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
No. Although Windows Millennium Edition does contain the affected
component, the vulnerability is not critical. For more information about
severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the Windows
Shell validates the length of a message before it passes the message to
the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0214>
CAN-2004-0214.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information indicating that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.
Program Group Converter Vulnerability
A remote code execution vulnerability exists in Program Group Converter
because of the way that it handles specially crafted requests. An attacker
could exploit the vulnerability by constructing a malicious request that
could potentially allow remote code execution if a user performed an
action such as opening a file attachment or clicking an HTML link. If a
user is logged on with administrative privileges, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. However, user interaction is required to exploit this
vulnerability.
Mitigating Factors for Program Group Converter Vulnerability
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's site. An attack could only occur after they performed this
action.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
* By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://go.microsoft.com/fwlink/?LinkId=33334> Outlook E-mail Security
Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML
e-mail in the Restricted sites zone if Microsoft Security Bulletin
<http://go.microsoft.com/fwlink/?LinkId=19527> MS04-018 has been
installed. The Restricted sites zone helps reduce attacks that could
attempt to exploit this vulnerability.
The risk of attack from the HTML e-mail vector can be significantly
reduced if you meet all the following conditions:
* Apply the update that is included with Microsoft Security Bulletin
<http://go.microsoft.com/fwlink?linkid=19873> MS03-040 or a later
Cumulative Security Update for Internet Explorer.
* Use Internet Explorer 6 or later.
* Use the Microsoft Outlook E-mail Security Update, use Microsoft
Outlook Express 6 or later, or use Microsoft Outlook 2000 Service Pack 2
or later in its default configuration.
Workarounds for Program Group Converter
* Install the <http://go.microsoft.com/fwlink/?LinkId=33334> Outlook
E-mail Security Update if you are using Outlook 2000 SP1 or earlier to
help protect yourself from the HTML e-mail attack vector.
By default, Outlook Express 6, Outlook 2002 and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://go.microsoft.com/fwlink/?LinkId=33334> Outlook E-mail Security
Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML
e-mail messages in the Restricted sites zone if Microsoft Security
Bulletin <http://go.microsoft.com/fwlink/?LinkId=19527> MS04-018 has been
installed. The Restricted sites zone helps reduce attacks that could
attempt to exploit this vulnerability.
Customers who use any of these products could be at a reduced risk from an
e-mail-borne attack that tries to exploit this vulnerability unless the
user clicks a malicious link in the e-mail message.
* Read e-mail messages in plain text format if you are using Outlook 2002
or later, or Outlook Express 6 SP1 or later, to help protect yourself from
the HTML e-mail attack vector.
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or
later and Microsoft Outlook Express 6 users who have applied Internet
Explorer 6 Service Pack 1 can enable this setting and view e-mail messages
that are not digitally signed or e-mail messages that are not encrypted in
plain text only.
Digitally signed e-mail messages or encrypted e-mail messages are not
affected by the setting and may be read in their original formats. For
more information about enabling this setting in Outlook 2002, see
Microsoft Knowledge Base Article
<http://support.microsoft.com/default.aspx?scid=kb;en-us;307594> 307594.
For information about this setting in Outlook Express 6, see Microsoft
Knowledge Base Article <http://support.microsoft.com/?kbid=291387>
291387.
Impact of Workaround: E-mail messages that are viewed in plain text format
will not contain pictures, specialized fonts, animations, or other rich
content. In addition:
* The changes are applied to the preview pane and to open messages.
* Pictures become attachments so that they are not lost.
* Because the message is still in Rich Text or HTML format in the
store, the object model (custom code solutions) may behave unexpectedly.
* Do not open or save .grp files that you receive from untrusted sources.
This vulnerability could be exploited when a user views a .grp file. Do
not open files that use this file name extension.
* Remove the association between .grp files and the grpconv.exe
application.
To enable the workaround, follow these steps as a local administrator:
* Put the following code in a file named Un-grpconv.inf:
[Version]
Signature="$CHICAGO$"
[DefaultInstall]
DelReg=DisableGrpAssociation.DelReg
AddReg=DisableGrpAssociation.AddReg
[DisableGrpAssociation.DelReg]
HKCR,"MSProgramGroup"
[DisableGrpAssociation.AddReg]
HKCR,".grp",,,""
HKCR,"MSProgramGroup",,,""
[DisableGrpAssociation.AddReg.Security]
"D:(D;CI;6;;;WD)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;0x3001F;;;PU)(A;CIIOID;SDGWGR;;;PU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)"
* Right-click on Un-grpconv.inf and then click Install.
To disable the workaround and revert to default behavior, follow these
steps as a local administrator:
* Put the following code in a file named Grpconv.inf:
[Version]
Signature="$CHICAGO$"
[DefaultInstall]
DelReg=EnableGrpAssociation.DelReg
[EnableGrpAssociation.DelReg]
HKCR,"MSProgramGroup"
HKCR,".grp"
* Right-click on Grpconv.inf and then click Install.
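As an added example (not part of the bulletin or of Microsoft's INF files), the following Python decodes the SDDL security descriptor that Un-grpconv.inf applies to the HKCR\.grp and HKCR\MSProgramGroup keys, so an administrator can see exactly which trustees the workaround denies the rights needed to re-create the association. The SDDL string is copied from the bulletin; the right and SID mnemonics are the documented SDDL ones, with bit values taken from winnt.h.

```python
"""Decode the DACL that the MS04-037 .grp workaround applies to HKCR\\.grp and HKCR\\MSProgramGroup.

Constructed example, not Microsoft's code; WORKAROUND_SDDL is copied from the bulletin's Un-grpconv.inf.
"""
import re

# SDDL access-right mnemonics (registry-relevant subset; values from winnt.h).
RIGHT_TOKENS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
}
# Individual bits of a registry access mask, in ascending order.
KEY_BITS = [
    (0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
    (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
    (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ"),
]
WELL_KNOWN_SIDS = {"WD": "Everyone", "BU": "Builtin Users", "PU": "Power Users",
                   "BA": "Builtin Administrators", "SY": "Local System", "CO": "Creator Owner"}
ACE_TYPES = {"A": "allow", "D": "deny"}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Copied verbatim from the bulletin's [DisableGrpAssociation.AddReg.Security] section.
WORKAROUND_SDDL = ("D:(D;CI;6;;;WD)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;0x3001F;;;PU)"
                   "(A;CIIOID;SDGWGR;;;PU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)"
                   "(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)")


def parse_rights(field):
    """The rights field is a number (hex 0x... or decimal, as the bulletin's '6') or a run of two-letter mnemonics."""
    if field.startswith("0x") or field.isdigit():
        return int(field, 0)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_TOKENS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return one dict per ACE from a 'D:(...)(...)' DACL string (the only form the workaround uses)."""
    assert sddl.startswith("D:"), "only the DACL-only form is handled"
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],  # CI, IO, ID, ...
            "mask": parse_rights(rights),
            "trustee": WELL_KNOWN_SIDS.get(sid, sid),
        })
    return aces


def right_names(mask):
    """Human-readable names of the bits set in a registry access mask."""
    return [name for bit, name in KEY_BITS if mask & bit]


def denied_writers(sddl):
    """Trustees explicitly denied KEY_SET_VALUE or KEY_CREATE_SUB_KEY, i.e. the rights needed to re-register .grp."""
    write_bits = 0x0002 | 0x0004
    return [a["trustee"] for a in parse_dacl(sddl) if a["type"] == "deny" and a["mask"] & write_bits]


if __name__ == "__main__":
    for ace in parse_dacl(WORKAROUND_SDDL):
        flags = ",".join(ace["flags"]) or "-"
        print(f"{ace['type']:5} {ace['trustee']:24} {flags:10} {' | '.join(right_names(ace['mask']))}")
```

Running it lists the ten ACEs; the first is an inheritable deny of KEY_SET_VALUE and KEY_CREATE_SUB_KEY to Everyone, which blocks re-registration of the association by any process that does not first change the key's DACL.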
FAQ for Program Group Converter
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative privileges, an attacker who successfully exploited this
vulnerability could take complete control of an affected system, including
installing programs; viewing, changing, or deleting data; or creating new
accounts with full privileges. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges. However, user interaction is
required to exploit this vulnerability.
What causes the vulnerability?
An unchecked buffer in the Program Group Converter application.
What is Program Group Converter?
The Program Group Converter was used to convert Program Manager Group
files that were created in Windows 3.1, Windows 3.11, Windows for
Workgroups 3.1, and Windows for Workgroups 3.11 so that they could be used
by later operating systems. This application is also used during Windows
Setup and by third-party applications during the installation of
applications or devices. For more information about Program Group
Converter, visit the following
<http://support.microsoft.com/default.aspx?scid=kb;en-us;119941> Web site.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could gain the
same privileges as the user. Users whose accounts are configured to have
fewer privileges on the system would be at less risk than users who
operate with administrative privileges.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker could host a malicious Web site
and then persuade a user to visit that Web site. An attacker could also
create an HTML e-mail message that contains a specially crafted link, and
then persuade a user to view the HTML e-mail message and click the link.
An attacker could also send a specially crafted .grp file to a user, and
then persuade the user to open the file.
An attacker could also access the affected component through another
vector. For example, an attacker could use another program that passes
parameters to the vulnerable component (locally or remotely).
What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers are only
at risk if users are given the ability to log on and to run programs.
However, best practices strongly discourage allowing this.
Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium
Edition do contain the affected component, the vulnerability is not
critical. For more information about severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the
Internet.
What does the update do?
The update removes the vulnerability by modifying the way that the Program
Group Converter application validates the length of a message before it
passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0572>
CAN-2004-0572.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information indicating that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS04-037.mspx>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.