[NT] Vulnerability in Windows Shell Allows Remote Code Execution (MS05-016)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/13/05
To: list@securiteam.com
Date: 13 Apr 2005 14:22:02 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Vulnerability in Windows Shell Allows Remote Code Execution (MS05-016)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in the Windows Shell because
of the way that it handles application association. If a user is logged on
with administrative privileges, an attacker who successfully exploited
this vulnerability could take complete control of the affected system.
However, user interaction is required to exploit this vulnerability.
DETAILS
Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=A7511A19-ADD5-4793-92AC-25E953CE405C> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=51679BB1-A61B-47AC-A943-F9F306EF987B> Download the update
* Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=D513C252-FF70-46E3-BD79-077A336A974D> Download the update
* Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
<http://www.microsoft.com/downloads/details.aspx?FamilyId=32ADAB00-6ED3-4418-8539-7FA468AD5DBD> Download the update
* Microsoft Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F803F008-5EE8-4BBE-8136-BC21708D1025> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=32ADAB00-6ED3-4418-8539-7FA468AD5DBD> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Immune Systems:
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows XP Professional x64 Edition
An anonymous attacker could try to exploit the vulnerability by convincing
a user to open a specially crafted file. Opening this file could then
cause the affected system to run code. The vulnerability would generally
be exploited through unregistered file name extension types.
If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.
Mitigating Factors for Windows Shell Vulnerability:
* The vulnerability could not be exploited automatically through e-mail
or through a Web page. For an attack to be successful through e-mail a
user must open an attachment that is sent in an e-mail message.
* The vulnerability would generally be exploited through unregistered
file name extension types. Systems that block unknown file name extension
types or only allow known valid file name extension types would be at a
reduced risk from this vulnerability.
* An attacker who successfully exploited this vulnerability could gain
the same privileges as the user. Users whose accounts are configured to
have fewer privileges on the system could be less impacted than users who
operate with administrative privileges.
Windows 98, Windows 98 Second Edition and Windows Millennium Edition Status:
Although Windows 98, Windows 98 Second Edition, and Windows Millennium
Edition do contain the affected component, the vulnerability is not
critical.
Workaround:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.
Disable the HTML Application Host application:
This vulnerability takes advantage of functionality in the HTML
Application Host application. Disabling the association with this
application can help prevent attacks using this application. To disable
the HTML Application Host application, follow these steps:
1. Click Start, and then click Run.
2. Type "%windir%\system32\mshta.exe /unregister" (without the quotation
marks), and then press ENTER.
Note: To reverse this change, run the same command with /register instead of /unregister.
Impact of Workaround: This workaround removes the association between .hta
files and the HTML Application Host application. Users who try to load
hta files by double-clicking them in the Windows Shell will be prompted
to manually select an application to complete the loading of these file
types. This change helps prevent malicious use of the Windows Shell to
cause the HTML Application Host application to process other file name
extensions.
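The following PowerShell script is an added example for checking whether the workaround above has been applied on a host; it is not part of the advisory or of Microsoft's bulletin. It assumes the standard HTA registration (HKCR\.hta pointing at the htafile ProgID, whose shell\open\command references mshta.exe) and a host where PowerShell is available, which the Windows 2000/XP systems listed above would not have had at the time.

```powershell
# Added example (not from the advisory): report whether the HTML Application
# Host (mshta.exe) file association that the MS05-016 workaround removes is
# still present on this host.
# Assumption: the standard association is HKCR\.hta -> htafile, with
# HKCR\htafile\shell\open\command pointing at mshta.exe.
function Get-HtaAssociationState {
    $state = [ordered]@{
        ExtensionProgId = $null    # ProgID that .hta maps to (normally 'htafile')
        OpenCommand     = $null    # command the shell runs for that ProgID
        MshtaRegistered = $false   # $true when the open command invokes mshta.exe
    }

    # Step 1: read the default value of HKCR\.hta, if the key exists.
    $extKey = 'Registry::HKEY_CLASSES_ROOT\.hta'
    if (Test-Path $extKey) {
        $state.ExtensionProgId = (Get-ItemProperty -Path $extKey).'(default)'
    }

    # Step 2: follow the ProgID (falling back to 'htafile') to its open command.
    $progId = if ($state.ExtensionProgId) { $state.ExtensionProgId } else { 'htafile' }
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (Test-Path $cmdKey) {
        $state.OpenCommand = (Get-ItemProperty -Path $cmdKey).'(default)'
    }

    # Step 3: the workaround is "applied" when no mshta.exe open command remains.
    $state.MshtaRegistered = [bool]($state.OpenCommand -and
                                    $state.OpenCommand -match 'mshta\.exe')
    [pscustomobject]$state
}

$s = Get-HtaAssociationState
if ($s.MshtaRegistered) {
    Write-Host "HTML Application Host is registered for .hta: $($s.OpenCommand)"
    Write-Host "MS05-016 workaround NOT applied (to apply: %windir%\system32\mshta.exe /unregister)"
} else {
    Write-Host "No mshta.exe association for .hta found; workaround appears applied."
    Write-Host "To restore normal .hta handling: %windir%\system32\mshta.exe /register"
}
```

Run it from an elevated or standard PowerShell session; it only reads HKEY_CLASSES_ROOT and changes nothing. A host that reports the association as registered is still exposed to the unregistered-extension vector the advisory describes unless the MS05-016 update itself has been installed, so treat the output as a workaround-state check, not a patch-state check.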
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0063>
CAN-2005-0063
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS05-016.mspx>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.