[NT] Microsoft Windows Interactive Training Buffer Overflow (MS05-031)

From: SecuriTeam (support_at_securiteam.com)
Date: 06/15/05

  • Next message: SecuriTeam: "[NT] Vulnerability in Step-by-Step Interactive Training Allows Remote Code Execution (MS05-031)"
    To: list@securiteam.com
    Date: 15 Jun 2005 16:15:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft Windows Interactive Training Buffer Overflow (MS05-031)
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Interactive Training is "an application included with some OEM
    versions of Windows XP that allows users to receive multimedia training on
    a variety of software products".

    Remote exploitation of a buffer overflow vulnerability in Microsoft's
    orun32.exe application allows attackers to execute arbitrary code in
    the security context of the logged-on user.

    DETAILS

    Vulnerable Systems:
     * Microsoft Interactive Training version 3.5.0.116 on Windows XP (other
    versions suspected)

    The problem specifically exists when processing a malformed .cbo file. A
    typical .cbo file might have the following contents:

        [Microsoft Interactive Training]
        User=DEFAULT
        SerialID=00000000

    If an attacker crafts a file containing an overly long string in the User
    field, the user-supplied value is copied into a fixed-size stack buffer
    without a length check. The bytes that run past the end of the buffer
    overwrite adjacent stack memory, such as the saved return address or a
    Structured Exception Handler (SEH) record, giving the attacker control of
    the execution flow.
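    As an added illustration (this is not the advisory's or iDEFENSE's code,
    and not orun32.exe itself), the following C program parses the .cbo layout
    shown above, places the unbounded copy the advisory describes next to a
    length-checked version, and constructs a .cbo image with an oversized User
    value to show the checked version refusing it. The 64-byte buffer size,
    the parser details and the sample file contents are assumptions made for
    the example; the real buffer size in orun32.exe is not stated on this page.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed stack buffer size for this illustration (the real size is unknown). */
#define USER_BUF_SIZE 64

/* Find the value of "User=" inside the [Microsoft Interactive Training]
 * section of an in-memory .cbo file. Returns a pointer to the first byte of
 * the value and stores its length (up to end of line) in *len, or returns
 * NULL if the section or the key is missing. */
static const char *find_user_value(const char *cbo, size_t *len)
{
    const char *sec = strstr(cbo, "[Microsoft Interactive Training]");
    if (sec == NULL)
        return NULL;
    const char *p = strstr(sec, "\nUser=");
    if (p == NULL)
        return NULL;
    p += strlen("\nUser=");
    const char *end = p;
    while (*end != '\0' && *end != '\r' && *end != '\n')
        end++;
    *len = (size_t)(end - p);
    return p;
}

/* The bug pattern the advisory describes: the User value is copied into a
 * fixed-size stack buffer with no check of its length. A value longer than
 * USER_BUF_SIZE - 1 bytes runs past `user` into the rest of the frame (saved
 * registers, return address, and on Windows the SEH chain). Kept only for
 * comparison; never call it with an oversized value. */
int load_user_vulnerable(const char *cbo)
{
    char user[USER_BUF_SIZE];
    size_t len;
    const char *v = find_user_value(cbo, &len);
    if (v == NULL)
        return -1;
    memcpy(user, v, len);      /* len is never compared with sizeof(user) */
    user[len] = '\0';
    return (int)len;
}

/* Hardened version: the caller supplies the destination and its size, the
 * length is checked before any byte is copied, and an oversized value is
 * rejected rather than silently truncated. */
int load_user_safe(const char *cbo, char *out, size_t outlen)
{
    size_t len;
    const char *v = find_user_value(cbo, &len);
    if (v == NULL)
        return -1;              /* no User key in the expected section */
    if (len >= outlen)
        return -2;              /* would overflow: refuse the file */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Construct a .cbo image whose User value is `n` bytes of 'A' (a constructed
 * sample, not a real exploit file). Returns the number of bytes written,
 * excluding the terminating NUL, or 0 if `buf` is too small. */
size_t build_malicious_cbo(char *buf, size_t buflen, size_t n)
{
    const char *head = "[Microsoft Interactive Training]\r\nUser=";
    const char *tail = "\r\nSerialID=00000000\r\n";
    size_t need = strlen(head) + n + strlen(tail) + 1;
    if (need > buflen)
        return 0;
    char *p = buf;
    memcpy(p, head, strlen(head));
    p += strlen(head);
    memset(p, 'A', n);
    p += n;
    memcpy(p, tail, strlen(tail) + 1);   /* copies the NUL as well */
    return need - 1;
}

int main(void)
{
    char cbo[512];
    char out[USER_BUF_SIZE];
    const char *benign =
        "[Microsoft Interactive Training]\r\nUser=DEFAULT\r\nSerialID=00000000\r\n";

    printf("benign file: safe loader returns %d (User=%s)\n",
           load_user_safe(benign, out, sizeof out), out);
    build_malicious_cbo(cbo, sizeof cbo, 200);
    printf("200-byte User value: safe loader returns %d (rejected)\n",
           load_user_safe(cbo, out, sizeof out));
    /* load_user_vulnerable(cbo) would write 200 bytes into a 64-byte frame. */
    return 0;
}
```

    The checked loader returns -2 for the oversized file and the caller should
    abort parsing at that point; truncating the value instead would hide
    malformed input that is worth logging.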

    Successful exploitation allows remote attackers to execute arbitrary code
    with the privileges of the currently logged-on user. Exploitation normally
    requires convincing a target user to open a malicious .cbo file. However,
    a common default configuration in OEM versions of Windows XP allows
    Internet Explorer to open .cbo files without confirmation, so an attacker
    can reference the file from an IFRAME on a web page and have it opened
    with no interaction beyond the victim visiting the page. Microsoft Windows
    Interactive Training is included only in OEM versions of Windows XP, which
    limits the population of affected systems.

    To determine whether a given system is vulnerable, check for the presence
    of the following registry key:
    HKEY_CLASSES_ROOT\MITrain.Document\shell\open\command

    If this key exists and contains a value, then the system has Interactive
    Training installed, and it will process .cbo files.

    Workaround:
    Do not accept or open .cbo files from untrusted sources. Consider
    filtering .cbo attachments at e-mail gateways.

    To prevent .cbo files from being passed to Microsoft Interactive Training,
    remove the .cbo entry under HKEY_CLASSES_ROOT in the Windows Registry.
    Export the key first so the association can be restored once the vendor
    patch is applied, then save the following text into a file called
    "fix.reg" and open it to apply the change:

        Windows Registry Editor Version 5.00

        [-HKEY_CLASSES_ROOT\.cbo]

    This disassociates .cbo files from the Interactive Training application,
    so they are no longer launched automatically, at the cost of some
    functionality. The application can still be used as before by starting
    the executable manually and entering a username. This is a mitigation
    only: orun32.exe remains on the system, and the overflow itself is
    corrected only by the vendor patch.

    Vendor Status:
    The vendor security advisory and appropriate patches are available at:
    http://www.microsoft.com/technet/security/Bulletin/MS05-031.mspx

    Disclosure Timeline:
    02.23.05 - Initial vendor notification
    02.23.05 - Initial vendor response
    06.14.05 - Coordinated public disclosure

    CVE Information:
    CAN-2005-1212
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1212

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE
    (idlabs-advisories@idefense.com).
    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=262&type=vulnerabilities

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

