[NT] Vulnerabilities in Windows Shell Allows Remote Code Execution (MS05-049)

• Previous message: SecuriTeam: "[NT] Vulnerability in DirectShow Allows Remote Code Execution (MS05-050)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 12 Oct 2005 10:17:35 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Vulnerabilities in Windows Shell Allows Remote Code Execution (MS05-049)
------------------------------------------------------------------------

SUMMARY

Several vulnerabilities in Windows' Shell allows remote attackers to cause
an unsuspecting user to execute arbitrary code.

DETAILS

Affected Software:
 * Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1F063C4A-B0BF-49C6-928B-F1F076C69612> Download the update
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F7241DEB-9E2D-401A-9D71-10ACAB4450AF> Download the update
 * Microsoft Windows XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=594AD01B-F333-4C56-9C12-D1A8B82F2A6E> Download the update
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1A4FCFDE-E549-4078-A180-076A23CB8BB7> Download the update
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA63AF8-3D36-4F3C-BFEE-11B62572AF73> Download the update
 * Microsoft Windows Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=994B14B4-EE98-4B61-BDBE-CA5C20094855> Download the update

Non-Affected Software:
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)

Shell Vulnerability - CAN-2005-2122:
A remote code execution vulnerability exists in Windows because of the way
that it handles the .lnk file name extension. By persuading a user to open
an .lnk file that has specially-crafted properties an attacker could
execute code on an affected system.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122>
CAN-2005-2122

Mitigating Factors for Shell Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site. After they click the link, they would be prompted to
perform an action. An attack could only occur after they performed this
actions.

 * The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful a user must open an attachment that is sent
in an e-mail message.

 * To exploit this vulnerability locally the attacker must have valid
logon credentials and be able to log on. The vulnerability could not be
exploited remotely or by anonymous users.

FAQ for Shell Vulnerability:
What is the scope of the vulnerability?
A remote code execution vulnerability exists in Windows because of the way
that it handles files with the .lnk file name extension. An attacker could
exploit the vulnerability by persuading a user to open an .lnk file that
has specially-crafted properties. An attacker who successfully exploited
this vulnerability could execute code on the affected system. However,
user interaction is required to exploit this vulnerability.

What causes the vulnerability?
The way that Windows handles certain properties that are associated with
lnk files.

What are .lnk files?
An .lnk file is a file that is used to point to another file, such as a
program. These files are often known as shortcut files and can contain
properties that are passed to the target program.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted .lnk file to a
user, and then persuade that user to open the .lnk file, could try to
exploit this vulnerability.

How could an attacker exploit the vulnerability?
To exploit this vulnerability locally, an attacker must be able to log on
to the specific system that is targeted for attack or persuade a user to
open a specially-crafted .lnk file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who have administrative permissions log on to
servers and open specially-crafted .lnk files.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack or persuade a user to open a specially-crafted .lnk
file.

What does the update do?
The update removes the vulnerability by modifying the way that Windows
processes files that use the .lnk file name extension.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Shell Vulnerability - CAN-2005-2118:
A remote code execution vulnerability exists in Windows because of the way
that it handles files with the .lnk file name extension. By persuading a
user to view the properties of a specially-crafted .lnk file, an attacker
could execute code on the affected system.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2118>
CAN-2005-2118

Mitigating Factors for Shell Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site. After they click the link, they would be prompted to
perform an action. An attack could only occur after they performed this
action.

 * The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that is
sent in an e-mail message.

 * To exploit this vulnerability locally, the attacker must have valid
logon credentials and be able to log on. The vulnerability could not be
exploited remotely or by anonymous users.

FAQ for Shell Vulnerability:
What is the scope of the vulnerability?
A remote code execution vulnerability exists in Windows because of the way
that it handles files with the .lnk file name extension. An attacker could
exploit the vulnerability by persuading a user to view the properties of
an .lnk file that contains specially-crafted properties. An attacker who
successfully exploited this vulnerability could execute code on the
affected system. However, user interaction is required to exploit this
vulnerability.

What causes the vulnerability?
This vulnerability is attributed to the way Windows handles certain
properties that are associated with .lnk files.

What are .lnk files?
An .lnk file is a file that is used to point to another file, such as a
program. These files are often known as shortcut files and can contain
properties that are passed to the target program.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted .lnk file to a
user, and then persuade that user to open the .lnk file, could try to
exploit this vulnerability.

How could an attacker exploit the vulnerability?
To locally this vulnerability locally, an attacker must be able to log on
to the specific system that is targeted for attack or persuade a user to
right click and view the properties of a specially-crafted .lnk file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and open
specially-crafted .lnk files. However, best practices strongly discourage
allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack or persuade a user to open on a specially-crafted .lnk
file.

What does the update do?
The update removes the vulnerability by modifying the way that Windows
handles malformed .lnk file properties before passing them to allocated
buffers.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Web View Script Injection Vulnerability:
A remote code execution vulnerability exists in the way that Web View in
Windows Explorer handles certain HTML characters in preview fields. By
persuading a user to preview a malicious file, an attacker could execute
code. However, user interaction is required to exploit this vulnerability.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2117>
CAN-2005-2117

Mitigating Factors for Web View Script Injection Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site. After they click the link, they would be prompted to
perform an action. An attack could only occur after they performed these
actions.

 * An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

 * The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful through e-mail a user must save an
attachment locally and then preview it in Windows Explorer.

Workarounds for Web View Script Injection Vulnerability:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

 * Disable Web View:
Disabling Web View will reduce the ability to maliciously use this feature
to perform an attack. To disable Web View, follow these steps:

1. Click Start, and then click My Computer.
2. Click Tools menu, and then click Folder Options.
3. On the General tab, under Tasks, click Use Windows classic folders, and
then click OK.

These settings take affect only after you log off the system and then log
back on again.

Impact of Workaround: This change will reduce the functionality of Windows
Explorer by removing the left hand task pane which contains links to
common folders and tasks.

 * Use the Group Policy settings to disable Web View on all affected
systems that do not require this feature:
Disabling Web View will reduce the ability to maliciously use this feature
to perform an attack.

For more information about Group Policy, visit the following Web sites:
 * Step-by-Step Guide to Understanding the Group Policy Feature Set
 * Windows 2000 Group Policy

Impact of Workaround: This change will reduce the functionality of Windows
Explorer by removing the task pane, which contains links to common folders
and tasks.

 * Block TCP ports 139 and 445 at the perimeter firewall:

These ports are used to initiate a connection by using the Server Message
Block (SMB) protocol. Blocking outbound SMB traffic at the perimeter
firewall will help prevent systems from trying to connect to a malicious
file server outside the firewall. For more information about the ports,
visit the following Web site.

Impact of Workaround: Computers that are behind the firewall will be
unable to access trusted file servers by using the Server Message Block
(SMB) protocol outside the network.

FAQ for Web View Script Injection Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. By persuading a user to
preview a malicious file, an attacker could execute code. If a user is
logged on with administrative user rights, an attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. Users whose accounts
are configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights. However,
user interaction is required to exploit this vulnerability.

What causes the vulnerability?
The process that Windows Explorer uses to validate HTML characters in
certain document fields when in Web View.

What is Web View?
Web View is one of two formats that Windows Explorer provides to view file
and folder information. This feature allows a user to preview a file or
folder in a thumbnail view before they open it. Web View also displays
information about that file or folder, such as the title and the author.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a malicious
file and placing it in a local or remote location. The attacker would then
have to persuade a user to connect to the folder in Windows Explorer and
preview the document. The document could then cause the affected system to
execute code.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs.

What does the update do?
The update addresses the vulnerability by modifying the way that Windows
Explorer validates HTML characters in certain file fields.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx>
http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Vulnerability in DirectShow Allows Remote Code Execution (MS05-050)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]