[NT] Windows Explorer COM Handling Remote Code Execution (MS06-015)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Windows Explorer COM Handling Remote Code Execution (MS06-015)
------------------------------------------------------------------------


SUMMARY

A remote code execution in Microsoft Windows Explorer's handling of COM
objects allows attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AE28BC65-3A5E-4497-AD05-2CDE8E7B5E95> Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=392C2F1B-AA24-48E5-8D5B-EA56341DB936> Download the update
* Microsoft Windows XP Professional x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=11A5195E-3F32-41F9-AB39-68A099EE945D> Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=099EE535-8B31-4356-B3FB-EF524C20A424> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E3C7E736-1583-4BD5-B661-A9AADDFA5B86> Download the update
* Microsoft Windows Server 2003 x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=238AB809-5A7E-4678-B01B-38FD82E9C701> Download the update
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME) Review the FAQ section of this
bulletin for details about these operating systems.

Windows Shell Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>
CVE-2006-0012:
A remote code execution vulnerability exists in Windows Explorer because
of the way that it handles COM objects. An attacker would need to convince
a user to visit a Web site that could force a connection to a remote file
server. This remote file server could then cause Windows Explorer to fail
in a way that could allow code execution. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system.

Mitigating Factors for Windows Shell Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>
CVE-2006-0012:
* Firewall best practices and standard default firewall configurations
can help protect networks from attacks that originate outside the
enterprise perimeter. Best practices recommend that systems that are
connected to the Internet have a minimal number of ports exposed.

* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a malicious Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions.

* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.

* The Restricted sites zone helps reduce attacks that could try to
exploit this vulnerability by preventing Active Scripting and ActiveX
controls from being used when reading HTML e-mail. However, if a user
clicks on a link within an e-mail they could still be vulnerable to this
issue through the Web-based attack scenario described previously.

By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML
e-mail messages in the Restricted sites zone. Additionally, Outlook 98 and
Outlook 2000 open HTML e-mail messages in the Restricted sites zone if the
<http://go.microsoft.com/fwlink/?LinkId=33334> Outlook E-mail Security
Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML
e-mail messages in the Restricted sites zone if Microsoft Security
Bulletin <http://go.microsoft.com/fwlink/?LinkId=19527> MS04-018 has been
installed.

* The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful a user must open an attachment or click on
a link that is sent in an e-mail message.

Workarounds for Windows Shell Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>
CVE-2006-0012:

Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Disable the Web Client service

Disabling the Web Client service will help protect the affected system
from attempts to exploit this vulnerability. To disable the Web Client
service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to
Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click WebClient.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.

You can also stop and disable the Web Client service by using the
following command at the command prompt:

sc stop WebClient & sc config WebClient start= disabled

Impact of Workaround: If the Web Client service is disabled, Web
Distributed Authoring and Versioning (WebDAV) requests are not
transmitted. If the Web Client service is disabled, any services that
explicitly depend on the Web Client service will not start, and an error
message will be logged in the System log. Windows Server 2003 users will
not be able to use the "Open as Web Folder" functionality.

* Use the Group Policy settings to disable the WebClient service on all
affected systems that do not require this feature.
Because the Web Client service is a possible attack vector, disable the
service by using the Group Policy settings. You can disable the startup of
this service at either the local, site, domain, or organizational-unit
level by using Group Policy object functionality in Windows 2000 domain
environments or in Windows Server 2003 domain environments.

Note You may also review the
<http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx> Windows Server 2003 Security Guide. This guide includes information about how to disable services.

For more information about Group Policy, visit the following Microsoft Web
sites:
*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpfeat.mspx> Step-by-Step Guide to Understanding the Group Policy Feature Set
*
<http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp> Windows 2000 Group Policy
*
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx> Group Policy in Windows Server 2003

Impact of Workaround: If the Web Client service is disabled, Web
Distributed Authoring and Versioning (WebDAV) requests are not
transmitted. If the Web Client service is disabled, any services that
explicitly depend on the Web Client service will not start, and an error
message will be logged in the System log. Windows Server 2003 users will
not be able to use the "Open as Web Folder" functionality.

Block TCP ports 139 and 445 at the firewall:
Although WebDAV uses TCP port 80 for outbound communication, TCP ports 139
and 445 can be used inbound to attempt to connect to this service and try
to exploit this vulnerability. Blocking them at the firewall can help
prevent systems that are behind that firewall from attempts to exploit
this vulnerability. We recommend that you block all unsolicited inbound
communication from the Internet to help prevent attacks that may use other
ports. For more information about ports, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21312> Web site.

FAQ for Windows Shell Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0012>
CVE-2006-0012:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

If a user is logged on with administrative user rights, an attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights. Users whose
accounts are configured to have fewer user rights on the system could be
less impacted than users who operate with administrative user rights.

What causes the vulnerability?
Windows Explorer could allow COM objects to be used to execute arbitrary
code.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if users who do not have sufficient administrative
permissions are given the ability to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition
critically affected by this vulnerability?
Yes. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
are critically affected by this vulnerability. Critical security updates
for these platforms may not be available concurrently with the other
security updates provided as part of this security bulletin. They will be
made available as soon as possible following the release. When these
security updates are available, you will be able to download them only
from the <http://go.microsoft.com/fwlink/?LinkId=21130> Windows Update
Web site. For more information about severity ratings, visit the following
<http://go.microsoft.com/fwlink/?LinkId=21140> Web site.

What does the update do?
The update removes the vulnerability by preventing specially crafted files
and directories from invoking arbitrary code without specific user
interaction.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

Note The update for this vulnerability also addresses a publicly disclosed
variation that has been assigned Common Vulnerability and Exposure number
CVE-2004-2289.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Secrity.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-015.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages