[NT] Microsoft Windows Object Packager Dialog Spoofing
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 11 Oct 2006 18:28:07 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Windows Object Packager Dialog Spoofing
------------------------------------------------------------------------
SUMMARY
Secunia Research has discovered a vulnerability in Microsoft Windows,
which can be exploited by malicious people to conduct spoofing attacks.
DETAILS
Affected Software:
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
Non-Affected Software:
* Microsoft Windows 2000 Service Pack 4
The vulnerability is caused due to an input validation error in the Object
Packager (packager.exe) in the handling of the "Command Line" property.
This can be exploited to spoof the filename and the associated file type
in the Packager security dialog by including a "/" slash character in the
"Command Line" property.
Example:
cmd /c [shell command] /[file].txt
This can further be exploited to execute arbitrary shell commands on a
user's system by tricking a user into opening and interacting with e.g. a
malicious Rich Text document or Word document containing an embedded
Package object in e.g. WordPad.
Solution:
See solution provided at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4692>
CVE-2006-4692
Time Table:
28/06/2006 - Vendor notified.
28/06/2006 - Vendor response.
11/09/2006 - Vendor contacted (status requested).
10/10/2006 - Vendor issues security bulletin MS06-065.
11/10/2006 - Public disclosure.
ADDITIONAL INFORMATION
The information has been provided by <mailto:remove-vuln@xxxxxxxxxxx>
Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2006-54/>
http://secunia.com/secunia_research/2006-54/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Vulnerability in Windows Explorer Allows Execution (MS06-057)
- Next by Date: [NT] Vulnerabilities in Microsoft Excel Allows Code Execution (MS06-059)
- Previous by thread: [NT] Vulnerability in Windows Explorer Allows Execution (MS06-057)
- Next by thread: [NT] Vulnerabilities in Microsoft Excel Allows Code Execution (MS06-059)
- Index(es):
Relevant Pages
|
