[NT] Vulnerability in Step-by-Step Interactive Training Allows Code Execution (MS07-005)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 15 Feb 2007 12:19:25 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in Step-by-Step Interactive Training Allows Code Execution
(MS07-005)
------------------------------------------------------------------------
SUMMARY
A remote code execution vulnerability exists in Step-by-Step Interactive
Training because of the way that Step-by-Step Interactive Training handles
bookmark link files. An attacker could exploit the vulnerability by
constructing a specially crafted bookmark link file that could potentially
allow remote code execution. An attacker who successfully exploited this
vulnerability could take complete control of an affected system. However,
user interaction is required to exploit this vulnerability.
DETAILS
Affected Software:
* Step-by-Step Interactive Training when installed on Microsoft Windows
2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=128c57af-663a-4476-92f5-aab394cfc91a> Download the update
* Step-by-Step Interactive Training when installed on Microsoft Windows
XP Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=128c57af-663a-4476-92f5-aab394cfc91a> Download the update
* Step-by-Step Interactive Training when installed on Microsoft Windows
XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=e268ffd5-295c-45f7-afd1-60007e791f8c> Download the update
* Step-by-Step Interactive Training when installed on Microsoft Windows
Server 2003 and Microsoft Windows Server 2003 Service Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=128c57af-663a-4476-92f5-aab394cfc91a> Download the update
* Step-by-Step Interactive Training when installed on Microsoft Windows
Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003
with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5eeedd28-47a5-4b30-a913-c1150330ecbe> Download the update
* Step-by-Step Interactive Training when installed on Microsoft Windows
Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2760120e-96b2-42b2-b5df-6322c9385729> Download the update
Mitigating Factors for Interactive Training Vulnerability - CVE-2006-3448:
* In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. Also, Web
sites that accept or host user-provided content or advertisements, and
compromised Web sites, may contain malicious content that could exploit
this vulnerability. In all cases, however, an attacker would have no way
to force users to visit these Web sites. Instead, an attacker would have
to persuade users to visit the Web site, typically by getting them to
click a link in an e-mail or Instant Messenger message that takes users to
the attacker's Web site.
* An attacker who successfully exploited this vulnerability could gain
the same user rights as the local user. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.
* The vulnerability could not be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that is
sent in an e-mail message or must click a link that is provided in an
e-mail message.
Workarounds for Interactive Training Vulnerability - CVE-2006-3448:
Microsoft has tested the following workarounds. While these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.
* Disable the handler for Step-by-Step Interactive Training bookmark link
files by removing the related registry keys.
Delete these keys to help reduce attacks. This workaround helps reduce
attacks by preventing Step-by-Step Interactive Training from automatically
opening the affected file types. The content can still be opened from
within the Step-by-Step Interactive Training user interface.
Important: This bulletin contains information about how to modify the
registry. Make sure to back up the registry before you modify it. Make
sure that you know how to restore the registry if a problem occurs. For
more information about how to back up, restore, and modify the registry,
see Microsoft Knowledge Base Article 256986.
Warning: Serious problems might occur if you modify the registry
incorrectly by using Registry Editor or by using another method. These
problems might require that you reinstall your operating system. Microsoft
cannot guarantee that these problems can be solved. Modify the registry at
your own risk.
1. Click Start, click Run, type regedt32, and then click OK.
2. In Registry Editor, locate the following registry keys:
HKEY_CLASSES_ROOT\.cbl (for Microsoft Press Interactive Training)
HKEY_CLASSES_ROOT\.cbm (for Interactive Training)
HKEY_CLASSES_ROOT\.cbo (for Microsoft Interactive Training)
3. For each subkey that is found, click the subkey, and then click DELETE.
4. In the Confirm Key Delete dialog box, click OK.
These actions can also be performed at a command prompt by using the
following commands in the following order:
reg.exe export HKCR\.cbl c:\cbl.reg
reg.exe delete HKCR\.cbl /f
reg.exe export HKCR\.cbm c:\cbm.reg
reg.exe delete HKCR\.cbm /f
reg.exe export HKCR\.cbo c:\cbo.reg
reg.exe delete HKCR\.cbo /f
Impact of Workaround: Step-by-Step Interactive Training bookmark files can
no longer be opened. The content can still be opened from within the
Step-by-Step Interactive Training user interface.
* Do not open or save Step-by-Step Interactive Training bookmark link
files (.cbo, .cbl, .cbm) that you receive from untrusted sources.
This vulnerability could be exploited when a user opens a .cbo, .cbl, or
.cbm file. Do not open files that use these file name extensions. This
workaround does not cover other vectors of attack such as Web browsing.
* Remove Step-by-Step Interactive Training by using the Add or Remove
Programs tool in Control Panel.
To manually remove Step-by-Step Interactive Training from a system, follow
these steps.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add or Remove Programs.
3. In the Add or Remove Programs dialog box, click the name of the
affected program and then click Remove.
Note: Affected versions are "Microsoft Press Interactive Training" and
"Interactive Training." However, removing these programs may not be a
complete workaround, because "Microsoft Interactive Training" does not
create an Add or Remove Programs entry. "Microsoft Interactive Training"
is based on the Orun32.exe file. Therefore, you must also manually verify
that the Orun32.exe file is not present on your system.
4. Follow the instructions to complete the removal.
Impact of Workaround: After you remove the Step-by-Step Interactive
Training application, any applications that depend on Step-by-Step
Interactive Training will fail.
* Remove Step-by-Step Interactive Training.
Removing Step-by-Step Interactive Training will help prevent attacks. To
remove Step-by-Step Interactive Training, follow these steps:
1. Click Start, click Run, and type:
%windir%\IsUninst.exe -x -y -a -f"%windir%\orun32.isu"
Note: You may have to replace "orun32.isu" with "mrun32.isu" or
"lrun32.isu," depending on the version of Step-by-Step Interactive
Training that is installed. If you have several of these versions
installed, you must remove them all.
Impact of Workaround: After you remove the Step-by-Step Interactive
Training application, any applications that depend on Step-by-Step
Interactive Training will fail.
* Delete or rename the Step-by-Step Interactive Training .ini program
file.
If Step-by-Step Interactive Training cannot be removed by using the
methods that are documented in this section of the security bulletin, you
may be able to help prevent attacks by deleting or renaming the physical
file. Delete or rename the %windir%\Orun32.ini file.
Note: You may have to replace "Orun32.ini" with "Lrun32.ini" or "Mrun32.ini",
depending on the version of Step-by-Step Interactive Training that is
installed.
Impact of Workaround: After you disable the Step-by-Step Interactive
Training application, any applications that depend on Step-by-Step
Interactive Training may fail.
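The following PowerShell script is an added example, not part of the bulletin or of Microsoft's own tooling. It audits one host for the bookmark handler keys (HKCR\.cbl, .cbm, .cbo) and the Orun32/Mrun32/Lrun32 engine files named above, and with -Apply it performs the registry-key workaround using the same export-then-delete reg.exe sequence. It assumes an elevated prompt and that reg.exe is on the PATH; the -Apply switch and $BackupDir parameter are names chosen for this example.

```powershell
# Added example (not from the bulletin): audit a host for Step-by-Step Interactive
# Training artifacts named in MS07-005 and, only with -Apply, remove the bookmark
# file-type handlers after exporting each key to a .reg backup.
# Assumes an elevated PowerShell prompt and reg.exe on the PATH.
[CmdletBinding()]
param(
    [switch]$Apply,                              # default is report-only
    [string]$BackupDir = "$env:SystemDrive\"     # the bulletin exports to C:\
)

$extensions  = '.cbl', '.cbm', '.cbo'            # bookmark link file types (from the bulletin)
$engineFiles = 'Orun32', 'Mrun32', 'Lrun32'      # engine variants named in the bulletin
$findings    = @()

# 1. File-type handlers under HKEY_CLASSES_ROOT
foreach ($ext in $extensions) {
    $key = "Registry::HKEY_CLASSES_ROOT\$ext"
    if (Test-Path -LiteralPath $key) {
        $progId = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Kind = 'Handler'; Item = "HKCR\$ext"; Detail = $progId }
    }
}

# 2. Engine binaries and config in %windir% (Orun32.exe / .ini / .isu and the M/L variants)
foreach ($base in $engineFiles) {
    foreach ($suffix in '.exe', '.ini', '.isu') {
        $path = Join-Path $env:windir ($base + $suffix)
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Kind = 'File'; Item = $path; Detail = (Get-Item -LiteralPath $path).LastWriteTime }
        }
    }
}

if (-not $findings) { Write-Output 'No Step-by-Step Interactive Training artifacts found.'; return }
$findings | Format-Table -AutoSize

if ($Apply) {
    # Same order as the bulletin's commands: export the key first, delete it only if the export succeeded.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($ext in $extensions) {
        if (-not (Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext")) { continue }
        $backup = Join-Path $BackupDir ($ext.TrimStart('.') + "-$stamp.reg")
        & reg.exe export "HKCR\$ext" $backup | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Backup of HKCR\$ext failed; key left in place."; continue }
        & reg.exe delete "HKCR\$ext" /f | Out-Null
        Write-Output "Removed HKCR\$ext (backup: $backup)"
    }
}
```

Run it without -Apply across hosts to inventory where the engine is present; the .reg backups can be re-imported with reg.exe import to restore the handlers.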
FAQ for Interactive Training Vulnerability - CVE-2006-3448:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. If a user is logged on with
administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less impacted
than users who operate with administrative user rights.
What causes the vulnerability?
An unchecked buffer in the process that is used by Step-by-Step
Interactive Training to validate bookmark link files.
What is a bookmark link file?
Bookmark link files are created by using the Step-by-Step Interactive
Training user interface. These files allow a user the ability to quickly
and easily link to a particular topic. Bookmark link files are text files
that contain the information that is required by Step-by-Step Interactive
Training to view a topic.
What is Step-by-Step Interactive Training?
Step-by-Step Interactive Training is used as the engine for hundreds of
interactive training titles that are provided by Microsoft Press and other
vendors. The list of known titles that contain this software is provided
in <http://support.microsoft.com/kb/898458> Microsoft Knowledge Base
Article 898458. For more information about other available Microsoft Press
titles that may contain this software see the Microsoft Press Web site.
This Web site will only document titles that may contain this software.
Because of the nature of the distribution of this software by Microsoft,
by our manufacturing partners, and by our publishing partners, there is no
definitive list of all the titles that may have provided this software or
of manufacturers that may have preinstalled this software. We recommend
installing the available security update if you believe that this software
may be installed on your system. You can also use the information provided
in the "How do I know if I have Step-by-Step Interactive Training
installed on my system?" frequently asked question to scan your enterprise
for the affected files.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.
Who could exploit the vulnerability?
An attacker who could construct a specially crafted file and then
persuade a user to visit a malicious Web site that opened this file, or an
attacker who could persuade a user to open a specially crafted attachment
provided in an e-mail message, could try to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially
crafted message and sending the message to an affected system. The message
could then cause the affected system to execute code.
There are several additional ways that an attacker could try to exploit
this vulnerability. However, user interaction is required to exploit this
vulnerability in each of these ways. Some examples follow:
* An attacker could exploit the vulnerability by constructing a malicious
Step-by-Step Interactive Training bookmark file (a .cbo, .cbl, or .cbm
file) and then persuade the user to open the file.
* An attacker could send a malicious file as an attachment to a user
through e-mail and then convince the user to open the attachment.
* An attacker could host a malicious Web site that is designed to exploit
this vulnerability through Internet Explorer and then persuade a user to
view the Web site.
* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker could also try to compromise a Web site to have it deliver a
Web page that contains malicious content to try to exploit this
vulnerability. An attacker would have no way to force users to visit a Web
site. Instead, an attacker would have to persuade them to visit the Web
site, typically by getting them to click a link that takes them to the
attacker's Web site or to a Web site that has been compromised by the
attacker.
What systems are primarily at risk from the vulnerability?
Any operating system where Step-by-Step Interactive Training is installed
is at risk from this vulnerability. Because this software is typically
installed only on client systems, servers would typically not be at risk
from the vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that
Step-by-Step Interactive Training validates the contents of a bookmark
file before Step-by-Step Interactive Training copies the content into the
allocated buffer.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Security Bulletin MS07-005.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-005.mspx>