[NT] Microsoft Interactive Training .cbo Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Microsoft Interactive Training .cbo Overflow
------------------------------------------------------------------------


SUMMARY

A vulnerability in Microsoft's Interactive Training (.cbo files) allows
remote attackers to supply a user with a seemingly harmless file which in
turn can be used to execute arbitrary code by overflowing a buffer.

DETAILS

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught us
that it is unwise to use a string from a file/packet without first
checking its length, this is what happened here.

MS Interactive Training will open a file with a .cbo extension and read in
the Syllabus details.

Through the creation of a corrupt file with a long Syllabus string, it is
possible to gain control of EIP and execute arbitrary code.

[Microsoft Interactive Training]
Topic=Using the Start Menu
Lesson=Getting Started with Windows XP Professional
User=DEFAULT
Syllabus=<long string>
Database=C:\Documents and Settings\All Users\Application Data\SBSI\ORUN\
SerialID=00000000
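
The length check that DETAILS says was skipped, as an added example (not
code from the original advisory or from Microsoft). SYLLABUS_MAX, the
function names and the return codes are assumptions; the advisory does not
give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit: the advisory does not state the real buffer size. */
#define SYLLABUS_MAX 260
enum { CBO_OK = 0, CBO_MISSING = -1, CBO_TOO_LONG = -2 };

/* Copy the value of `key` from INI-style text into out[outsz]. The value is
 * measured before anything is copied; an oversized value rejects the file
 * rather than being truncated. Section headers are ignored for brevity. */
int cbo_get_value(const char *text, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *line = text;

    while (*line) {
        size_t llen = strcspn(line, "\r\n");      /* length of this line */
        if (llen > klen && strncmp(line, key, klen) == 0 && line[klen] == '=') {
            size_t vlen = llen - klen - 1;
            if (vlen >= outsz)                    /* no room for value + NUL */
                return CBO_TOO_LONG;
            memcpy(out, line + klen + 1, vlen);
            out[vlen] = '\0';
            return CBO_OK;
        }
        line += llen;
        line += strspn(line, "\r\n");             /* skip line terminator(s) */
    }
    return CBO_MISSING;
}

/* Build a constructed .cbo text whose Syllabus value is n bytes long
 * (capped at 4096) and run it through the parser. */
int cbo_check_sample(size_t n)
{
    static char file[8192];
    char out[SYLLABUS_MAX];
    int off = snprintf(file, sizeof file,
                       "[Microsoft Interactive Training]\r\nUser=DEFAULT\r\nSyllabus=");
    if (n > 4096) n = 4096;
    memset(file + off, 'A', n);
    strcpy(file + off + n, "\r\nSerialID=00000000\r\n");
    return cbo_get_value(file, "Syllabus", out, sizeof out);
}

int main(void)
{
    printf("short=%d oversized=%d\n", cbo_check_sample(8), cbo_check_sample(5000));
    return 0;
}
```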

Exploitation:
Remote exploitation through Internet Explorer is possible by hosting a
malicious .cbo file, which will be downloaded and opened automatically.

Solutions:
Install the vendor-supplied patch:
http://www.microsoft.com/technet/security/bulletin/MS07-005.mspx


ADDITIONAL INFORMATION

The information has been provided by Brett Moore
<brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.security-assessment.com/files/advisories/MS_Interactive_Training_.cbo_Overflow_2.pdf


