Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:2625
HistoryMar 12, 2002 - 12:00 a.m.

ADVISORY: Windows Shell Overflow

2002-03-1200:00:00
vulners.com
16
JSON

Windows Shell Overflow

Release Date:
March 8, 2002

Severity:
Medium

Systems Affected:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000

Description:
There exists a buffer overflow vulnerability within the Windows Shell that
can lead to execution of malicious code. The vulnerability exists in how
the Windows Shell manipulates URL handlers that point to programs that do
not exist.

The Windows Shell exposes functionality to allow developers to write their
own custom URL handlers. For example programs such as, ICQ, AIM, MS
Conference, mIRC, Windows Media Player, Outlook/Express, etc… install
their own custom URL handlers so that functionality can be passed from a
URL to a program.

So for example we could write a custom URL handler called "eeye" and then
anytime someone performed a request for eeye://data the data would be
passed to whatever program was written to handle the eeye URL.

Now the problem arises when a URL handler has been mapped, in the system
registry, to a program that does not exist.

For example AOL Instant Messenger installs a URL handler to
HKEY_CLASSES_ROOT\aim. The reason we know AIM is a URL handler is because
of the existence of the key "URL Protocol" tells the windows shell that Aim
is a URL handler.

By enumerating the registry for "URL Protocol" keys we can determine all of
the installed URL handlers.

Next we identify a URL handler that is installed yet mapped to a
non-existent program.

The mapping to the URL handler is in the form of:
HKEY_CLASSES_ROOT\urlhandler\shell\open\command and whatever executable is
pointed to by (Default) is the executable to handle that specific URL.

As stated the vulnerability is within the Windows Shell code that handles
URL's that point to a non-existent URL handler.

So if the AIM handler (HKEY_CLASSES_ROOT\aim\shell\open\command) was
pointing to a file that did not exist then that URL handler could be
exploited via a buffer overflow in the data passed to the URL handler.

For example: aim://overflow
Where overflow is 324 or so bytes. At this point we take control of EIP and
can control the flow of execution within the program. Which means we can
make our victim execute any code we wish.

It is very important to clarify there is no problem within AIM or the URL
handler program itself. The problem lies within vulnerable code within the
Microsoft Windows Shell.

Reasons for certain URL handlers becoming exploitable could be, a program is
uninstalled and the uninstaller does not cleanly remove the mapping in the
registry, or a user deletes the program folder which leaves the URL mapping
to a invalid file.

On a default installation of Windows the buffer overflow does exist although
exploiting it is impossible because there are no default URL handlers
pointing to a file that doesn't exist. However over time after programs are
installed and removed a system will become vulnerable.

This vulnerability is a local vulnerability although because of the
integrated nature of windows it is possible to exploit this vulnerability
remotely using any program that supports URL. For example we could email
this attack URL within an Outlook email or we could put this attack URL
within an "evil web page" and then get users to visit the web page. There
are many different ways to remotely make a system process these "evil
URL's" in order to gain control.

When you exploit this vulnerability, locally or remotely, your code will
execute with the permissions of that of the user being attacked. So if the
user executing this evil URL is Administrator then your attack code will
execute as Administrator.

There are a few variables to a system being vulnerable to this buffer
overflow however we still encourage users to install the Microsoft patch as
soon as possible.

Vendor Status:
Microsoft has released a patch and security bulletin which is located at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-014.asp

CVE ID: CAN-2002-0070
This is a candidate for inclusion in the CVE list http://cve.mitre.org which
standardizes names for security problems.

Credit:
Marc Maiffret

Related Links:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-014.asp

Greetings:
Mr. Self Destruct and his Lollipop

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [email protected] for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
[email protected]

Related

seebug 1
cve 1
cert 1
nessus 1
seebug
seebug
MS02-014:Windows Shell 未检查缓冲器 - NT4
2008-07-16 00:00:00
cve
cve
CVE-2002-0070
2002-03-15 05:00:00
cert
cert
Buffer overflow in Microsoft Windows Shell
2002-04-08 00:00:00
nessus
nessus
MS02-014: Unchecked buffer in Windows Shell (313829)
2003-03-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:2625
seebug1cve1cert1nessus1