[SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow

From: Secure Net Service(SNS) Security Advisory (snsadvat_private)
Date: Wed Jul 02 2003 - 18:44:44 PDT


    ----------------------------------------------------------------------
    SNS Advisory No.65
    Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow
    
    Problem first discovered: Thu, 5 Dec 2002
    Published: Thu, 03 Jul 2003
    Reference: http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html
    ----------------------------------------------------------------------
    
    Overview:
    ---------
      A buffer overflow vulnerability exists in the Windows 2000 API 
      ShellExecute() function.
    
    
    Problem Description:
    -------------------
      The Windows API ShellExecute() function runs the application 
      associated with a specified file extension.
    
      The problem is triggered when a pointer to an unusually long string 
      is passed as the 3rd argument of the Windows 2000 ShellExecute() 
      API function.
    
      It has been confirmed that several applications, including web 
      browsers, mail user agents (MUAs) and text editors, are affected by 
      this problem.
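      The advisory's fix is the Service Pack (see Solution below); the
      following is an added example, not code from SNS/LAC or Microsoft,
      showing the caller-side check an application author can add as
      defence in depth: validate the string destined for the 3rd argument
      (lpFile) before it reaches ShellExecute(). The advisory gives no exact
      length threshold, so the MAX_PATH (260) bound, the function names
      check_shell_file_arg/check_filled_arg/guarded_shell_execute and the
      sample inputs are assumptions of this example. The real API call is
      compiled only on Windows; the validation logic builds anywhere.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#else
/* Not on Windows: MAX_PATH is the Windows constant (260). Defined here so
   the validation logic compiles and can be exercised on any platform. */
#define MAX_PATH 260
#endif

/* Outcome of validating lpFile before it is handed to ShellExecute().
   Using MAX_PATH as the limit is an assumption of this example; the
   advisory only says an "unusually long string" triggers the overflow. */
typedef enum {
    ARG_OK = 0,
    ARG_NULL,
    ARG_TOO_LONG,
    ARG_BAD_CHAR
} arg_status;

/* Returns ARG_OK only if lpFile is NUL-terminated within MAX_PATH bytes
   (leaving room for the terminator) and contains no control characters.
   The scan never reads past MAX_PATH bytes, so an unterminated buffer is
   not walked off its end. */
arg_status check_shell_file_arg(const char *lpFile)
{
    size_t n;
    if (lpFile == NULL)
        return ARG_NULL;
    for (n = 0; n < MAX_PATH; n++) {
        unsigned char c = (unsigned char)lpFile[n];
        if (c == '\0')
            return ARG_OK;
        if (c < 0x20 || c == 0x7f)
            return ARG_BAD_CHAR;
    }
    return ARG_TOO_LONG;   /* no terminator within MAX_PATH bytes */
}

/* Builds a constructed string of `len` bytes of 'A' and validates it.
   Convenient for exercising the length bound without a stack buffer. */
arg_status check_filled_arg(size_t len)
{
    arg_status st;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return ARG_NULL;
    memset(buf, 'A', len);
    buf[len] = '\0';
    st = check_shell_file_arg(buf);
    free(buf);
    return st;
}

/* Wrapper an application would call instead of ShellExecute() directly.
   Returns 0 on success, -1 if the argument is rejected or the call fails.
   Only the validation runs on non-Windows builds. */
int guarded_shell_execute(const char *lpFile)
{
    if (check_shell_file_arg(lpFile) != ARG_OK) {
        fprintf(stderr, "refusing to pass an invalid lpFile to ShellExecute()\n");
        return -1;
    }
#ifdef _WIN32
    /* ShellExecute() reports success with a value greater than 32. */
    return ((INT_PTR)ShellExecuteA(NULL, "open", lpFile, NULL, NULL,
                                   SW_SHOWNORMAL) > 32) ? 0 : -1;
#else
    return 0;   /* validation passed; nothing to launch off Windows */
#endif
}

int main(void)
{
    /* constructed sample inputs */
    printf("notepad path : %d\n", check_shell_file_arg("C:\\WINNT\\notepad.exe"));
    printf("1023 x 'A'   : %d\n", check_filled_arg(1023));
    printf("tab in name  : %d\n", check_shell_file_arg("a\tb"));
    return 0;
}
```

      The wrapper rejects the input before the DLL sees it, so an overlong
      document name arriving from a file, a URL or a mail attachment
      cannot reach the vulnerable code path even on an unpatched host.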
    
    
    Tested Version:
    ---------------
      SHELL32.DLL (Version 5.0.3502.6144)
    
    
    Solution:
    ---------
      This problem can be rectified by installing Windows 2000 Service Pack 4.
      http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
    
      Microsoft is considering publishing further information about this 
      problem.
    
    
    Discovered by:
    --------------
      Yuu Arai y.araiat_private
      Hisayuki Shinmachi
    
    
    Acknowledgements:
    -----------------
    Thanks to:
      RimArts, Inc. Tomohiro Norimatsu
      Security Response Team of Microsoft Asia Limited
    
    
    Disclaimer: 
    -----------
    The information contained in this advisory may be revised without prior 
    notice and is provided as it is. Users shall take their own risk when 
    taking any actions following reading this advisory. LAC Co., Ltd. shall 
    take no responsibility for any problems, loss or damage caused by, or by 
    the use of information provided here.
    
    This advisory can be found at the following URL: 
    http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html
    
    ------------------------------------------------------------------
    Secure Net Service(SNS) Security Advisory <snsadvat_private>
    Computer Security Laboratory, LAC  http://www.lac.co.jp/security/
    