
Wednesday, June 15, 2005

[NT] Microsoft Windows Interactive Training Buffer Overflow (MS05-031)

The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Microsoft Windows Interactive Training Buffer Overflow (MS05-031)
------------------------------------------------------------------------

SUMMARY

Microsoft Interactive Training is "an application included with some OEM
versions of Windows XP that allows users to receive multimedia training on
a variety of software products".

Remote exploitation of a buffer overflow vulnerability in Microsoft's
orun32.exe application allows attackers to execute arbitrary code in the
security context of the logged-on user.

DETAILS

Vulnerable Systems:
* Microsoft Interactive Training version 3.5.0.116 on Windows XP (other
versions suspected)

The problem specifically exists when processing a malformed .cbo file. A
typical .cbo file might have the following contents:
[Microsoft Interactive Training]
User=DEFAULT
SerialID=00000000

If an attacker crafts a file containing a long string in the User field,
the user-supplied value is copied into a fixed-size stack buffer without
any length check. The copy runs past the end of the buffer and overwrites
adjacent stack memory, such as the saved return address or a Structured
Exception Handler (SEH) record, giving the attacker control of execution
flow.
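The parsing pattern the advisory describes, as an added C example that is not code from the advisory or from orun32.exe: a minimal reader for the [Microsoft Interactive Training] section that extracts the User value, first in the vulnerable shape (unbounded copy into a fixed stack buffer) and then in a hardened form that rejects an over-long value instead of copying it. The 32-byte buffer size, all function names, and the constructed .cbo contents are assumptions; the advisory gives neither the real buffer size nor the copy routine used by orun32.exe.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer; the advisory does not give the real one. */
#define USER_BUF 32

/* Constructed benign .cbo contents, matching the layout shown in the advisory. */
static const char CBO_BENIGN[] =
    "[Microsoft Interactive Training]\r\n"
    "User=DEFAULT\r\n"
    "SerialID=00000000\r\n";

/* Find "key=" on its own line inside the [Microsoft Interactive Training]
 * section. Returns a pointer to the value and stores its length (up to the
 * end of the line), or NULL if the section or key is missing. Nothing here
 * bounds the length: it is whatever the file author wrote. */
static const char *cbo_find_value(const char *contents, const char *key, size_t *len)
{
    const char *p = strstr(contents, "[Microsoft Interactive Training]");
    size_t klen = strlen(key);
    if (!p) return NULL;
    while ((p = strchr(p, '\n')) != NULL) {
        p++;
        if (*p == '[') return NULL;             /* reached the next section */
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            *len = strcspn(v, "\r\n");
            return v;
        }
    }
    return NULL;
}

/* The pattern the advisory describes: the User value is copied into a
 * fixed-size stack buffer without checking its length, so a long value
 * overwrites whatever follows the buffer (saved return address, SEH record).
 * Only ever call this with trusted input. Returns 0 on success, -2 if no User key. */
int cbo_load_user_vulnerable(const char *contents, char *out, size_t outlen)
{
    char user[USER_BUF];
    size_t len;
    const char *v = cbo_find_value(contents, "User", &len);
    if (!v) return -2;
    memcpy(user, v, len);          /* len is attacker-controlled: overflow when len >= USER_BUF */
    user[len] = '\0';
    if (strlen(user) >= outlen) return -1;
    strcpy(out, user);
    return 0;
}

/* Hardened form: reject any value that would not fit, rather than truncating
 * silently (a silently truncated username is a correctness bug of its own).
 * Returns 0 on success, -1 if the value is too long, -2 if no User key. */
int cbo_load_user_safe(const char *contents, char *out, size_t outlen)
{
    size_t len;
    const char *v = cbo_find_value(contents, "User", &len);
    if (!v) return -2;
    if (len >= USER_BUF || len >= outlen) return -1;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build constructed .cbo contents whose User value is user_len 'A' bytes,
 * the malformed shape the advisory describes. Returns 0, or -1 if buf is too small. */
int cbo_build_file(size_t user_len, char *buf, size_t buflen)
{
    const char *head = "[Microsoft Interactive Training]\r\nUser=";
    const char *tail = "\r\nSerialID=00000000\r\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + user_len + tl + 1 > buflen) return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', user_len);
    memcpy(buf + hl + user_len, tail, tl + 1);   /* tl + 1 copies the terminating NUL */
    return 0;
}

/* Convenience: what the hardened loader returns for a User value of user_len bytes. */
int cbo_safe_result_for_len(size_t user_len)
{
    char file[1024], out[64];
    if (cbo_build_file(user_len, file, sizeof file) != 0) return -3;
    return cbo_load_user_safe(file, out, sizeof out);
}

int main(void)
{
    char out[64];
    int rc = cbo_load_user_safe(CBO_BENIGN, out, sizeof out);
    printf("benign file, safe loader: rc=%d user=%s\n", rc, out);
    printf("User of 300 bytes, safe loader: rc=%d (rejected, nothing copied)\n",
           cbo_safe_result_for_len(300));
    return 0;
}
```

The vulnerable variant is kept only to show the shape of the bug; it is never given the constructed long value, because doing so is undefined behaviour by design. The hardened loader fails closed: a User value of USER_BUF bytes or more is refused before any copy takes place.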

Exploitation of this vulnerability allows remote attackers to execute
arbitrary code with the privileges of the currently logged-on user.
Exploitation requires that an attacker convince a target user to open a
malicious .cbo file. It is a common default configuration in OEM versions
of Windows XP to allow .cbo files to be opened without confirmation via
Internet Explorer; this allows an attacker to use an IFRAME to force the
.cbo file to be opened without further interaction. Microsoft Windows
Interactive Training is included only in OEM versions of Windows XP, which
limits the number of affected systems.

To determine whether a given system is vulnerable, check for the presence
of the following registry key:
HKEY_CLASSES_ROOT\MITrain.Document\shell\open\command

If this key exists and has a value, Interactive Training is installed and
is registered as the handler for .cbo files.

Workaround:
Do not accept or open .cbo files from untrusted sources. Consider
filtering .cbo attachments at e-mail gateways.

To prevent .cbo files from being used with Microsoft Interactive Training,
remove the .cbo entry in HKEY_CLASSES_ROOT in the Windows Registry. To do
this, save the following text into a file called "fix.reg" and open it to
modify the registry:

Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\.cbo]

This disassociates .cbo files from the Interactive Training application, so
Explorer and Internet Explorer no longer hand such files to it, which
removes the IFRAME delivery path described above. It does not correct the
overflow itself; only the vendor patch does that. The change limits
functionality, but the application can still be used as before by manually
opening the executable and entering a username.

Vendor Status:
The vendor security advisory and appropriate patches are available at:
http://www.microsoft.com/technet/security/Bulletin/MS05-031.mspx

Disclosure Timeline:
02.23.05 - Initial vendor notification
02.23.05 - Initial vendor response
06.14.05 - Coordinated public disclosure

CVE Information:
CAN-2005-1212
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1212

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE
(idlabs-advisories@idefense.com).
The original article can be found at:
http://www.idefense.com/application/poi/display?id=262&type=vulnerabilities

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
