Windows Explorer
The vulnerability arises from the fact that there are other extensions such
as .svg, .mht, .mhtml that don't exist in Chrome's malicious extension
blacklist, and hence the user never gets a warning message before they are
auto-downloaded to his or her computer. If these downloaded files are
clicked from Chrome's download bar or Windows Explorer (which the user
is highly likely to do, considering his or her trust that Chrome warns
about malicious extensions), they will automatically get opened in other
browsers and can be used to steal any file on the user's computer.
The reason for the name "Blended Browser Threats" is because here, Google
delivery mechanisms for binary planting attacks.
Some interesting findings:
- Clicking a link to a remote shared folder on a web page will open this share in
Windows Explorer without a warning for 67% of all Internet Explorer users.
- Clicking a link to a remote shared folder in an e-mail message will open this share
in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live
Mail users, regardless of their default web browser. (E-mail is the most likely
vector for targeted attacks on corporate and government networks.)
Internet Video Recording (IVR) files contain media content that is played and recorded by RealPlayer. A remote attacker could craft a malicious IVR file that, when sent to an unsuspecting user and viewed, may allow the execution of arbitrary code through one of two vulnerabilities in RealPlayer's IVR processing routine:
* A heap corruption vulnerability that occurs when altering a field that determines the length of a structure
* A vulnerability that allows an attacker to write one null byte to an arbitrary memory address by using an overly long file name length value
It should be noted that the victim does not necessarily have to open the malicious file for exploitation to occur: the vulnerabilities lie in a DLL that is also used as a plugin for the Windows Explorer shell. A successful attack could take place by merely previewing the IVR file through Windows Explorer.
Solutions:
==========
The FortiGuard Global Security Research Team released the signature "RealNetworks.RealPlayer.IVR.File.Processing.Code.Execution"
1. Stop the Operations Manager for Windows console and its additional binaries, such as node editor.
2. From a command prompt, back up %OvInstallDir%\bin\srcvw4.dll
3. From a command prompt, copy OMW60_srcvw4.dll into %OvInstallDir%\bin\srcvw4.dll
4. Verify that %OvInstallDir%\bin\srcvw4.dll is now v4.0.1.2
Note: Steps 2 and 3 above must be performed from the Windows command line, not from Windows Explorer.
For Operations Manager for Windows v7.5
Verify the version of srcvw32.dll currently installed
and even shares located on Internet.
This vulnerability is exploitable through other products that F-Secure
products integrate with, most notably web browsers. One such example is a
combination of Mozilla Firefox and F-Secure Internet Security 2011. When
launched by double-clicking an .HTML file via Windows Explorer (or most
any other popular file manager), Firefox is started with the current
working directory (CWD) set to the folder where this file resides. If F-
Secure Internet Security is installed, Firefox displays its toolbar and
allows the user to view and edit the "Browsing protection" settings. These
get launched by Firefox and inherit its CWD, but they also integrate a
<?php
/*
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer
remote buffer overflow poc
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
If the resulting file is placed on the desktop, against ex. xp sp3
process explorer.exe will exit with code 1282 (0x502) that is
ERROR_STACK_BUFFER_OVERRUN and crash infinitely, you cannot even browse a folder
located at: 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the format of this
file is not entirely text, IE will store every visited URL including any
parameters in the query string in plain text.
2. Although the aforementioned folder cannot be directly browsed
using Windows Explorer or Internet Explorer, it can be browsed and
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.
3. There are some HTML tags that allow embedding content from
external files and treating it with a specific format, disregarding the
Description:
Passing the file protocol handler to a certain HTML element allows reading local
files.
On Windows it is possible to create an instance of Windows Explorer by
calling an executable file. Other operating systems were not tested.
In detail, the following flaw was determined:
containing folder (e.g., menu: Window -> Downloads -> right-click on a
file -> Show Containing Folder), the malicious explorer.exe is launched
instead of the legitimate one.
Alternatively, if the HTML file opens (or redirects to) any "file://"
location, Safari's attempt to launch Windows Explorer will result in
launching the malicious explorer.exe.
Since Windows systems have the Web Client service running by default
(which makes remote network shares accessible via WebDAV), the malicious
EXE can also be deployed from an Internet-based network share as long as
Two dynamically linked libraries (DLLs) were updated on the
Microsoft Windows platform to address the vulnerabilities that
are described in this advisory. These files are in the folder C:\
Program Files\WebEx\Record Playback or C:\Program Files (x86)\
Webex\Record Player. The version number of a DLL can be obtained
by browsing the Record Playback directory in Windows Explorer,
right-clicking on the file name, and choosing Properties. The
Version or Details tab of the Properties page provides details on
the library version. The following table gives the first fixed
version number for each DLL. If the installed versions are equal
to or greater than the versions provided in the table, the system
It is important to note that a SAMI file does not necessarily have to
end with a .smi or .sami extension. DirectShow will identify the file
based on the file contents.
If "Web View Content" is enabled in Windows Explorer, which is the
default setting, a single click will open the malicious file in the
preview pane and trigger the vulnerability.
DirectX 9.0c is listed as an optional update for Windows 2000 operating
system in Windows Update site. It is not listed as a critical update.
Problem confirmed on multiple Windows Explorer releases and also reproduced in antivirus software (the same infinite loop consuming 100% CPU).
> > calls another popup in the previous Outlook space and then terminates
> > itself (that's close enough, anyway). The good news is that there is no
> > "user hopping" or "boundary crossing" here.
>
> Sounds comparable to what the Windows Explorer does when
> it is not explicitly set to run as a separate process (or
> started with the /separate switch).
>
> Is there some design principle behind this kind of behaviour?
>
The vendor did not provide fixes or workaround information.
To prevent the accidental execution of malicious scripting files, you
can disable the default file association of the dangerous file
extensions in Windows Explorer. The following KB article from
Microsoft describes how to disassociate a file extension:
http://support.microsoft.com/kb/307859
6. *Credits*
victim to open it. This can be accomplished by embedding the PDF file
into an IFRAME inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, this vulnerability can be
triggered simply by accessing a folder containing PDF files.
IV. DETECTION
Acrobat Reader and Acrobat Professional versions 7.1.0, 8.1.3, 9.0.0 and
victim to open it. This can be accomplished by embedding the PDF file
into an IFrame inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, Acrobat will try to generate a
preview for PDF files when a folder containing PDF files is accessed,
thus triggering the exploitation.
IV. DETECTION
where X is an integer like 1, 2, 3, depending on the Internet Explorer
choice.
The cookies folder is hardcoded inside the Explorer engine as a
restricted site. You can check it by looking at the status bar when
browsing this folder with Windows Explorer.
When requesting a resource, for example, in the 'src' attribute of an
HTML 'img' tag, Internet Explorer allows the usage of 'smb' URIs. So,
when IE attempts to render the following line:
> > running in the same interactive logon space, and when it starts, it just
> > calls another popup in the previous Outlook space and then terminates
> > itself (that's close enough, anyway). The good news is that there is no
> > "user hopping" or "boundary crossing" here.
>
> Sounds comparable to what the Windows Explorer does when
> it is not explicitly set to run as a separate process (or
> started with the /separate switch).
Or what firefox, mozilla and others do when you start them on the command
Feb 08, 2011
I. BACKGROUND
The Windows Picture and Fax Viewer "shimgvw.dll" library is used by
Windows Explorer to generate thumbnail previews for media files.
II. DESCRIPTION
Remote exploitation of a buffer overflow vulnerability in multiple
versions of Microsoft Corp.'s Windows could allow attackers to execute
> exist.
I can partly agree with this for local attacks where an attacker places a
malicious file - be it .ppt or .exe - somewhere on the user's computer or
USB drive and gets the user to double-click it. With a remote attack of
this type, Windows Explorer will issue a security warning if you
double-click an .exe on a remote share, but will let you double-click
a .ppt without such a warning. It's hard to say what percentage of users
would actually be stopped by such a warning, but I'd consider it a part
of the security model.
> running in the same interactive logon space, and when it starts, it just
> calls another popup in the previous Outlook space and then terminates
> itself (that's close enough, anyway). The good news is that there is no
> "user hopping" or "boundary crossing" here.
Sounds comparable to what the Windows Explorer does when
it is not explicitly set to run as a separate process (or
started with the /separate switch).
Is there some design principle behind this kind of behaviour?
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the
ClickOnce will show a warning dialog similar to the dialog shown in
figure 1. This specifically happens when the ClickOnce application files
are saved in the Temporary Internet Files folder using Internet
Explorer; for example using object tags with the type attribute set to
text/plain. If the deployment manifest is opened (i.e. using Windows
Explorer), the warning is shown.
Permissions in the Local Machine security zone
Prior to Windows XP Service Pack 2 if a web page was loaded in the Local
Machine security zone, it was granted full privileges. For example, it
CA ARCserve Replication and High Availability r15.2
How to determine if the installation is affected
1. Using Windows Explorer, locate the file "mng_core_com.dll". By
default in r12.0 and r12.5, the file is located in the
"C:\Program Files\CA\XOsoft\Manager" directory. For r15.0 sp1, the
file is located in the "C:\Program Files\CA\ARCserve RHA\Manager"
directory.
2. Right click on the file and select Properties.
CA ARCserve D2D r15
How to determine if the installation is affected
Using Windows Explorer, go to the directory
"<D2D_HOME>\TOMCAT\webapps\WebServiceImpl", and look for the existence
of a folder called "axis2-web".
Solution
CA Host-Based Intrusion Prevention System 8.1 CF 1
How to determine if the installation is affected
1. Using Windows Explorer, locate the file "kmxIds.sys". By
default, the file is located in the
"C:\Windows\system32\drivers\" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is less than indicated in the below table, the
Alternatively, use the file information below to determine if the
product installation is vulnerable.
CA ARCserve Backup r11.1 Windows:
1. Using Windows Explorer, locate the file "DBserver.dll". By
default, the file is located in the
"C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
How to determine if you are affected:
1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
vulnerable.