RE: Unchecked buffer in mstask.dll
In MS02-022 the only workaround Microsoft lists is this: "Do not open or
save .job files that you receive from untrusted sources."
As you mentioned, this vulnerability can be triggered automatically
without user interaction and without opening or saving .job files by
navigating to an explorer folder that contains a malicious .job file,
which can be done either locally, remotely on a webpage or inside an
HTML email.
The primary cause of this automated exploitation is the concept of
dynamic icon handlers. For an introduction to these, read the "Creating
Icon Handlers" article at
http://msdn.microsoft.com/library/en-us/shellcc/platform/shell/programme
rsguide/shell_int/shell_int_extending/extensionhandlers/iconhandlers.asp
(short: http://tinyurl.com/3uanu )
To quote:
"An icon handler is a type of Shell extension handler that allows you to
dynamically assign icons to the members of a file class. Every time a
file from the class is displayed, the Shell queries the handler for the
appropriate icon. For instance, an icon handler can assign different
icons to different members of the class, or vary the icon based on the
current state of the file."
To summarize, every time you open a directory in an Explorer window,
Explorer will examine each and every filetype in that directory and
determine whether each filetype has an associated icon handler. When you
look at .job files you get a reference to the JobObject entry in
HKLM\Software\Classes\JobObject which in turn has a shellex\IconHandler
entry that points at {DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} whose
InProcServer32 is mstask.dll that is automatically launched without user
interaction.
You can completely mitigate against automated exploitation of this
vulnerability simply by deleting or renaming the following registry
entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JobObject\shellex\IconHandler
The only noticable difference is that your .job files will not have as
pretty of an icon.
I'm positive that following your advisory we will find other
vulnerabilities involving dynamic icon handlers. It's quite easy to
mitigate against this potential impact simply by removing all dynamic
icon handlers and I'll be testing the cosmetic impact of this in the
days to come.
Removing the automated attack vector means that the only way to have
this exploited is to convince the user to launch Task Scheduler and
import your malicious .job file.
As Brett mentions, Qwik-Fix Pro protects against automated remote
exploitation of this vulnerability and you can get a free copy at
http://qwik-fix.net/.
Microsoft should update the MS02-022 bulletin to reflect that automated
exploitation is possible. Currently, the only listed affected software
is Windows 2000 but I had no problems reproducing this on Windows XP as
well. Since there is no patch available for Windows XP to fix this
vulnerability the only workaround is to disable the dynamic icon handler
for JobObject files, as described above.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Brett Moore [mailto:brett.moore@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, July 13, 2004 10:51 PM
To: Bugtraq@Securityfocus. Com
Subject: Unchecked buffer in mstask.dll
========================================================================
= Unchecked buffer in mstask.dll
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
=
= Affected Software:
= Microsoft Windows 2000 Service Pack 4
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
=
= Public disclosure on July 14, 2004
========================================================================
When thinking about buffer overflow vulnerabilities, a file can
sometimes be as harmful as a packet. Even though past security issues
have taught us that it is unwise to use an unvalidated text string
containing a file name or directory, that is what happened here.
By creating a .job file with a large "to be executed" field the stack
can be overwritten allowing for remote command execution, when the file
is parsed by mstask.dll.
== Description ==
It appears that both explorer.exe and iexplore.exe will parse a .job
file when showing folder listings. Upon the parsing of the .job file,
the large "to be executed" field is passed to wcscpy without doing any
bounds checking.
Using explorer the viewing of a folder containing the .job is enough to
cause the buffer overflow to occur. The file can be hosted locally or on
a remote network share. A remote attack would require the end user to
visit the folder/share containing the exploit file.
Using Internet Explorer the viewing of a folder containing the .job file
through the use of an [iframe] object will cause the buffer overflow to
occur.
Viewing an HTML email that is based around the [iframe] attack avenue,
will also cause the buffer overflow. This will occur without any user
intervention if the preview pane is enabled, or with user intervention
by viewing the email.
It is possible that there are other avenues of attack to exploit this
vulnerability.
== Exploitation ==
Remote exploitation through Internet Explorer can be obtained through
the use of an iframe object pointing at an anonymous share.
Automatic exploitation of browser based bugs, does not rely on an
attacker sending a link, requiring the target user to click on it.
Links, references and other objects can easily be opened through script
code. And I am told that this can also be achieved without script code.
== Solutions ==
- Install the vendor supplied patch.
- Use browser protection products such as Qwik-Fix from PivX. They are
to
implement some protective measure against this very soon.
== Credit ==
Discovered and advised to Microsoft July 7th, 2003 by Brett Moore of
Security-Assessment.com
%-) Thor and the PivX guys, the #unconventional and the #conversational
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors
products.
######################################################################
CONFIDENTIALITY NOTICE:
This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the intended
recipient, you are not authorised to use or copy this message or
attachment or disclose the contents to any other person. Views expressed
are not necessarily endorsed by Security-Assessment.com Limited. Please
note that this communication does not designate an information system
for the purposes of the New Zealand Electronic Transactions Act 2003.
######################################################################