Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution

To: sapheal@xxxxxxx
Subject: Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Wed, 3 Jan 2007 15:52:07 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <836545866459aad368f1251.61892808.Active.mail@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <836545866459aad368f1251.61892808.Active.mail@xxxxxxxxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear sapheal@xxxxxxx and all,

 In  order  to call some bug "critical security vulnerability", you must
 show critical security impact from this vulnerability.

 For   local   vulnerability   security   impact  is  usually  privilege
 escalation.  That  is, local unprivileged user should be able to obtain
 privileges of another user or system account by exploiting this bug.

 Under  Unix,  local  vulnerabilities are usually because of the bugs in
 some  suid application. Under Windows there is no suid applications. To
 escalate  privileges  you  must  exploit  vulnerability  in some system
 component  or  service.  mc.exe  is  not  service  and  is  not  system
 component.

 I  can't  say  there  is no security impact from this bug at all. As an
 example,  you can execute malware code in context of signed application
 and  bypass  some  policy.  But  it's definitely not "critical security
 vulnerability".

 Sorry for this short lecture.


--Tuesday, January 2, 2007, 10:06:30 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

shp> Synopsis: Windows NT Message Compiler 1.00.5239 arbitrary code execution
shp> Product:   Microsoft Windows XP



shp> Issue:
shp> ======

shp> A critical security vulnerability has been found in Windows NT Message 
Compiler.
shp> Arbitrary code execution might be possible (local exploitation possible 
only).


shp> Details:
shp> ========
shp> MC (Windows NT Message Compiler) when provided a MC-filename longer than
shp> requested crashed due to memory corruption. Memory corruption conditions
shp> might allow the attacker to escalate privilleges.

shp> When overwriting the buffer with "A" (0x41):

shp> Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005:
shp> Access violation reading location 0x41414141.
shp> First-chance exception at 0x01003468 in MC.EXE: 0xC0000005:
shp> Access violation reading location 0x41414141.


shp> Affected Versions
shp> =================
shp> Microsoft (R) Message Compiler Version 1.00.5239


shp> Solution
shp> =========

shp> Proper bounds-checking.


shp> Kind regards,

shp> Michal Bucko (sapheal)
shp> hack.pl







-- 
~/ZARAZA
http://www.security.nnov.ru/

Follow-Ups:
- Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution
  - From: chinese soup

References:
- Windows NT Message Compiler 1.00.5239 arbitrary code execution
  - From: sapheal

Prev by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Next by Date: Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous
Previous by thread: Windows NT Message Compiler 1.00.5239 arbitrary code execution
Next by thread: Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution
Index(es):
- Date
- Thread