TUCoPS :: Windows :: bt531.txt

Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow 


----------------------------------------------------------------------
SNS Advisory No.65
Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow

Problem first discovered: Thu, 5 Dec 2002
Published: Thu, 03 Jul 2003
Reference: http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html
----------------------------------------------------------------------

Overview:
---------
  A buffer overflow vulnerability exists in the Windows 2000 API 
  ShellExecute() function.


Problem Description:
-------------------
  Windows API ShellExecute() is a function to run an application 
  associated with a specified file extension.

  The problem is triggered when the pointer to an unusually long string 
  is set to the 3rd argument of the Windows 2000 API Shell Execute() 
  API function.

  It has been confirmed that several applications containing web browser, 
  MUA and text editor are vulnerable to this problem.


Tested Version:
---------------
  SHELL32.DLL (Version 5.0.3502.6144)


Solution:
---------
  This problem can be rectified by installing Windows 2000 Service Pack 4.
  http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp

  Microsoft is considering public presentation of the further information
  about this problem.


Discovered by:
--------------
  Yuu Arai y.arai@lac.co.jp
  Hisayuki Shinmachi


Acknowledgements:
-----------------
Thanks to:
  RimArts, Inc. Tomohiro Norimatsu
  Security Response Team of Microsoft Asia Limited


Disclaimer: 
-----------
The information contained in this advisory may be revised without prior 
notice and is provided as it is. Users shall take their own risk when 
taking any actions following reading this advisory. LAC Co., Ltd. shall 
take no responsibility for any problems, loss or damage caused by, or by 
the use of information provided here.

This advisory can be found at the following URL: 
http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC  http://www.lac.co.jp/security/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH