Microsoft Windows Interactive Training Buffer Overflow Vulnerability

iDEFENSE Security Advisory 06.14.05
www.idefense.com/application/poi/display?id=262&type=vulnerabilities
June 14, 2005

I. BACKGROUND

Microsoft Interactive Training is an application included with some OEM versions of Windows XP that allows users to receive multimedia training on a variety of software products.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Microsoft Corp.'s orun32.exe application allows attackers to execute arbitrary code in the context of the logged-on user.

The problem specifically exists when processing a malformed .cbo file. A typical .cbo file might have the following contents:

    [Microsoft Interactive Training]
    User=DEFAULT
    SerialID=00000000

If a malicious user crafts a file to contain a long string in the User field, the user-supplied value is copied into a fixed-size stack buffer without a length check. This allows an attacker to overwrite stack memory, such as the saved return address or a Structured Exception Handler (SEH) pointer, and gain control of execution flow.

III. ANALYSIS

Exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the currently logged-on user. Exploitation normally requires that an attacker convince a target user to open a malicious .cbo file. However, it is a common default configuration in OEM versions of Windows XP to allow .cbo files to be opened without confirmation via Internet Explorer; this allows an attacker to use an IFRAME to force the .cbo file to be opened without user interaction.

Microsoft Windows Interactive Training is included only in OEM versions of Windows XP, which limits the impact of this vulnerability.

IV. DETECTION

iDEFENSE has verified that Microsoft Interactive Training, version 3.5.0.116 on Windows XP, is vulnerable. All other versions are suspected to be vulnerable. Interactive Training is included by default in OEM versions of Windows XP.
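The bug class described in Section II, as an added illustration written for this page: it is not orun32.exe's code, and the buffer size (USER_BUF_SIZE), the function names and the constructed .cbo sample are assumptions. It shows the unchecked copy of the User= value into a fixed stack buffer next to a bounded version that rejects over-long values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USER_BUF_SIZE 64      /* hypothetical size; the real one is not given */
#define USER_KEY      "User="

/* Locate the value of the User= line in .cbo text. Returns a pointer to
 * the first byte of the value and stores its length (up to CR, LF or end
 * of text) in *len; returns NULL if no User= line is present. */
static const char *find_user_value(const char *cbo, size_t *len)
{
    const char *line = cbo;
    while (line && *line) {
        if (strncmp(line, USER_KEY, strlen(USER_KEY)) == 0) {
            const char *val = line + strlen(USER_KEY);
            *len = strcspn(val, "\r\n");
            return val;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return NULL;
}

/* Attacker-controlled length of the User= value, or -1 if absent. */
long user_value_length(const char *cbo)
{
    size_t n;
    return find_user_value(cbo, &n) ? (long)n : -1;
}

/* VULNERABLE PATTERN (the class of bug in the advisory, not orun32.exe's
 * code): unbounded copy into a fixed stack buffer. A User= value of
 * USER_BUF_SIZE bytes or more writes past the end of `user`, clobbering
 * whatever the compiler placed after it (saved registers, the return
 * address, and on Windows/x86 the SEH chain). Call only with benign input. */
size_t load_user_unsafe(const char *cbo)
{
    char user[USER_BUF_SIZE];
    size_t n;
    const char *v = find_user_value(cbo, &n);
    if (!v) return 0;
    memcpy(user, v, n);          /* no check that n < sizeof user */
    user[n] = '\0';
    return strlen(user);
}

/* Hardened form: the copy is bounded by the destination size and an
 * over-long value is rejected rather than silently truncated.
 * Returns 0 on success, -1 if User= is missing, -2 if the value is too long. */
int load_user_safe(const char *cbo, char *out, size_t outsz)
{
    size_t n;
    const char *v = find_user_value(cbo, &n);
    if (!v) return -1;
    if (n >= outsz) return -2;   /* leave room for the NUL terminator */
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Build .cbo text with the given User value (constructed sample input in the
 * layout shown in Section II). Returns 0, or -1 if buf is too small. */
int make_cbo(const char *user, char *buf, size_t bufsz)
{
    int n = snprintf(buf, bufsz,
                     "[Microsoft Interactive Training]\r\nUser=%s\r\nSerialID=00000000\r\n",
                     user);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : 0;
}

/* Build a .cbo whose User= value is n bytes of 'A' and return the hardened
 * loader's verdict (0 = accepted, -2 = rejected, -3 = test buffer too small). */
int check_user_of_length(size_t n)
{
    char name[4096], file[4352], out[USER_BUF_SIZE];
    if (n >= sizeof name) return -3;
    memset(name, 'A', n);
    name[n] = '\0';
    if (make_cbo(name, file, sizeof file) != 0) return -3;
    return load_user_safe(file, out, sizeof out);
}

int main(void)
{
    char file[256], out[USER_BUF_SIZE];
    make_cbo("DEFAULT", file, sizeof file);
    printf("benign:  User= is %ld bytes, safe load -> %d (%s)\n",
           user_value_length(file), load_user_safe(file, out, sizeof out), out);
    printf("hostile: 1024-byte User=, safe load -> %d\n", check_user_of_length(1024));
    return 0;
}
```

The benign DEFAULT file is accepted by both loaders, which is why the unchecked copy goes unnoticed in normal use; the hardened loader rejects any value of USER_BUF_SIZE bytes or more with -2 instead of writing past the buffer. Rejecting rather than truncating is deliberate: silent truncation hides the malformed input from the user and from any logging.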
To determine whether a given system is vulnerable, check for the presence of the following registry key:

    HKEY_CLASSES_ROOT\MITrain.Document\shell\open\command

If this key exists and contains a value, the system has Interactive Training installed and will process .cbo files.

V. WORKAROUND

Do not accept or open .cbo files from untrusted sources. Consider filtering .cbo attachments at e-mail gateways.

To prevent .cbo files from being used with Microsoft Interactive Training, remove the .cbo entry in HKEY_CLASSES_ROOT in the Windows Registry. To do this, save the following text into a file called "fix.reg" and open it to modify the registry:

    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\.cbo]

This disassociates .cbo files from the Interactive Training application, which limits functionality: .cbo files can no longer be opened by double-clicking or handed to the application by Internet Explorer, which is what blocks the IFRAME delivery described in Section III. The application can still be used as before by manually opening the executable and entering a username. Note that this removes only the file association; the vulnerable code in orun32.exe remains, so the vendor patch should still be applied.

VI. VENDOR RESPONSE

The vendor security advisory and appropriate patches are available at:

    http://www.microsoft.com/technet/security/Bulletin/MS05-031.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1212 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

02/23/2005  Initial vendor notification
02/23/2005  Initial vendor response
06/14/2005  Coordinated public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE.
If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.