[NT] Vulnerabilities in Windows Shell Allows Remote Code Execution (MS05-049)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Vulnerabilities in Windows Shell Allows Remote Code Execution (MS05-049)
------------------------------------------------------------------------


SUMMARY

Several vulnerabilities in Windows' Shell allows remote attackers to cause 
an unsuspecting user to execute arbitrary code.

DETAILS

Affected Software:
 * Microsoft Windows 2000 Service Pack 4 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1F063C4A-B0BF-49C6-928B-F1F076C69612>
 Download the update
 * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service 
Pack 2 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=F7241DEB-9E2D-401A-9D71-10ACAB4450AF>
 Download the update
 * Microsoft Windows XP Professional x64 Edition -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=594AD01B-F333-4C56-9C12-D1A8B82F2A6E>
 Download the update
 * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service 
Pack 1 -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=1A4FCFDE-E549-4078-A180-076A23CB8BB7>
 Download the update
 * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft 
Windows Server 2003 with SP1 for Itanium-based Systems -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA63AF8-3D36-4F3C-BFEE-11B62572AF73>
 Download the update
 * Microsoft Windows Server 2003 x64 Edition -  
<http://www.microsoft.com/downloads/details.aspx?FamilyId=994B14B4-EE98-4B61-BDBE-CA5C20094855>
 Download the update

Non-Affected Software:
 * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and 
Microsoft Windows Millennium Edition (ME)

Shell Vulnerability - CAN-2005-2122:
A remote code execution vulnerability exists in Windows because of the way 
that it handles the .lnk file name extension. By persuading a user to open 
an .lnk file that has specially-crafted properties an attacker could 
execute code on an affected system.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2122> 
CAN-2005-2122

Mitigating Factors for Shell Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker would have no way to force users to visit a malicious Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site. After they click the link, they would be prompted to 
perform an action. An attack could only occur after they performed this 
actions.

 * The vulnerability could not be exploited automatically through e-mail. 
For an attack to be successful a user must open an attachment that is sent 
in an e-mail message.

 * To exploit this vulnerability locally the attacker must have valid 
logon credentials and be able to log on. The vulnerability could not be 
exploited remotely or by anonymous users.

FAQ for Shell Vulnerability:
What is the scope of the vulnerability?
A remote code execution vulnerability exists in Windows because of the way 
that it handles files with the .lnk file name extension. An attacker could 
exploit the vulnerability by persuading a user to open an .lnk file that 
has specially-crafted properties. An attacker who successfully exploited 
this vulnerability could execute code on the affected system. However, 
user interaction is required to exploit this vulnerability.

What causes the vulnerability?
The way that Windows handles certain properties that are associated with 
lnk files.

What are .lnk files?
An .lnk file is a file that is used to point to another file, such as a 
program. These files are often known as shortcut files and can contain 
properties that are passed to the target program.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted .lnk file to a 
user, and then persuade that user to open the .lnk file, could try to 
exploit this vulnerability.

How could an attacker exploit the vulnerability?
To exploit this vulnerability locally, an attacker must be able to log on 
to the specific system that is targeted for attack or persuade a user to 
open a specially-crafted .lnk file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be 
at more risk if users who have administrative permissions log on to 
servers and open specially-crafted .lnk files.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is 
targeted for attack or persuade a user to open a specially-crafted .lnk 
file.

What does the update do?
The update removes the vulnerability by modifying the way that Windows 
processes files that use the .lnk file name extension.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information to 
indicate that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

Shell Vulnerability - CAN-2005-2118:
A remote code execution vulnerability exists in Windows because of the way 
that it handles files with the .lnk file name extension. By persuading a 
user to view the properties of a specially-crafted .lnk file, an attacker 
could execute code on the affected system.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2118> 
CAN-2005-2118

Mitigating Factors for Shell Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker would have no way to force users to visit a malicious Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site. After they click the link, they would be prompted to 
perform an action. An attack could only occur after they performed this 
action.

 * The vulnerability could not be exploited automatically through e-mail. 
For an attack to be successful, a user must open an attachment that is 
sent in an e-mail message.

 * To exploit this vulnerability locally, the attacker must have valid 
logon credentials and be able to log on. The vulnerability could not be 
exploited remotely or by anonymous users.

FAQ for Shell Vulnerability:
What is the scope of the vulnerability?
A remote code execution vulnerability exists in Windows because of the way 
that it handles files with the .lnk file name extension. An attacker could 
exploit the vulnerability by persuading a user to view the properties of 
an .lnk file that contains specially-crafted properties. An attacker who 
successfully exploited this vulnerability could execute code on the 
affected system. However, user interaction is required to exploit this 
vulnerability.

What causes the vulnerability?
This vulnerability is attributed to the way Windows handles certain 
properties that are associated with .lnk files.

What are .lnk files?
An .lnk file is a file that is used to point to another file, such as a 
program. These files are often known as shortcut files and can contain 
properties that are passed to the target program.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

Who could exploit the vulnerability?
Any anonymous user who could deliver a specially-crafted .lnk file to a 
user, and then persuade that user to open the .lnk file, could try to 
exploit this vulnerability.

How could an attacker exploit the vulnerability?
To locally this vulnerability locally, an attacker must be able to log on 
to the specific system that is targeted for attack or persuade a user to 
right click and view the properties of a specially-crafted .lnk file.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be 
at more risk if users who do not have sufficient administrative 
permissions are given the ability to log on to servers and open 
specially-crafted .lnk files. However, best practices strongly discourage 
allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is 
targeted for attack or persuade a user to open on a specially-crafted .lnk 
file.

What does the update do?
The update removes the vulnerability by modifying the way that Windows 
handles malformed .lnk file properties before passing them to allocated 
buffers.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information to 
indicate that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.

Web View Script Injection Vulnerability:
A remote code execution vulnerability exists in the way that Web View in 
Windows Explorer handles certain HTML characters in preview fields. By 
persuading a user to preview a malicious file, an attacker could execute 
code. However, user interaction is required to exploit this vulnerability.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2117> 
CAN-2005-2117


Mitigating Factors for Web View Script Injection Vulnerability:
 * In a Web-based attack scenario, an attacker would have to host a Web 
site that contains a Web page that is used to exploit this vulnerability. 
An attacker would have no way to force users to visit a malicious Web 
site. Instead, an attacker would have to persuade them to visit the Web 
site, typically by getting them to click a link that takes them to the 
attacker's Web site. After they click the link, they would be prompted to 
perform an action. An attack could only occur after they performed these 
actions.

 * An attacker who successfully exploited this vulnerability could gain 
the same user rights as the local user. Users whose accounts are 
configured to have fewer user rights on the system could be less impacted 
than users who operate with administrative user rights.

 * The vulnerability could not be exploited automatically through e-mail. 
For an attack to be successful through e-mail a user must save an 
attachment locally and then preview it in Windows Explorer.

Workarounds for Web View Script Injection Vulnerability:
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
in the following section.

 * Disable Web View:
Disabling Web View will reduce the ability to maliciously use this feature 
to perform an attack. To disable Web View, follow these steps:

1. Click Start, and then click My Computer.
2. Click Tools menu, and then click Folder Options.
3. On the General tab, under Tasks, click Use Windows classic folders, and 
then click OK.

These settings take affect only after you log off the system and then log 
back on again.

Impact of Workaround: This change will reduce the functionality of Windows 
Explorer by removing the left hand task pane which contains links to 
common folders and tasks.

 * Use the Group Policy settings to disable Web View on all affected 
systems that do not require this feature:
Disabling Web View will reduce the ability to maliciously use this feature 
to perform an attack.

For more information about Group Policy, visit the following Web sites:
 * Step-by-Step Guide to Understanding the Group Policy Feature Set
 * Windows 2000 Group Policy

Impact of Workaround: This change will reduce the functionality of Windows 
Explorer by removing the task pane, which contains links to common folders 
and tasks.

 * Block TCP ports 139 and 445 at the perimeter firewall:

These ports are used to initiate a connection by using the Server Message 
Block (SMB) protocol. Blocking outbound SMB traffic at the perimeter 
firewall will help prevent systems from trying to connect to a malicious 
file server outside the firewall. For more information about the ports, 
visit the following Web site.

Impact of Workaround: Computers that are behind the firewall will be 
unable to access trusted file servers by using the Server Message Block 
(SMB) protocol outside the network.


FAQ for Web View Script Injection Vulnerability:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. By persuading a user to 
preview a malicious file, an attacker could execute code. If a user is 
logged on with administrative user rights, an attacker who successfully 
exploited this vulnerability could take complete control of an affected 
system. An attacker could then install programs; view, change, or delete 
data; or create new accounts with full user rights. Users whose accounts 
are configured to have fewer user rights on the system could be less 
impacted than users who operate with administrative user rights. However, 
user interaction is required to exploit this vulnerability.

What causes the vulnerability?
The process that Windows Explorer uses to validate HTML characters in 
certain document fields when in Web View.

What is Web View?
Web View is one of two formats that Windows Explorer provides to view file 
and folder information. This feature allows a user to preview a file or 
folder in a thumbnail view before they open it. Web View also displays 
information about that file or folder, such as the title and the author.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take 
complete control of the affected system.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a malicious 
file and placing it in a local or remote location. The attacker would then 
have to persuade a user to connect to the folder in Windows Explorer and 
preview the document. The document could then cause the affected system to 
execute code.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be 
at more risk if users who do not have sufficient administrative 
permissions are given the ability to log on to servers and to run 
programs.

What does the update do?
The update addresses the vulnerability by modifying the way that Windows 
Explorer validates HTML characters in certain file fields.

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft received information about this vulnerability through 
responsible disclosure. Microsoft had not received any information to 
indicate that this vulnerability had been publicly disclosed when this 
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:  
<http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx> 
http://www.microsoft.com/technet/security/bulletin/ms05-049.mspx



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.