Brummelchen
Guest
- ----------------------------------------------------------------------
Title: Unchecked Buffer in File Decompression Functions Could
Lead to Code Execution (Q329048)
Date: 02 October 2002
Software: Microsoft Windows 98 with Plus! Pack, Windows Me,
or Windows XP
Impact: Two vulnerabilities, the most serious of which could
run code of attacker's choice
Max Risk: Moderate
Bulletin: MS02-054
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-054.asp.
- ----------------------------------------------------------------------
Issue:
======
Zipped files (files having a .zip extension) provide a means to
store information in a way that uses less space on a hard disk. This
is accomplished by compressing the files that are put into the
zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows
XP, the Compressed Folders feature allows zipped files to be treated
as folders. The Compressed Folders feature can be used to create,
add files to, and extract files from zipped files.
Two vulnerabilities exist in the Compressed Folders function:
- An unchecked buffer exists in the program that handles the
decompressing of files from a zipped file. A security
vulnerability results because attempts to open a file with
a specially malformed filename contained in a zipped file could
possibly result in Windows Explorer failing, or in code of the
attacker's choice being run.
- The decompression function could place a file in a directory
that was not the same as, or a child of, the target directory
specified by the user as where the decompressed zip files should
be placed. This could allow an attacker to put a file in a known
location on the user's system, such as placing a program in a
startup directory.
Mitigating Factors:
====================
- The vulnerabilities could not be exploited without user
intervention. The attacker would need to entice the user to
receive, store, and open the zipped file provided by the
attacker.
- The vulnerabilities could not be exploited remotely. An attacker
would need to lure a user into receiving the zipped file onto
the user's machine. Best practices suggest users not accept
e-mail attachments from people who are not trusted, and not to
download files from untrusted Internet sites.
- On Windows 98 and Windows Me, the Compressed Folders feature is
not installed by default. Users who had not installed this
feature would not be vulnerable.
Risk Rating:
============
- Internet systems: Low
- Intranet systems: Low
- Client systems: Moderate
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-054.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Joe Testa of Rapid7, Inc. (http://www.rapid7.com/) for reporting
the Unchecked Buffer in Zipped File Handling vulnerability.
- zen-parse for reporting the Incorrect Target Path for Zipped
File Decompression vulnerability.
- ---------------------------------------------------------------------
Win XP download, English:
http://download.microsoft.com/download/whistler/Patch/Q329048/WXP/EN-US/Q329048_WXP_SP2_x86_ENU.exe
WinXP download, German:
http://download.microsoft.com/download/whistler/Patch/Q329048/WXP/DE/Q329048_WXP_SP2_x86_DEU.exe
Win98 Plus! Pack download, German:
http://download.microsoft.com/download/WIN98/UPDATE/25556/W98/DE/329048GER8.EXE
- ----------------------------------------------------------------------
Title: Cumulative Patch for SQL Server (Q316333)
Date: 02 October 2002
Software: Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000
Impact: Four vulnerabilities, the most serious of which could
enable an attacker to gain control over an affected
server.
Max Risk: Critical
Bulletin: MS02-056
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-056.asp.
- ----------------------------------------------------------------------
Issue:
======
This is a cumulative patch that includes the functionality of all
previously released patches for SQL Server 7.0, SQL Server 2000, and
Microsoft Data Engine (MSDE) 1.0, Microsoft Desktop Engine (MSDE)
2000. In addition, it eliminates four newly discovered
vulnerabilities.
* A buffer overrun in a section of code in SQL Server 2000
(and MSDE 2000) associated with user authentication. By
sending a specially malformed login request to an affected
server, an attacker could either cause the server to fail or
gain the ability to overwrite memory on the server, thereby
potentially running code on the server in the security context
of the SQL Server service. It would not be necessary for the
user to successfully authenticate to the server or to be able
to issue direct commands to it in order to exploit the
vulnerability.
* A buffer overrun vulnerability that occurs in one of the
Database Console Commands (DBCCs) that ship as part of SQL
Server 7.0 and 2000. In the most serious case, exploiting
this vulnerability would enable an attacker to run code in
the context of the SQL Server service, thereby giving the
attacker complete control over all databases on the server.
* A vulnerability associated with scheduled jobs in SQL Server
7.0 and 2000. SQL Server allows unprivileged users to create
scheduled jobs that will be executed by the SQL Server Agent.
By design, the SQL Server Agent should only perform job
steps that are appropriate for the requesting user's
privileges. However, when a job step requests that an output file
be created, the SQL Server Agent does so using its own
privileges rather than the job owner's privileges. This creates a
situation in which an unprivileged user could submit a job
that would create a file containing valid operating system
commands in another user's Startup folder, or simply
overwrite system files in order to disrupt system operation.
The patch also changes the operation of SQL Server, to prevent
non-administrative users from running ad hoc queries against
non-SQL OLEDB data sources. Although the current operation does
not represent a security vulnerability, the new operation makes
it more difficult to misuse poorly coded data providers that might
be installed on the server.
Mitigating Factors:
====================
Unchecked buffer in SQL Server 2000 authentication function:
* This vulnerability only affects SQL Server 2000 and MSDE 2000.
Neither SQL Server 7.0 nor MSDE 1.0 are affected.
* If the SQL Server port (port 1433) were blocked at the firewall,
the vulnerability could not be exploited from the Internet.
* Exploiting this vulnerability would allow the attacker to
escalate privileges to the level of the SQL Server service
account. By default, the service runs with the privileges of a
domain user, rather than with system privileges.
Unchecked buffer in Database Console Commands:
* Exploiting this vulnerability would allow the attacker to
escalate privileges to the level of the SQL Server service
account. By default, the service runs with the privileges of a
domain user, rather than with system privileges.
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL Server or has permissions
to execute queries directly to the server.
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL Server.
Flaw in output file handling for scheduled jobs:
* The vulnerability could only be exploited by an attacker who
could authenticate to an affected SQL server.
Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-056.asp
for information on obtaining this patch.
Acknowledgment:
===============
* Issue regarding ad hoc queries against non-SQL OLEDB data
sources:
sk@scan-associates.net and pokleyzz@scan-associates.net
* Unchecked buffer in Database Console Commands:
Martin Rakhmanoff (jimmers@yandex.ru)
- ---------------------------------------------------------------------
Download not pursued further.
- ----------------------------------------------------------------------
Title: Unchecked Buffer in Windows Help Facility Could
Enable Code Execution (Q323255)
Date: 02 October 2002
Software: Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Impact: Attacker could gain control over user's system
Max Risk: Critical
Bulletin: MS02-055
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-055.asp.
- ----------------------------------------------------------------------
Issue:
======
The HTML Help facility in Windows includes an ActiveX control that
provides much of its functionality. One of the functions exposed via
the control contains an unchecked buffer, which could be exploited by
a web page hosted on an attacker's site or sent to a user as an HTML
mail. An attacker who successfully exploited the vulnerability would
be able to run code in the security context of the user, thereby
gaining the same privileges as the user on the system.
A second vulnerability exists because of flaws associated with the
handling of compiled HTML Help (.chm) files that contain shortcuts.
Because shortcuts allow HTML Help files to take any desired action on
the system, only trusted HTML Help files should be allowed to use
them. Two flaws allow this restriction to be bypassed. First, the
HTML Help facility incorrectly determines the Security Zone in the
case where a web page or HTML mail delivers a .chm file to the
Temporary Internet Files folder and subsequently opens it. Instead of
handling the .chm file in the correct zone - the one associated with
the web page or HTML mail that delivered it - the HTML Help facility
incorrectly handles it in the Local Computer Zone, thereby
considering it trusted and allowing it to use shortcuts. This error
is compounded by the fact that the HTML Help facility doesn't
consider what folder the content resides in. Were it to do so, it
could recover from the first flaw, as content within the Temporary
Internet Folder is clearly not trusted, regardless of the Security
Zone it renders in.
The attack scenario for this vulnerability would be complex, and
involves using an HTML mail to deliver a .chm file that contains a
shortcut, then making use of the flaws to open it and allow the
shortcut to execute. The shortcut would be able to perform any action
the user had privileges to perform on the system.
Before deploying the patch, customers should familiarize themselves
with the caveats discussed in the FAQ and in the Caveats section
below.
Mitigating Factors:
====================
Buffer Overrun in HTML Help ActiveX Control:
- The HTML mail-based attack vector could not be exploited on
systems where Outlook 98 or Outlook 2000 were used in conjunction
with the Outlook Email Security Update, or Outlook Express 6 or
Outlook 2002 were used in their default configurations.
- The vulnerability would convey only the user's privileges on
the system. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who
operate with administrative privileges.
Code Execution via Compiled HTML Help File:
- The vulnerability could only be exploited if the attacker
were able to determine the exact location of the Temporary
Internet Files folder. By design, this should not be possible, and
Microsoft is unaware of any means for doing so which has not
already been patched.
- The vulnerability would convey only the user's privileges on
the system. Users whose accounts are configured to have few
privileges on the system would be at less risk than ones who
operate with administrative privileges.
Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical
Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-055.asp
for information on obtaining this patch.
Acknowledgment:
===============
- David Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/) and Thor Larholm, Security Researcher,
PivX Solutions, LLC (http://www.pivx.com) for reporting the
Buffer Overrun in HTML Help ActiveX Control.
- ---------------------------------------------------------------------
Win98 download, German:
http://download.microsoft.com/download/win98/Patch/24354/W98/DE/323255GER8.EXE
Win2k download, German:
http://download.microsoft.com/downl...tch/Q323255/NT5/DE/Q323255_W2K_SP4_X86_DE.exe
WinXP download, German:
http://download.microsoft.com/download/whistler/Patch/Q323255/WXP/DE/Q323255_WXP_SP2_x86_DEU.exe
WinXP download, English:
http://download.microsoft.com/download/whistler/Patch/Q323255/WXP/EN-US/Q323255_WXP_SP2_x86_ENU.exe
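As an added example (not code from the bulletins or from Microsoft), here is the check that the two Compressed Folders flaws in MS02-054 call for on the extraction side: every member name is resolved against the target directory and refused if it lands anywhere other than that directory or a child of it, and names beyond a length bound are refused before they reach any filename buffer. The 255-character cap and the sample archive are assumptions constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

MAX_NAME = 255  # assumed bound on a member name (Windows MAX_PATH is 260)


def build_sample_zip():
    """Constructed archive: one benign entry, one whose name climbs out of
    the target directory, one with an over-long name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("../../outside.txt", "must never be written")
        zf.writestr("a" * 600 + ".txt", "name too long")
    return buf.getvalue()


def is_safe_member(name, target_dir):
    """True only if the name is bounded and resolves inside target_dir."""
    if not name or len(name) > MAX_NAME or "\x00" in name:
        return False
    norm = name.replace("\\", "/")  # treat both separator styles alike
    if norm.startswith("/") or norm[1:2] == ":":
        return False  # absolute path or drive-letter prefix
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, norm))
    # Destination must be the target directory itself or a child of it.
    return os.path.commonpath([root, dest]) == root


def safe_extract(zip_bytes, target_dir):
    """Extract only members that pass is_safe_member; return (kept, rejected)."""
    kept, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, target_dir):
                rejected.append(info.filename)
                continue
            zf.extract(info, target_dir)
            kept.append(info.filename)
    return kept, rejected


def run_demo():
    """Extract the constructed archive into a scratch directory."""
    with tempfile.TemporaryDirectory() as target:
        kept, rejected = safe_extract(build_sample_zip(), target)
        written = sorted(os.listdir(target))
    return kept, rejected, written


if __name__ == "__main__":
    print(run_demo())
```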