ADVISORY: Windows Shell Overflow

["Marc Maiffret" <marc () eeye com>]

Windows Shell Overflow

Release Date:
March 8, 2002

Severity:
Medium

Systems Affected:
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Server Edition
Microsoft Windows 2000

Description:
There exists a buffer overflow vulnerability within the Windows Shell that
can lead to execution of malicious code. The  vulnerability exists in how
the Windows Shell manipulates URL handlers that point to programs that do
not exist.

The Windows Shell exposes functionality to allow developers to write their
own custom URL handlers. For example programs such  as, ICQ, AIM, MS
Conference, mIRC, Windows Media Player, Outlook/Express, etc... install
their own custom URL handlers so  that functionality can be passed from a
URL to a program.

So for example we could write a custom URL handler called "eeye" and then
anytime someone performed a request for eeye://data  the data would be
passed to whatever program was written to handle the eeye URL.

Now the problem arises when a URL handler has been mapped, in the system
registry, to a program that does not exist.

For example AOL Instant Messenger installs a URL handler to
HKEY_CLASSES_ROOT\aim. The reason we know AIM is a URL handler is  because
of the existence of the key "URL Protocol" tells the windows shell that Aim
is a URL handler.

By enumerating the registry for "URL Protocol" keys we can determine all of
the installed URL handlers.

Next we identify a URL handler that is installed yet mapped to a
non-existent program.

The mapping to the URL handler is in the form of:
HKEY_CLASSES_ROOT\urlhandler\shell\open\command and whatever executable is
pointed to by (Default) is the executable to  handle that specific URL.

As stated the vulnerability is within the Windows Shell code that handles
URL's that point to a non-existent URL handler.

So if the AIM handler (HKEY_CLASSES_ROOT\aim\shell\open\command) was
pointing to a file that did not exist then that URL  handler could be
exploited via a buffer overflow in the data passed to the URL handler.

For example: aim://overflow
Where overflow is 324 or so bytes. At this point we take control of EIP and
can control the flow of execution within the  program. Which means we can
make our victim execute any code we wish.

It is very important to clarify there is no problem within AIM or the URL
handler program itself. The problem lies within  vulnerable code within the
Microsoft Windows Shell.

Reasons for certain URL handlers becoming exploitable could be, a program is
uninstalled and the uninstaller does not cleanly  remove the mapping in the
registry, or a user deletes the program folder which leaves the URL mapping
to a invalid file.

On a default installation of Windows the buffer overflow does exist although
exploiting it is impossible (as far as we know) because there are no default
URL handlers pointing to a file that doesn't exist. However, over time after
programs are installed and removed a system will become vulnerable.

This vulnerability is a local vulnerability although because of the
integrated nature of windows it is possible to exploit  this vulnerability
remotely using any program that supports URL. For example we could email
this attack URL within an  Outlook email or we could put this attack URL
within an "evil web page" and then get users to visit the web page. There
are  many different ways to remotely make a system process these "evil
URL's" in order to gain control.

When you exploit this vulnerability, locally or remotely, your code will
execute with the permissions of that of the user being attacked. So if the
user executing this evil URL is Administrator then your attack code will
execute as Administrator.

There are a few variables to a system being vulnerable to this buffer
overflow however we still encourage users to install the Microsoft patch as
soon as possible.

Vendor Status:
Microsoft has released a patch and security bulletin which is located at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-014.asp

CVE ID: CAN-2002-0070
This is a candidate for inclusion in the CVE list http://cve.mitre.org which
standardizes names for security problems.

Credit:
Marc Maiffret

Related Links:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS02-014.asp

Greetings:
Mr. Self Destruct and his Lollipop

Copyright (c) 1998-2002 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without  express consent
of eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic  medium, please e-mail alert () eEye com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS  IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages  whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info () eEye com