Full Disclosure mailing list archives
Flaws in the new security functions of SP2 - revisited
From: Juergen Schmidt <ju () heisec de>
Date: Fri, 3 Sep 2004 12:12:33 +0200 (CEST)
A couple of days ago I posted an advisory about flaws in the new security functions of Service Pack 2 (for details, see: http://www.heise.de/security/artikel/50051). Now I would like to share some additional information which has been found out in conjunction with Sven Ritter, a German developer.

1) The Windows Explorer caching issue

We gave a second look at the issue reported previously that Windows Explorer under certain conditions launches files using outdated Zone ID information from a system cache. Further inspection reveals that this does not only affect Explorer but any software which launches applications or scripts using the ShellExecuteEx function supplied by Windows.

The Internet Security Manager is in charge of determining the zone of a file (CLSID_InternetSecurityManager). This object contains a cache (CSecurityManager::CSecMgrCache) which stores zones which have been determined previously. When the function is called again, the method CSecurityManager::MapUrlToZoneInternal will first check whether there is a cached request for the corresponding file or URL. If there is cached information, the method will return the previously determined zone -- even if the file's Zone ID has changed in the meantime.

Since the Internet Security Manager is loaded as a COM object into the current process, the cache is local to that process. This explains why the problem can be "alleviated" by restarting Windows Explorer. It appears that the cache size is limited to four entries. If four files with different names are launched after the start of application XY, the function will recognize the changed Zone ID of application XY.

2) Other Execution Paths

The previous advisory showed how cmd.exe completely ignores Zone IDs. Further tests revealed other execution paths which circumvent checks contained in SP2.

Refresher: When downloading files through Internet Explorer and Windows Messenger or saving attachments transferred via Outlook Express, the file is given a Zone ID saved in an Alternate Data Stream. When a downloaded application or script is launched, Windows displays a security warning which alerts the user to the fact that this file has been downloaded from the Internet and that it could be dangerous.

If you extract files from a ZIP archive which has been downloaded from the Internet using XP's built-in ZIP Wizard (using File/Extract all), SP2 sets the Zone ID for the extracted files. However, if the ZIP archive is opened with a double-click and an executable file is extracted by Drag & Drop to the desktop or using Copy & Paste, no Zone ID is set. Additionally, Zone IDs are not set on files marked as Read-only -- even when using the Wizard. If the downloaded archive evil.zip contains evil1.exe (attrib -R) and evil2.exe (attrib +R) and you extract them with the Wizard into the folder evil, opening evil1 gives you a warning, opening evil2 does not.

bye, ju

--
Juergen Schmidt
Chefredakteur heise Security
www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417
EMail ju () heisec de
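As an added example (not part of the advisory and not Microsoft code), the following Python script audits a folder of extracted files for the Zone ID mark the post describes: it reads the NTFS alternate data stream Windows stores it in (`Zone.Identifier`, with INI-style content `[ZoneTransfer]` / `ZoneId=3`), and reports files that carry no mark, noting the read-only attribute that makes the Extract Wizard skip it. The stream name, its format and the zone numbers are Windows facts rather than values from the post; the function names are the example's own, and on a non-NTFS volume or a non-Windows host every file simply reads as unmarked.

```python
import os
from pathlib import Path
from typing import Dict, Optional

# URLZONE values as written to the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(text: str) -> Optional[int]:
    """Parse INI-style stream text ("[ZoneTransfer]\\r\\nZoneId=3") into a ZoneId."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                return int(value.strip()) if value.strip().isdigit() else None
    return None


def classify(stream_text: Optional[str], read_only: bool) -> str:
    """Label a file as the advisory describes: marked with a zone, or unmarked
    (noting the read-only attribute, which makes the Extract Wizard skip the mark)."""
    zone = parse_zone_identifier(stream_text) if stream_text is not None else None
    if zone is not None:
        return f"marked: {ZONE_NAMES.get(zone, f'zone {zone}')}"
    return "unmarked (read-only; Wizard skips Zone ID)" if read_only else "unmarked"


def read_zone_stream(path: Path) -> Optional[str]:
    """Return the Zone.Identifier ADS text, or None when the file has none
    (the open also fails on non-NTFS volumes and non-Windows hosts)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_directory(root: str) -> Dict[str, str]:
    """Map every regular file under root to its Zone ID classification."""
    results: Dict[str, str] = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            # os.access(W_OK) is False for files carrying the read-only attribute.
            results[str(p)] = classify(read_zone_stream(p), not os.access(p, os.W_OK))
    return results
```

Run `audit_directory("evil")` on the extracted folder from the post's scenario: evil1.exe reports as marked Internet, evil2.exe as unmarked with the read-only hint.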