what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 02-08-28.1

Atstake Security Advisory 02-08-28.1
Posted Aug 29, 2002
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Security Advisory A082802-1 - The Microsoft Terminal Server ActiveX client contains a buffer overflow in one of the parameters used by the ActiveX component when it is embedded in a web page which an attacker can exploit to run malicious code on a target system. The user would need to open a malicious HTML file as an attachment to an email message, as a file on the local or network file system, or as a link on a malicious web site.

tags | web, overflow, local, activex
SHA-256 | 56359c9b96a1991a0e4e4ca0c9bcd9337adab1526626b1bdc5b1cae7f982e8e1

Atstake Security Advisory 02-08-28.1

Change Mirror Download
                              @stake Inc.
www.atstake.com

Security Advisory

Advisory Name: Microsoft Terminal Server Client Buffer Overrun
Release Date: 08/28/2002
Application: Microsoft Terminal Server ActiveX Client v5.02221.1
Platform: Windows 95/98/NT 4.0/2000/XP
Severity: There is a buffer overflow condition that can result
in execution of arbitrary code.
Author: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Vendor has bulletin and patch
CVE Candidate: CAN-2002-0726
Reference: www.atstake.com/research/advisories/2002/a082802-1.txt


Overview:

Microsoft Terminal Server ActiveX client (http://www.microsoft.com
/windows2000/downloads/recommended/default.asp) is the ActiveX version
of the standard Windows Terminal Services client. It allows a client
to connect to a Terminal Server from a web page. This allows a web
developer to integrate a Win32-based application into a web page.

There is a buffer overrun vulnerability in one of the parameters used
by the ActiveX component when it is embedded in a web page. An attacker
could exploit this vulnerability to run malicious code on a target
system. The user would need to open a malicious HTML file as
an attachment to an email message, as a file on the local or network
file system, or as a link on a malicious web site. If the malicious
HTML file is opened it will cause the Active X component to execute
the arbitrary computer code contained within the HTML page with the
permissions of the attacker.

Since the Microsoft Terminal Server ActiveX client is signed by
Microsoft and marked safe there is no warning with the default Internet
Explorer security settings if you have previously selected to trust
all controls signed by Microsoft. This is a good example of why not to
trust any ActiveX components from an unknown source. A malicious site
could use an old vulnerable version of the ActiveX control even after
the patched ActiveX component is available from Microsoft. If users
install the latest vendor cumulative patch for Internet Explorer
this problem is eliminated.

Details:

By default, the Terminal Server ActiveX client will install itself in a
directory such as 'http://site/tsweb/'. The buffer overrun condition
occurs when a large string is used for the server name field. We were
able to cause an exception to occur with a long string made up of the
letter 'A'. The result was the over writing of EIP with 0x41414141.
ESI will point the buffer of supplied data.

The ID of the component tested was: 1FB464C8-09BB-4017-A2F5-EB742F04392F


Vendor Response:

Vendor has bulletin and patch for Terminal Server.
http://www.microsoft.com/technet/security/bulletin/ms02-046.asp

Vendor has bulletin and patch for Internet Explorer
http://www.microsoft.com/technet/security/bulletin/MS02-047.asp


Recommendation:

You should never open attachments/webpages that come from
unknown sources no matter how benign they may appear. Be wary of those
that come from known sources.

You should consider the benefits and risks of each attachment file
type or ActiveX control that you let into your organization. Attachment
file types or ActiveX controls that you do not need should be dropped at
your perimeter mail gateway or proxy server. Attachments that you choose
to forward on into your organization should be scanned for known
malicious code using a antivirus product.

End users should install the latest Internet Explorer cumulative patch
which sets the Kill Bit on the vulnerable version of the ActiveX
component so it will not execute.

Terminal Server administrators should install the vendor patch to
update the ActiveX component they have available for download. Until
this patch is installed users who have installed the Internet
Explorer cumulative patch will not be able to access the Terminal
Server via the ActiveX component.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2002-0726 Terminal Server ActiveX Client Buffer Overrun


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close