what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mstask.txt

mstask.txt
Posted Jul 14, 2004
Authored by Brett Moore SA | Site security-assessment.com

A remote code execution vulnerability exists in the Task Scheduler (mstask.dll) because of an unchecked buffer. Affected Software: Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP, Microsoft Windows XP Service Pack 1.

tags | advisory, remote, code execution
systems | windows
advisories | CVE-2004-0212
SHA-256 | b178c0fb6e2cf5a365096e5e090fe21dc3fe55636e18842f57f2b7cdfc145164

mstask.txt

Change Mirror Download
========================================================================
= Unchecked buffer in mstask.dll
=
= MS Bulletin posted:
= http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx
=
= Affected Software:
= Microsoft Windows 2000 Service Pack 4
= Microsoft Windows XP, Microsoft Windows XP Service Pack 1
=
= Public disclosure on July 14, 2004
========================================================================

When thinking about buffer overflow vulnerabilities, a file can sometimes
be as harmful as a packet. Even though past security issues have taught
us that it is unwise to use an unvalidated text string containing a file
name or directory, that is what happened here.

By creating a .job file with a large "to be executed" field the stack can
be overwritten allowing for remote command execution, when the file is
parsed by mstask.dll.

== Description ==

It appears that both explorer.exe and iexplore.exe will parse a .job file
when showing folder listings. Upon the parsing of the .job file, the
large "to be executed" field is passed to wcscpy without doing any
bounds checking.

Using explorer the viewing of a folder containing the .job is enough to
cause the buffer overflow to occur. The file can be hosted locally or
on a remote network share. A remote attack would require the end user
to visit the folder/share containing the exploit file.

Using Internet Explorer the viewing of a folder containing the .job file
through the use of an [iframe] object will cause the buffer overflow
to occur.

Viewing an HTML email that is based around the [iframe] attack avenue,
will also cause the buffer overflow. This will occur without any user
intervention if the preview pane is enabled, or with user intervention
by viewing the email.

It is possible that there are other avenues of attack to exploit this
vulnerability.

== Exploitation ==

Remote exploitation through Internet Explorer can be obtained through the
use of an iframe object pointing at an anonymous share.

Automatic exploitation of browser based bugs, does not rely on an attacker
sending a link, requiring the target user to click on it. Links, references
and other objects can easily be opened through script code. And I am told
that this can also be achieved without script code.

== Solutions ==

- Install the vendor supplied patch.
- Use browser protection products such as Qwik-Fix from PivX. They are to
implement some protective measure against this very soon.

== Credit ==

Discovered and advised to Microsoft July 7th, 2003 by Brett Moore of
Security-Assessment.com

%-) Thor and the PivX guys, the #unconventional and the #conversational

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.


######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close