BugTraq
Windows NT Message Compiler 1.00.5239 arbitrary code execution Jan 02 2007 07:06PM
sapheal hack pl (1 replies)
Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution Jan 03 2007 12:52PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Dear sapheal (at) hack (dot) pl [email concealed] and all,

In order to call some bug "critical security vulnerability", you must
show critical security impact from this vulnerability.

For local vulnerability security impact is usually privilege
escalation. That is, local unprivileged user should be able to obtain
privileges of another user or system account by exploiting this bug.

Under Unix, local vulnerabilities are usually because of the bugs in
some suid application. Under Windows there is no suid applications. To
escalate privileges you must exploit vulnerability in some system
component or service. mc.exe is not service and is not system
component.

I can't say there is no security impact from this bug at all. As an
example, you can execute malware code in context of signed application
and bypass some policy. But it's definitely not "critical security
vulnerability".

Sorry for this short lecture.

--Tuesday, January 2, 2007, 10:06:30 PM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:

shp> Synopsis: Windows NT Message Compiler 1.00.5239 arbitrary code execution
shp> Product: Microsoft Windows XP

shp> Issue:
shp> ======

shp> A critical security vulnerability has been found in Windows NT Message Compiler.
shp> Arbitrary code execution might be possible (local exploitation possible only).

shp> Details:
shp> ========
shp> MC (Windows NT Message Compiler) when provided a MC-filename longer than
shp> requested crashed due to memory corruption. Memory corruption conditions
shp> might allow the attacker to escalate privilleges.

shp> When overwriting the buffer with "A" (0x41):

shp> Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005:
shp> Access violation reading location 0x41414141.
shp> First-chance exception at 0x01003468 in MC.EXE: 0xC0000005:
shp> Access violation reading location 0x41414141.

shp> Affected Versions
shp> =================
shp> Microsoft (R) Message Compiler Version 1.00.5239

shp> Solution
shp> =========

shp> Proper bounds-checking.

shp> Kind regards,

shp> Michal Bucko (sapheal)
shp> hack.pl

--
~/ZARAZA
http://www.security.nnov.ru/

[ reply ]
Re: Windows NT Message Compiler 1.00.5239 arbitrary code execution Jan 03 2007 06:06PM
chinese soup (noodle mastah gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus