[Seguridad] Sysinternals Process Explorer desbordamiento de buffer...

Sysinternals Process Explorer Buffer Overflow in Processing
CompanyName Values Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/aler...14742.html


SecurityTracker Alert ID: 1014742
SecurityTracker URL: http://securitytracker.com/id?1014742
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Aug 19 2005
Impact: Execution of arbitrary code via network, User access via
network
Exploit Included: Yes
Version(s): 9.23.0.0


Description: ATmaCA reported a vulnerability in Process Explorer. A
remote user can cause arbitrary code to be executed by the target
user.

The software contains a buffer overflow in the parsing of the
CompanyName VersionInfo data of a running process. A remote user can
create an executable file with a specially crafted, long CompanyName
value. When the target user views the properties of the executable
while the executable is running, arbitrary code may execute. The code
will run with the privileges of the user running Process Explorer.

The vendor was notified on July 20, 2005.

A demonstration exploit file is available at:

http://www.atmacasoft.com/procexp_exp.exe

Impact: A remote user can create an executable that, when examined by
the target user with Process Explorer, will execute arbitrary code on
the target user's system. The code will run with the privileges of the
target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.sysinternals.com/Utilities/ProcessExplorer.html
(Links to External Site)

Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: <atmaca@icqmail.com>
Message History: None.



Source Message Contents
Date: Fri, 19 Aug 2005 10:52:14 -0700
From: <atmaca@icqmail.com>
Subject: SysInternals Process Explorer VersionInfo Buffer Overflow
Vulnerability


==Application: Process Explorer
http://www.sysinternals.com/Utiliti...lorer.html
Versions: 9.23.0.0
Platforms: Windows
Bug: buffer-overflow
Exploitation: local
Date: Jul 20 2004
Author: ATmaCA
e-mail: atmaca@icqmail.com
web: http://www.atmacasoft.com
Credit: Kozan
==

I. BACKGROUND

Ever wondered which program has a particular file or directory open?
Now you can find out.

Process Explorer shows you information about which handles and DLLs
processes have opened or loaded.

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Process
Explorer allows attackers to execute arbitrary code.

The problem specifically exists when parsing VersionInfo resource of
running executable files that contain long CompanyName entries.

An example malicious .exe file with a long CompanyName name in version
resource:

1 VERSIONINFO
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904E4"
{
VALUE "CompanyName", "AAAAAAAA...[A x 2302 bytes is where the EIP
starts]1234"
}
}
}

'[A x 2302]' represents any string of 2302 bytes in
length. Viewing properties of running malicious executable on the
Microsoft Windowsplatform will cause Process Explorer to crash with an
access violation when attempting to execute instruction 0x34333231,
which is the little-endian ASCII code representation of '1234'. An
attacker can exploit this vulnerability to redirect the flow of
control and eventually execute arbitrary code. This example is
specific to the Microsoft Windows platform.

III. ANALYSIS

Exploitation of the described vulnerability allows attackers to
execute arbitrary code under the context of the user who started
Process Explorer.

Exploitation requires that an attacker convince a target user to view
properties of malicious executable file with a vulnerable version of
Process Explorer.

IV. DETECTION :

Process Explorer 9.23.0.0 as installed on the Microsoft Windows
platform is affected. Earlier versions may also be susceptible.

V. DISCLOSURE TIMELINE

07/20/2005 Initial vendor notification
07/29/2005 Initial vendor response
08/19/2005 Public disclosure

VI. POC

http://www.atmacasoft.com/procexp_exp.exe
_________________________________________
Usenet Zone Free Binaries Usenet Server
More than 140,000 groups
Unlimited download
http://www.usenetzone.com to open account