Windows Shell Overflow Release Date: March 8, 2002 Severity: Medium Systems Affected: Microsoft Windows 98 Microsoft Windows 98 Second Edition Microsoft Windows NT 4.0 Microsoft Windows NT 4.0 Terminal Server Edition Microsoft Windows 2000 Description: There exists a buffer overflow vulnerability within the Windows Shell that can lead to execution of malicious code. The vulnerability exists in how the Windows Shell manipulates URL handlers that point to programs that do not exist. The Windows Shell exposes functionality to allow developers to write their own custom URL handlers. For example programs such as, ICQ, AIM, MS Conference, mIRC, Windows Media Player, Outlook/Express, etc... install their own custom URL handlers so that functionality can be passed from a URL to a program. So for example we could write a custom URL handler called "eeye" and then anytime someone performed a request for eeye://data the data would be passed to whatever program was written to handle the eeye URL. Now the problem arises when a URL handler has been mapped, in the system registry, to a program that does not exist. For example AOL Instant Messenger installs a URL handler to HKEY_CLASSES_ROOT\aim. The reason we know AIM is a URL handler is because of the existence of the key "URL Protocol" tells the windows shell that Aim is a URL handler. By enumerating the registry for "URL Protocol" keys we can determine all of the installed URL handlers. Next we identify a URL handler that is installed yet mapped to a non-existent program. The mapping to the URL handler is in the form of: HKEY_CLASSES_ROOT\urlhandler\shell\open\command and whatever executable is pointed to by (Default) is the executable to handle that specific URL. As stated the vulnerability is within the Windows Shell code that handles URL's that point to a non-existent URL handler. So if the AIM handler (HKEY_CLASSES_ROOT\aim\shell\open\command) was pointing to a file that did not exist then that URL handler could be exploited via a buffer overflow in the data passed to the URL handler. For example: aim://overflow Where overflow is 324 or so bytes. At this point we take control of EIP and can control the flow of execution within the program. Which means we can make our victim execute any code we wish. It is very important to clarify there is no problem within AIM or the URL handler program itself. The problem lies within vulnerable code within the Microsoft Windows Shell. Reasons for certain URL handlers becoming exploitable could be, a program is uninstalled and the uninstaller does not cleanly remove the mapping in the registry, or a user deletes the program folder which leaves the URL mapping to a invalid file. On a default installation of Windows the buffer overflow does exist although exploiting it is impossible (as far as we know) because there are no default URL handlers pointing to a file that doesn't exist. However, over time after programs are installed and removed a system will become vulnerable. This vulnerability is a local vulnerability although because of the integrated nature of windows it is possible to exploit this vulnerability remotely using any program that supports URL. For example we could email this attack URL within an Outlook email or we could put this attack URL within an "evil web page" and then get users to visit the web page. There are many different ways to remotely make a system process these "evil URL's" in order to gain control. When you exploit this vulnerability, locally or remotely, your code will execute with the permissions of that of the user being attacked. So if the user executing this evil URL is Administrator then your attack code will execute as Administrator. There are a few variables to a system being vulnerable to this buffer overflow however we still encourage users to install the Microsoft patch as soon as possible. Vendor Status: Microsoft has released a patch and security bulletin which is located at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS02-014.asp CVE ID: CAN-2002-0070 This is a candidate for inclusion in the CVE list http://cve.mitre.org which standardizes names for security problems. Credit: Marc Maiffret Related Links: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS02-014.asp Greetings: Mr. Self Destruct and his Lollipop Copyright (c) 1998-2002 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Feedback Please send suggestions, updates, and comments to: eEye Digital Security http://www.eEye.com info@eEye.com
