The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Windows Server 2000

computer vulnerability bulletin 14818

Windows: changing configuration via DHCP INFORM

Synthesis of the vulnerability

An attacker can reply to DHCP INFORM queries of Windows, in order to alter its configuration.
Impacted products: Windows 2000, Windows 2003, Windows XP.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: LAN.
Creation date: 30/05/2014.
Identifiers: VIGILANCE-VUL-14818.

Description of the vulnerability

The DHCP INFORM message is used by a client to request additional configuration information (WPAD, DNS, router, etc.) from a DHCP server.

The DHCP client of Windows implements DHCP INFORM. However, it does not check whether the replies come from the legitimate DHCP server.

An attacker can therefore reply to DHCP INFORM queries of Windows, in order to alter its configuration.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce 10562

Microsoft HTML Help: buffer overflow

Synthesis of the vulnerability

An attacker can invite the victim to open a malicious CHM file with Microsoft HTML Help, in order to execute code.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 13/04/2011.
Identifiers: BID-47330, VIGILANCE-VUL-10562.

Description of the vulnerability

Files with a CHM extension are compiled help files for Windows, which are opened with Microsoft HTML Help.

Data in a CHM file are compressed in blocks, so Microsoft HTML Help uncompresses each block before using it. However, if the declared size of a block is too large, a buffer overflow occurs.

An attacker can therefore invite the victim to open a malicious CHM file with Microsoft HTML Help, in order to execute code.
computer vulnerability announce CVE-2011-0654

Windows AD: buffer overflow of Browser RequestElection

Synthesis of the vulnerability

An attacker can send a large RequestElection packet to the Windows Master Browser, in order to create a denial of service, and possibly to execute code.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 3/4.
Consequences: administrator access/rights, user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 15/02/2011.
Revision date: 18/02/2011.
Identifiers: 2511455, BID-46360, CERTA-2011-AVI-202, CVE-2011-0654, MS11-019, VIGILANCE-VUL-10367, VU#323172.

Description of the vulnerability

The Master Browser computer maintains the list of computers on the network. When there is an AD on the network, the primary domain controller is the default Master Browser; otherwise it is elected with NetBIOS packets (port 138/udp).

The NetBIOS Browser RequestElection packet contains a ServerName field of 16 bytes indicating the name of the server.

However, when the Master Browser receives a packet with a long ServerName field, an integer overflow occurs in the mrxsmb.sys/browser.sys driver, and a copy of an oversized length is performed.

An attacker can therefore send a large RequestElection packet to the Windows Master Browser, in order to create a denial of service, and possibly to execute code.
computer vulnerability alert CVE-2010-0020 CVE-2010-0021 CVE-2010-0022

Windows: code execution via the SMB server

Synthesis of the vulnerability

An attacker can connect to the SMB/CIFS server, in order to generate a denial of service or to execute code on the computer.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 10/02/2010.
Revision date: 18/10/2010.
Identifiers: 971468, BID-38049, BID-38051, BID-38054, BID-38085, CERTA-2010-AVI-070, CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231, MS10-012, VIGILANCE-VUL-9436.

Description of the vulnerability

The SMB/CIFS service of Windows is impacted by four vulnerabilities.

An authenticated attacker can send an SMB packet containing a long path, generating a buffer overflow, and leading to code execution with system privileges. [severity:3/4; BID-38049, CERTA-2010-AVI-070, CVE-2010-0020]

An attacker can send a malformed packet during the negotiate phase, in order to block the service. [severity:2/4; BID-38054, CVE-2010-0021]

An attacker can send an SMB packet with an empty share name or server name, in order to generate a NULL pointer dereference, which stops the service. [severity:2/4; BID-38051, CVE-2010-0022]

The server uses a challenge of 8 bytes, which is not sufficiently random. An attacker can therefore use a brute force attack to authenticate. [severity:3/4; BID-38085, CVE-2010-0231]

An attacker can therefore connect to the SMB/CIFS server, in order to generate a denial of service or to execute code on the computer.
vulnerability bulletin CVE-2010-3332

ASP.NET: information disclosure via Padding Oracle

Synthesis of the vulnerability

An attacker can use ASP.NET as an "oracle" to decrypt information such as the View State object, or read a file such as "web.config".
Impacted products: IIS, .NET Framework, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 20/09/2010.
Identifiers: 2416728, 2418042, BID-43316, CERTA-2010-AVI-458, CVE-2010-3332, MS10-070, SUSE-SU-2012:0393-1, VIGILANCE-VUL-9953.

Description of the vulnerability

An ASP page can use a hidden variable named __VIEWSTATE, containing the state of a form. This View State, as well as cookie content, can be encrypted with AES.

When the size of the data is not a multiple of the encryption block size, padding bytes are added. PKCS#7 padding adds bytes whose value is the padding size. For example:
 - 01
 - 02 02
 - etc.
The clear content of the padding is thus known.

When the padding is invalid, an ASP.NET application generates the System.Security.Cryptography.CryptographicException exception ("Padding is invalid and cannot be removed"). This error message is different from other messages. An ASP.NET application can thus act as an oracle indicating if a block is valid.

An attacker can therefore, one byte at a time, vary the padding to obtain a different error message, and progressively determine the encryption key. The attacker can then for example decrypt the content of the View State or cookies. The attacker can also encrypt malicious data and send them to the server, which will interpret them as valid.

By extension, this vulnerability can also be used to read files reachable by the application, such as "web.config".

An attacker can therefore use ASP.NET as an "oracle" to decrypt information such as the View State object, or read a file such as "web.config".
computer vulnerability note 9879

Windows: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in the context of the targeted application.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows NT, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 25/08/2010.
Identifiers: 2269637, VIGILANCE-VUL-9879, VU#707943.

Description of the vulnerability

An application can use several DLL (Dynamic Link Library) files.

When an application uses a function of a DLL, the DLL is first loaded via LoadLibrary(), and then the function is called.

If the application does not specify the DLL path, Windows searches the DLL at many places (current directory, system directory, etc.) and loads the first match. When a malicious DLL with the same name is located in the search path, it is thus loaded before the legitimate DLL.

An attacker can therefore place a malicious DLL in a WebDAV or SMB share, and invite the victim to open a document from this location, in order to execute code in the context of the targeted application.
computer vulnerability announce CVE-2010-2739

Windows: buffer overflow in CreateDIBPalette

Synthesis of the vulnerability

A local attacker can use the clipboard, in order to generate a buffer overflow in the CreateDIBPalette() function, which can lead to code execution.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Creation date: 09/08/2010.
Identifiers: BID-42291, CVE-2010-2739, VIGILANCE-VUL-9817.

Description of the vulnerability

The BITMAPINFOHEADER structure defines the characteristics of a DIB image. The biClrUsed field indicates the number of colors used in the palette. The biBitCount field indicates the maximum size of the palette (for example, if biBitCount is set to 8, the number of colors is limited to 256).

The SetClipboardData() function stores data in the Windows clipboard, specifying the type of data. The GetClipboardData() function retrieves these data, converted to the requested type.

The CreateDIBPalette() function of win32k.sys extracts the palette of a DIB image. When a user calls "SetClipboardData(CF_DIBV5, ...)" followed by "GetClipboardData(CF_PALETTE)", the CreateDIBPalette() function is called.

However, if the DIB image has a biClrUsed value greater than the capacity allowed by biBitCount, a buffer overflow occurs in CreateDIBPalette().

A local attacker can therefore use the clipboard, in order to generate a buffer overflow in the CreateDIBPalette() function, which can lead to code execution.
vulnerability CVE-2010-2568

Windows: code execution via LNK

Synthesis of the vulnerability

An attacker can invite the victim to display a directory containing a malicious link, in order to execute code on his computer.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 16/07/2010.
Identifiers: 2286198, BID-41732, CERTA-2010-AVI-353, CVE-2010-2568, MS10-046, VIGILANCE-VUL-9770, VU#940193.

Description of the vulnerability

A user can create a Windows link, which is a file with the ".LNK" extension pointing to another file.

However, an attacker can create a special LNK file pointing to code located inside the LNK file (a DLL library whose main code is run). This code is executed when the directory containing the link is displayed. The victim does not have to click on the link.

In order to exploit this vulnerability, the attacker can place the malicious link on a USB drive, a CD-ROM, a remote share, a local directory or a WebDAV access. The link can also be located inside a malicious document (such as an Office document). MS-DOS programs also use links with the ".PIF" extension, which are affected as well.

An attacker can therefore invite the victim to display a directory containing a malicious link, in order to execute code on his computer.
vulnerability CVE-2010-3227

Windows: buffer overflow of UpdateFrameTitleForDocument

Synthesis of the vulnerability

An attacker can invite the victim to open a document with an application which changes the title of the window with UpdateFrameTitleForDocument(), in order to execute code on his computer.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 06/07/2010.
Identifiers: 2387149, BID-41333, CERTA-2010-AVI-484, CVE-2010-3227, MS10-074, VIGILANCE-VUL-9740.

Description of the vulnerability

The mfc42.dll library provides the class CFrameWnd, containing the UpdateFrameTitleForDocument() method which changes the title of the window:
  virtual void UpdateFrameTitleForDocument(LPCTSTR lpszDocName);

However, if the lpszDocName parameter is too long, a buffer overflow occurs. This overflow leads to code execution with privileges of the current user.

A remote attacker cannot directly exploit this vulnerability. However, some applications such as Trident Software PowerZip set the title from data coming from an untrusted source (a ZIP file in this case).

An attacker can therefore invite the victim to open a document with an application which changes the title of the window with UpdateFrameTitleForDocument(), in order to execute code on his computer.
vulnerability bulletin CVE-2010-0819

Windows: privilege elevation via CFF

Synthesis of the vulnerability

A local attacker can use an OpenType Compact Font Format font, in order to obtain system privileges.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows Vista, Windows XP.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 09/06/2010.
Identifiers: 980218, BID-40572, CERTA-2010-AVI-249, CVE-2010-0819, MS10-037, VIGILANCE-VUL-9693.

Description of the vulnerability

An OpenType CFF (Compact Font Format) font uses outlines specified with PostScript Type 1 operators. The Windows OpenType CFF driver implements the support for these fonts.

However, this driver does not correctly validate the font data it receives, which leads to memory corruption.

A local attacker can therefore use an OpenType Compact Font Format font, in order to obtain system privileges.