|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Windows: buffer overflow of UpdateFrameTitleForDocument
Synthesis of the vulnerability
An attacker can invite the victim to open a document with an application which changes the title of the window with UpdateFrameTitleForDocument(), in order to execute code on his computer.
Vulnerable systems: Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP.
Severity of this threat: 2/4.
Consequences of an attack: user access/rights.
Pirate's origin: document.
Creation date: 06/07/2010.
Références of this weakness: 2387149, BID-41333, CERTA-2010-AVI-484, CVE-2010-3227, MS10-074, VIGILANCE-VUL-9740.
Description of the vulnerability
The mfc42.dll library provides the class CFrameWnd, containing the UpdateFrameTitleForDocument() method which changes the name of the window:
public void UpdateFrameTitleForDocument(LPCTSTR lpszDocName);
However, if the lpszDocName parameter is too long, a buffer overflow occurs. This overflow leads to code execution with privileges of the current user.
A remote attacker cannot directly exploit this vulnerability. However, some applications such as Trident Software PowerZip change the title from data coming from an untrusted source (a ZIP file in this case).
An attacker can therefore invite the victim to open a document with an application which changes the title of the window with UpdateFrameTitleForDocument(), in order to execute code on his computer.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides systems vulnerabilities analysis. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce vulnerability database contains several thousand vulnerabilities. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.