|
Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
|
|
|
|
|
Secunia Advisory:
|
SA26800
|
|
|
Release Date:
|
2007-09-17
|
|
Last Update:
|
2007-09-21
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| OS: | Microsoft Windows XP Professional
|
|
| | CVE reference: | CVE-2007-4916 (Secunia mirror)
|
|
|
This advisory is currently marked as unpatched!
- Companies can be alerted when a patch is released! |
|
|
Description:
Jonathan Sarba has discovered a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error in the "FindFile()" function of the CFileFind class in mfc42.dll and mfc42u.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long argument to the affected function.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed on a fully-patched Windows XP SP2 including mfc42.dll version 6.2.4131.0 and mfc42u.dll version 6.2.8071.0.
The following products are currently known to have vectors allowing exploitation:
* HP All-in-One Series Web Release software/driver installer version 2.1.0
* HP Photo & Imaging Gallery version 1.1
Other versions and applications using the vulnerable library may also be affected.
Solution:
Restrict access to applications allowing user-controlled input to be passed to the vulnerable function.
Applications using the vulnerable library should check the length of the user input before passing it to the affected function.
Provided and/or discovered by:
Jonathan Sarba, GoodFellas Security Research Team.
Changelog:
2007-09-19: Added CVE reference.
2007-09-21: Added link to US-CERT.
Original Advisory:
http://goodfellas.shellcode.com.ar/own/VULWKU200706142
Other References:
US-CERT VU#611008:
http://www.kb.cert.org/vuls/id/611008
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
225 Related Secunia Security Advisories, displaying 10
|
|
|
1. Microsoft Windows DNS Spoofing Vulnerabilities
|
|
2. Microsoft Windows Pragmatic General Multicast Denial of Service
|
|
3. Microsoft Windows Active Directory LDAP Request Processing Denial of Service
|
|
4. Microsoft DirectX MJPEG/SAMI File Processing Vulnerabilities
|
|
5. Microsoft Windows Speech Recognition Security Issue
|
|
6. Apple Safari on Windows Code Execution Vulnerability
|
|
7. Microsoft Windows XP I2O Utility Filter Driver Privilege Escalation
|
|
8. Microsoft Windows Bluetooth SDP Packet Processing Vulnerability
|
|
9. Microsoft Windows Privilege Escalation Vulnerability
|
|
10. Microsoft Windows Kernel Privilege Escalation Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
