[Seguridad] Sysinternals Process Explorer desbordamiento de buffer...

20/08/2005 - 21:00 por slag | Informe spam
Sysinternals Process Explorer Buffer Overflow in Processing
CompanyName Values Lets Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1014742
SecurityTracker URL: http://securitytracker.com/id?1014742
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Aug 19 2005
Impact: Execution of arbitrary code via network, User access via
Exploit Included: Yes

Description: ATmaCA reported a vulnerability in Process Explorer. A
remote user can cause arbitrary code to be executed by the target

The software contains a buffer overflow in the parsing of the
CompanyName VersionInfo data of a running process. A remote user can
create an executable file with a specially crafted, long CompanyName
value. When the target user views the properties of the executable
while the executable is running, arbitrary code may execute. The code
will run with the privileges of the user running Process Explorer.

The vendor was notified on July 20, 2005.

A demonstration exploit file is available at:


Impact: A remote user can create an executable that, when examined by
the target user with Process Explorer, will execute arbitrary code on
the target user's system. The code will run with the privileges of the
target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.sysinternals.com/Utilities/ProcessExplorer.html
(Links to External Site)

Cause: Boundary error
Underlying OS: Windows (Any)
Reported By: <atmaca@icqmail.com>
Message History: None.

Source Message Contents
Date: Fri, 19 Aug 2005 10:52:14 -0700
From: <atmaca@icqmail.com>
Subject: SysInternals Process Explorer VersionInfo Buffer Overflow

==Application: Process Explorer
Platforms: Windows
Bug: buffer-overflow
Exploitation: local
Date: Jul 20 2004
Author: ATmaCA
e-mail: atmaca@icqmail.com
web: http://www.atmacasoft.com
Credit: Kozan


Ever wondered which program has a particular file or directory open?
Now you can find out.

Process Explorer shows you information about which handles and DLLs
processes have opened or loaded.


Local exploitation of a buffer overflow vulnerability in Process
Explorer allows attackers to execute arbitrary code.

The problem specifically exists when parsing VersionInfo resource of
running executable files that contain long CompanyName entries.

An example malicious .exe file with a long CompanyName name in version

BLOCK "StringFileInfo"
BLOCK "040904E4"
VALUE "CompanyName", "AAAAAAAA...[A x 2302 bytes is where the EIP

'[A x 2302]' represents any string of 2302 bytes in
length. Viewing properties of running malicious executable on the
Microsoft Windowsplatform will cause Process Explorer to crash with an
access violation when attempting to execute instruction 0x34333231,
which is the little-endian ASCII code representation of '1234'. An
attacker can exploit this vulnerability to redirect the flow of
control and eventually execute arbitrary code. This example is
specific to the Microsoft Windows platform.


Exploitation of the described vulnerability allows attackers to
execute arbitrary code under the context of the user who started
Process Explorer.

Exploitation requires that an attacker convince a target user to view
properties of malicious executable file with a vulnerable version of
Process Explorer.


Process Explorer as installed on the Microsoft Windows
platform is affected. Earlier versions may also be susceptible.


07/20/2005 Initial vendor notification
07/29/2005 Initial vendor response
08/19/2005 Public disclosure


Usenet Zone Free Binaries Usenet Server
More than 140,000 groups
Unlimited download
http://www.usenetzone.com to open account

Leer las respuestas

#1 Ramón Sola [MVP Windows - Shell/User]
21/08/2005 - 13:23 | Informe spam
Hash: SHA1

La nueva versión 9.24 ya no presenta ese síntoma.


Ramón Sola / / MVP Windows - Shell/User
Para obtener la dirección correcta no hacen falta los sellos.
Por favor, usar el correo sólo para cuestiones ajenas a los
grupos de noticias, gracias.

Cuentan que un falso "slag" escribió en el
mensaje news: lo siguiente:
Sysinternals Process Explorer Buffer Overflow in Processing
CompanyName Values Lets Remote Users Execute Arbitrary Code

[...y aparte de poner el enlace a la página, pegó su contenido...]

Preguntas similares