Re: [Full-disclosure] iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability



> IV. DETECTION
> 
> The following applications have been confirmed to be vulnerable:
> 
> Vendor:         RealNetworks
> Application:    RealPlayer 10.5
> Files:          realplay.exe
>                 realjbox.exe
>                            
> Vendor:         Kaspersky
> Application:    Kaspersky Anti-Virus for Windows File Servers 5.0 (English) - Installation File
> Files:          kav5.0trial_winfsen.exe
> 
> Vendor:         Apple
> Application:    iTunes 4.7.1.30
> Files:          iTunesHelper.exe
> 
> Vendor:         VMWare
> Application:    VMWare Workstation 5.0.0 build-13124
> Files:          VMwareTray.exe
>                 VMwareUser.exe
>                            
> Vendor:         Microsoft
> Application:    Microsoft Antispyware 1.0.509 (Beta 1)
> Files:          GIANTAntiSpywareMain.exe
>                 gcASNotice.exe
>                 gcasServ.exe
>                 gcasSWUpdater.exe
>                 GIANTAntiSpywareUpdater.exe
I think this is not such a serious vulnerability. The programs in the list 
are not services, so c:\Program.exe can only run as another user on the 
same computer. I think C:\ cannot be written to on Windows XP unless you are 
Administrator, so I think this only affects Windows 2000. Also, 
c:\Program Files cannot be written to unless you are Administrator on any 
Windows version.

> It is a known issue, that if lpApplicationName contains a 
> NULL value and the full module path in the lpCommandLine 
> variable contains white space and is not enclosed in 
> quotation marks, it is possible that an alternate application 
> will be executed.
> This is a known issue, discussed directly in the 
> API documentation:
> 
> http://msdn.microsoft.com/library/en-us/dllproc/base/createprocessasuser.asp
> Note: The vulnerability in Microsoft Antispyware was 
> previously discussed on the Full-Disclosure mailing list
> (http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html)
> but remains unpatched.
This is a very old and classical vulnerability and is not so severe; 
maybe it only affects Windows 2000 computers with some 
Administrator users, and it has already been discussed many times 
before. It is no surprise that the "discoverer" wishes to remain 
anonymous. Maybe he was paid $50 by iDEFENSE because he was only 
looking in some programs for a classical vulnerability? There should 
not be any news story about this.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/