Message-ID: <20051115232511.202BB33C24@mailserver5.hushmail.com>
Date: Tue Nov 15 23:25:29 2005
From: ipatches at hushmail.com (ipatches@...hmail.com)
Subject: iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability

> IV. DETECTION
> 
> The following applications have been confirmed to be vulnerable:
> 
> Vendor:         RealNetworks
> Application:    RealPlayer 10.5
> Files:          realplay.exe
>                 realjbox.exe
>                            
> Vendor:         Kaspersky
> Application:    Kaspersky Anti-Virus for Windows File Servers 5.0 (English) - Installation File
> Files:          kav5.0trial_winfsen.exe
> 
> Vendor:         Apple
> Application:    iTunes 4.7.1.30
> Files:          iTunesHelper.exe
> 
> Vendor:         VMWare
> Application:    VMWare Workstation 5.0.0 build-13124
> Files:          VMwareTray.exe
>                 VMwareUser.exe
>                            
> Vendor:         Microsoft
> Application:    Microsoft Antispyware 1.0.509 (Beta 1)
> Files:          GIANTAntiSpywareMain.exe
>                 gcASNotice.exe
>                 gcasServ.exe
>                 gcasSWUpdater.exe
>                 GIANTAntiSpywareUpdater.exe
I think this is not such a serious vulnerability. The programs in the list 
are not services, so c:\Program.exe can only run as another user on the 
same computer. I think C:\ cannot be written to on Windows XP unless you 
are Administrator, so I think this only affects Windows 2000. Also, 
c:\Program Files cannot be written to unless you are Administrator on any 
Windows version.

> It is a known issue, that if lpApplicationName contains a 
> NULL value and the full module path in the lpCommandLine 
> variable contains white space and is not enclosed in 
> quotation marks, it is possible that an alternate application 
> will be executed.
> This is a known issue, discussed directly in the 
> API documentation:
> 
> http://msdn.microsoft.com/library/en-us/dllproc/base/createprocessasuser.asp
> Note: The vulnerability in Microsoft Antispyware was 
> previously discussed on the Full-Disclosure mailing list
> (http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html)
> but remains unpatched.
This is a very old and classical vulnerability and is not so severe; 
maybe it only affects Windows 2000 computers with some Administrator 
users, and it has already been discussed many times before. It is no 
surprise that the "discoverer" wishes to remain anonymous. Maybe he was 
paid $50 by iDEFENSE because he was only looking in some programs for a 
classical vulnerability? There should not be any news story about this.
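The quoted advisory text above describes the CreateProcess behaviour that causes the issue: with lpApplicationName NULL and an unquoted lpCommandLine containing spaces, the module name is tried at each space in turn. The following C program is an added example for this thread, not code from the advisory, iDEFENSE or any of the listed vendors. It lists the locations such a launch string would resolve through (useful when auditing a product's own startup or shortcut entries during a code review), and shows the hardened form of the call: pass the module explicitly in lpApplicationName and quote the path in the command line. The sample path "C:\Program Files\Example Vendor\tray.exe" and the argument "-startup" are constructed for illustration; the Windows-only launch function is compiled only under _WIN32.

```c
/* Added example (not code from the advisory, iDEFENSE or any listed vendor):
 * audits a CreateProcess command line for the unquoted-path ambiguity the
 * advisory describes, and shows the hardened form of the call. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define MAX_CANDIDATES 16
#define MAX_PATH_LEN 260

/* Does the last path component (after the final '\\') have an extension? */
static int has_extension(const char *p) {
    const char *base = strrchr(p, '\\');
    base = base ? base + 1 : p;
    return strchr(base, '.') != NULL;
}

/* Lists, in order, the files CreateProcess tries when lpApplicationName is
 * NULL and lpCommandLine is an unquoted path containing spaces: the module
 * name is cut at each space in turn and ".exe" appended where no extension
 * is present, as the MSDN page cited in the advisory documents. The full
 * string is the final candidate. A quoted module name yields exactly one
 * candidate. Returns the number of candidates written to out[]. */
int createprocess_candidates(const char *cmdline,
                             char out[][MAX_PATH_LEN], int max_out) {
    size_t len = strlen(cmdline);
    int n = 0;
    if (len == 0) return 0;
    if (cmdline[0] == '"') {                    /* quoted: unambiguous */
        const char *end = strchr(cmdline + 1, '"');
        size_t plen = end ? (size_t)(end - cmdline - 1) : 0;
        if (!end || plen == 0 || plen >= MAX_PATH_LEN) return 0;
        memcpy(out[0], cmdline + 1, plen);
        out[0][plen] = '\0';
        return 1;
    }
    for (size_t i = 1; i <= len && n < max_out; i++) {
        if (i != len && cmdline[i] != ' ') continue;
        if (i >= MAX_PATH_LEN - 5) break;       /* room for ".exe" + NUL */
        memcpy(out[n], cmdline, i);
        out[n][i] = '\0';
        if (!has_extension(out[n])) strcat(out[n], ".exe");
        n++;
    }
    return n;
}

/* Convenience wrapper: the idx-th candidate, or "" if there is none. */
const char *nth_candidate(const char *cmdline, int idx) {
    static char cands[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = createprocess_candidates(cmdline, cands, MAX_CANDIDATES);
    return (idx >= 0 && idx < n) ? cands[idx] : "";
}

/* Hardened form: module path in double quotes, arguments after it.
 * Returns NULL if the path contains a '"' or the result does not fit. */
const char *quoted_cmdline(const char *exe_path, const char *args) {
    static char buf[1024];
    if (strchr(exe_path, '"')) return NULL;
    int r = snprintf(buf, sizeof buf, "\"%s\"%s%s", exe_path,
                     (args && *args) ? " " : "", args ? args : "");
    return (r < 0 || (size_t)r >= sizeof buf) ? NULL : buf;
}

#ifdef _WIN32
/* Hardened launch: lpApplicationName names the module explicitly and the
 * command line is quoted, so no space can be read as a separator. */
int launch_hardened(const char *exe_path, const char *args) {
    const char *cl = quoted_cmdline(exe_path, args);
    char cmdline[1024];
    if (!cl) return -1;
    strcpy(cmdline, cl);                /* CreateProcessA may modify its buffer */
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi;
    if (!CreateProcessA(exe_path, cmdline, NULL, NULL, FALSE, 0,
                        NULL, NULL, &si, &pi)) return -1;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif

int main(void) {
    /* Constructed sample, in the shape the advisory describes. */
    const char *exe = "C:\\Program Files\\Example Vendor\\tray.exe";
    const char *risky = "C:\\Program Files\\Example Vendor\\tray.exe -startup";
    char cands[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = createprocess_candidates(risky, cands, MAX_CANDIDATES);
    printf("unquoted launch tries %d locations, in this order:\n", n);
    for (int i = 0; i < n; i++) printf("  %d: %s\n", i + 1, cands[i]);
    printf("hardened command line: %s\n", quoted_cmdline(exe, "-startup"));
    return 0;
}
```

Run on a non-Windows host the program only performs the audit; the first two locations it prints for the sample are "C:\Program.exe" and "C:\Program Files\Example.exe", which is exactly the pattern the advisory's file list points at. Both halves of the fix matter: quoting alone removes the ambiguity, and passing lpApplicationName as well keeps the launch correct even if a later change to the command-line string drops the quotes.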
