Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: o-009.txt

Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities (CIAC O-009)





             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
                     [Microsoft Security Bulletin MS03-045]

October 16, 2003 14:00 GMT                                        Number O-009
[REVISED 17 Oct 2003]
[REVISED 30 Oct 2003]
______________________________________________________________________________
PROBLEM:       A vulnerability exists because the ListBox control and the 
               ComboBox control both call a function, which is located in the 
               User32.dll file, that contains a buffer overrun. The function 
               does not correctly validate the parameters that are sent to it. 
               The controls can be made to run arbitrary code in the security 
               context of the program that contains the control. 
SOFTWARE:      MS Windows NT Workstation 4.0, Service Pack 6a 
               MS Windows NT Server 4.0, Service Pack 6a 
               MS Windows NT Server 4.0, Terminal Server Edition, Service 6 
               MS Windows 2000, Service Pack 2 
               MS Windows 2000, Service Pack 3, Service Pack 4 
               MS Windows XP Gold, Service Pack 1 
               MS Windows XP 64-bit Edition 
               MS Windows XP 64-bit Edition Version 2003 
               MS Windows Server 2003 
               MS Windows Server 2003 64-bit Edition 
DAMAGE:        A local attacker who has the ability to log onto a system 
               interactively could run a program that could send a 
               specially-crafted Windows message to any applications that have 
               implemented the ListBox or the ComboBox controls, causing the 
               application to take any action an attacker specified. This 
               could give an attacker complete control over the system by 
               using Utility Manager in Windows 2000 which runs with 
               Administrator privileges. 
SOLUTION:      Apply appropriate patches or implement workarounds. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker with a user account could 
ASSESSMENT:    elevate their privileges to the Administrator level. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-009.shtml 
 ORIGINAL BULLETIN:                                                           
                     http://www.microsoft.com/technet/treeview/default.asp?url=
                     /technet/security/bulletin/MS03-045.asp 
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CAN-2003-0659 
 ADDITIONAL LINKS:   CERT Advisory CA-2003-27
                     http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.

10/30/03 - Microsoft released a revised security patch for Windows XP,
           to address the problem described in their Knowledge Base Article 
           #830846 where installation of the previous patch may stop 
           responding (hang). The revised patch contains version 5.4.1.0 of 
           Update.exe. Version 5.4.1.0 or later versions of Update.exe no 
           longer require the Debug Programs user right. 

[***** Start Microsoft Security Bulletin MS03-045 *****]

Microsoft Security Bulletin MS03-045  

Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code 
Execution 
(824141)
Issued: October 15, 2003
Version Number: 1.0 


Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Local Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should install this security patch at the earliest 
opportunity

Patch Replacement: None

Caveats: None

Tested Software and Patch Download Locations: 

Affected Software: 

* Microsoft Windows NT Workstation 4.0, Service Pack 6a – Download the patch 
* Microsoft Windows NT Server 4.0, Service Pack 6a – Download the patch 
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 – 
  Download the patch 
* Microsoft Windows 2000, Service Pack 2 – Download the patch 
* Microsoft Windows 2000 Service Pack 3, Service Pack 4 – Download the patch 
* Microsoft Windows XP Gold, Service Pack 1 – Download the patch 
* Microsoft Windows XP 64 bit Edition – Download the patch 
* Microsoft Windows XP 64 bit Edition Version 2003 – Download the patch 
* Microsoft Windows Server 2003 – Download the patch 
* Microsoft Windows Server 2003 64 bit Edition – Download the Patch 

Non Affected Software: 

* Microsoft Windows Millennium Edition 

The software listed above has been tested to determine if the versions are affected. 
Other versions are no longer supported, and may or may not be affected. 


Technical Details

Technical Description:

A vulnerability exists because the ListBox control and the ComboBox control both call 
a function, which is located in the User32.dll file, that contains a buffer overrun. 
The function does not correctly validate the parameters that are sent from a specially-
crafted Windows message. Windows messages provide a way for interactive processes to 
react to user events (for example, keystrokes or mouse movements) and to communicate 
with other interactive processes. A security vulnerability exists because the function 
that provides the list of accessibility options to the user does not correctly validate 
Windows messages that are sent to it. One process in the interactive desktop could use 
a specific Windows message to cause the ListBox control or the ComboBox control to 
execute arbitrary code. Any program that implements the ListBox control or the ComboBox 
control could allow code to be executed at an elevated level of administrative credentials, 
as long as the program is running at an elevated level of privileges (for example, Utility 
Manager in Windows 2000). This could include third-party applications.

An attacker who had the ability to log on to a system interactively could run a program 
that could send a specially-crafted Windows message to any applications that have 
implemented the ListBox control or the ComboBox control, causing the application to take 
any action an attacker specified. This could give an attacker complete control over the 
system by using Utility Manager in Windows 2000.


Mitigating factors: 

* An attacker must have valid logon credentials to exploit the vulnerability. The 
  vulnerability could not be exploited remotely. 
* Properly-secured systems are at little risk from this vulnerability. Standard best 
  practices recommend only allowing trusted users to log on to systems interactively. 
* Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are affected by this 
  vulnerability in the ListBox control and in the ComboBox control. However, in Windows 
  XP and in Windows Server 2003, Utility Manager runs under the context of the logged-on 
  user and does not allow for elevation of privileges. Windows NT 4.0 does not implement 
  Utility Manager. 


Severity Rating:

Microsoft Windows NT 4.0                                     Low 
Microsoft Windows NT Server 4.0, Terminal Server Edition     Low 
Microsoft Windows 2000                                    Important 
Microsoft Windows XP                                         Low 
Microsoft Windows Server 2003                                Low 


The above assessment is based on the types of systems that are affected by the 
vulnerability, their typical deployment patterns, and the effect that exploiting the 
vulnerability would have on them.

Vulnerability identifier: CAN-2003-0659 


Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the 
underlying vulnerability however they help block known attack vectors. Workarounds may 
cause a reduction in functionality in some cases - in such situations this is identified 
below.

* Disable the Utility Manager on all affected systems that do not need this feature 
  through software polices 
  
  Since the Utility Manager Service is a possible attack vector this can be disabled using 
  software restriction polices within Active Directory or within the Local Security Policy. 
  The Utility Manager process name is utilman.exe. You may use the following software 
  restriction policy guides to help prevent users from accessing this file:

  * Using Software Restriction Policies to Protect Against Unauthorized Software 
  * HOW TO: Use Software Restriction Policies in Windows Server 2003 (324036) 
  * Protect Your System from Viruses (Using Software Restriction Polices) 
  * To create new software restriction policies 


Impact of Vulnerability:

The Utility Manager Service provides many of the accessibility features of the operating 
system. These would be unavailable until the restrictions are removed.


Security Patch Information

Installation platforms and Prerequisites: 

For information about the specific security patch for your platform, click the appropriate 
link: 

* Windows Server 2003 (all versions)
* Windows XP (all versions)
* Windows 2000 (all versions)
* Windows NT 4.0 (all versions)


Acknowledgments

Microsoft thanks the following for working with us to protect customers: 

* Brett Moore of Security-Assessment.com for reporting the issue in MS03-045. 


Obtaining other security patches:

Patches for other security issues are available from the following locations: 

* Security patches are available from the Microsoft Download Center, and can be most 
  easily found by doing a keyword search for "security_patch". 
* Patches for consumer platforms are available from the WindowsUpdate web site 


Support:

* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. 
  There is no charge for support calls associated with security patches. 


Security Resources: 

* The Microsoft TechNet Security Web Site provides additional information about security in 
  Microsoft products. 
* Microsoft Software Update Services: http://www.microsoft.com/sus/ 
* Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. 
  Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of 
  security patches that have detection limitations with MBSA tool. 
* Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 
* Windows Update: http://windowsupdate.microsoft.com 
* Office Update: http://office.microsoft.com/officeupdate/ 


Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without 
warranty of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular purpose. In no 
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits or special 
damages, even if Microsoft Corporation or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or limitation of 
liability for consequential or incidental damages so the foregoing limitation may not 
apply. 


Revisions:

* V1.0 (October 15, 2003): Bulletin published.

[***** End Microsoft Security Bulletin MS03-045 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-158: CERT/CC Vulnerability Note Portable OpenSSH server PAM
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH