Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability
From: <ipatches () hushmail com>
Date: Tue, 15 Nov 2005 15:25:02 -0800
IV. DETECTION

The following applications have been confirmed to be vulnerable:

Vendor: RealNetworks
Application: RealPlayer 10.5
Files: realplay.exe, realjbox.exe

Vendor: Kaspersky
Application: Kaspersky Anti-Virus for Windows File Servers 5.0 (English) - Installation File
Files: kav5.0trial_winfsen.exe

Vendor: Apple
Application: iTunes 4.7.1.30
Files: iTunesHelper.exe

Vendor: VMWare
Application: VMWare Workstation 5.0.0 build-13124
Files: VMwareTray.exe, VMwareUser.exe

Vendor: Microsoft
Application: Microsoft Antispyware 1.0.509 (Beta 1)
Files: GIANTAntiSpywareMain.exe, gcASNotice.exe, gcasServ.exe, gcasSWUpdater.exe, GIANTAntiSpywareUpdater.exe
I think this is not such a serious vulnerability. The programs in the list are not services, so c:\Program.exe can only run as another user on the same computer. I think C:\ cannot be written to on Windows XP unless you are Administrator, so I think this only affects Windows 2000. Also, c:\Program Files cannot be written to unless you are Administrator, on any Windows version.
It is a known issue that if lpApplicationName contains a NULL value and the full module path in the lpCommandLine variable contains white space and is not enclosed in quotation marks, it is possible that an alternate application will be executed. This is a known issue, discussed directly in the API documentation: http://msdn.microsoft.com/library/en-us/dllproc/base/createprocessasuser.asp
Note: The vulnerability in Microsoft Antispyware was previously discussed on the Full-Disclosure mailing list (http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html) but remains unpatched.
This is a very old and classical vulnerability and is not so severe; maybe it only affects Windows 2000 computers with some Administrator users, and it has already been discussed many times before. It is no surprise that the "discoverer" wishes to remain anonymous. Maybe he was paid $50 by iDEFENSE because he was only looking in some programs for a classical vulnerability? There should not be any news story about this.

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
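The reply above argues that the impact of this issue hinges on whether a non-administrator can write to C:\ or to a directory along the module path. As an added example (not the advisory's code nor any vendor's), the following Python audit helper makes that check explicit: it enumerates the probe sequence CreateProcess() follows for an unquoted lpCommandLine when lpApplicationName is NULL, reports which of those probe locations sit in a directory ordinary users can write to, and shows the quoted form that removes the ambiguity. The probe order follows the example given in the CreateProcess() documentation; the paths and writable directories below are constructed, not taken from the advisory.

```python
"""Audit helper for the unquoted-path CreateProcess() issue (added example)."""
import ntpath


def probe_sequence(command_line: str, real_path: str) -> list[str]:
    """Paths CreateProcess() tries, in order, until it reaches real_path.

    A quoted path is unambiguous and yields one entry. An unquoted path is
    split at every space; each prefix is probed, with .exe appended when
    the prefix has no extension (the order shown in the MSDN example).
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        quoted = cmd[1:cmd.find('"', 1)]
        if quoted.lower() != real_path.lower():
            raise ValueError("quoted module is not the intended executable")
        return [quoted]
    tokens = cmd.split(" ")
    sequence = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        probe = prefix if ntpath.splitext(prefix)[1] else prefix + ".exe"
        sequence.append(probe)
        if probe.lower() == real_path.lower():
            return sequence
    raise ValueError("command line never resolves to the intended executable")


def exposed_probes(command_line: str, real_path: str, writable_dirs) -> list[str]:
    """Probe locations tried before real_path whose directory is writable by
    ordinary users; only these matter for the issue in the advisory."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [p for p in probe_sequence(command_line, real_path)[:-1]
            if ntpath.dirname(p).rstrip("\\").lower() in writable]


def quoted_command_line(real_path: str, args: str = "") -> str:
    """The fix: quote the module path (or pass it as lpApplicationName)."""
    return f'"{real_path}" {args}'.strip()


if __name__ == "__main__":
    # Constructed sample path with several spaces; not from the advisory.
    REAL = r"C:\Program Files\Common Files\Vendor Tools\tray helper.exe"
    # Constructed assumption: directories non-admins can write to on this host.
    WRITABLE = ["C:\\", r"C:\Program Files\Common Files\Vendor Tools"]
    for probe in probe_sequence(REAL + " -minimized", REAL):
        print("probe:", probe)
    print("exposed:", exposed_probes(REAL + " -minimized", REAL, WRITABLE))
    print("after fix:", exposed_probes(quoted_command_line(REAL, "-minimized"), REAL, WRITABLE))
```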