Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 11.15.05: Multiple Vendor Insecure Call to CreateProcess() Vulnerability


From: <ipatches () hushmail com>
Date: Tue, 15 Nov 2005 15:25:02 -0800

IV. DETECTION

The following applications have been confirmed to be vulnerable:

Vendor:         RealNetworks
Application:    RealPlayer 10.5
Files:          realplay.exe
                realjbox.exe
                           
Vendor:         Kaspersky
Application:    Kaspersky Anti-Virus for Windows File Servers 5.0 
(English) - Installation File
Files:          kav5.0trial_winfsen.exe

Vendor:         Apple
Application:    iTunes 4.7.1.30
Files:          iTunesHelper.exe

Vendor:         VMWare
Application:    VMWare Workstation 5.0.0 build-13124
Files:          VMwareTray.exe
                VMwareUser.exe
                           
Vendor:         Microsoft
Application:    Microsoft Antispyware 1.0.509 (Beta 1)
Files:          GIANTAntiSpywareMain.exe
                gcASNotice.exe
                gcasServ.exe
                gcasSWUpdater.exe
                GIANTAntiSpywareUpdater.exe
I think this is not so serious a vulnerability. Programs in the list 
are not services, so c:\Program.exe can only run as another user on 
the same computer. I think C:\ cannot be written to on Windows XP 
unless you are Administrator, so I think this only affects Windows 2000. 
Also c:\Program Files cannot be written to unless you are Administrator 
on any Windows version.

It is a known issue, that if lpApplicationName contains a 
NULL value and the full module path in the lpCommandLine 
variable contains white space and is not enclosed in 
quotation marks, it is possible that an alternate application 
will be executed.
This is a known issue, discussed directly in the 
API documentation:

http://msdn.microsoft.com/library/en-us/dllproc/base/createprocessasuser.asp
Note: The vulnerability in Microsoft Antispyware was 
previously discussed on the Full-Disclosure mailing list
(http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033909.html)
but remains unpatched.
This is a very old and classic vulnerability and is not so severe; 
maybe it only affects Windows 2000 computers with some 
Administrator users, and it has already been discussed many times 
before. It is no surprise that the "discoverer" wishes to remain 
anonymous. Maybe he was paid $50 by iDEFENSE because he was only 
looking in some programs for a classic vulnerability? There should 
not be any news story about this.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
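The CreateProcess() behaviour the advisory quotes can be audited without touching Windows at all, because the lookup order is documented: every whitespace-delimited prefix of an unquoted module path is tried as the executable, with ".exe" appended when the name has no extension. The helper below is an added example written for this archive page; it is not code from iDEFENSE, the reply author, or any of the listed vendors. It enumerates the candidates for a command line, simulates which one would launch against a constructed list of files standing in for the filesystem, flags the candidates that fall into directories an auditor has marked as writable by ordinary users (which is the point the reply turns on), and shows the quoted form that collapses the list to a single path.

```python
r"""
Audit helper for the CreateProcess() unquoted-path issue.

With lpApplicationName == NULL and an unquoted lpCommandLine whose module
path contains spaces, CreateProcess tries, in order:
    c:\program.exe
    c:\program files\sub.exe
    c:\program files\sub dir\program.exe
    c:\program files\sub dir\program name.exe
Pure string logic (ntpath), so it runs on any platform. The "filesystem"
and the set of writable directories are constructed inputs, not probes.
"""
import ntpath
from typing import Iterable, List, Optional


def _with_exe(path: str) -> str:
    # CreateProcess appends ".exe" when the file name carries no extension.
    _head, tail = ntpath.split(path)
    return path if "." in tail else path + ".exe"


def candidate_executables(command_line: str) -> List[str]:
    r"""Paths CreateProcess would try for this lpCommandLine, in order.

    A quoted module path yields exactly one candidate; an unquoted one
    yields one candidate per whitespace-delimited prefix.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        quoted = cmd[1:end] if end != -1 else cmd[1:]
        return [_with_exe(quoted)]
    candidates = []
    for i, ch in enumerate(cmd):
        # Cut at the first character of each whitespace run.
        if ch.isspace() and not cmd[i - 1].isspace():
            candidates.append(_with_exe(cmd[:i]))
    candidates.append(_with_exe(cmd))  # the intended program, tried last
    return candidates


def resolve(command_line: str, existing_files: Iterable[str]) -> Optional[str]:
    """Simulate the launch: first candidate that exists wins.

    existing_files is a constructed list of paths; comparison is
    case-insensitive like an NTFS lookup.
    """
    present = {ntpath.normcase(p) for p in existing_files}
    for cand in candidate_executables(command_line):
        if ntpath.normcase(cand) in present:
            return cand
    return None


def exposed_candidates(command_line: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates (excluding the intended program) whose parent directory
    the auditor has marked as writable by non-privileged users."""
    def norm_dir(d: str) -> str:
        return ntpath.normcase(d).rstrip("\\")
    writable = {norm_dir(d) for d in writable_dirs}
    return [c for c in candidate_executables(command_line)[:-1]
            if norm_dir(ntpath.dirname(c)) in writable]


def safe_command_line(application: str, *args: str) -> str:
    """The corrected form: quote the module path so only one candidate
    remains. Passing the path as lpApplicationName is the other fix the
    API documentation describes."""
    quoted_args = ['"%s"' % a if " " in a else a for a in args]
    return " ".join(['"%s"' % application] + quoted_args)


if __name__ == "__main__":
    # Constructed sample: a planted c:\Program.exe next to the real program.
    files = [r"C:\Program.exe", r"C:\Program Files\Sub Dir\Program Name.exe"]
    cmd = r"c:\program files\sub dir\program name"
    for c in candidate_executables(cmd):
        print("tries:", c)
    print("unquoted launches:", resolve(cmd, files))
    print("quoted launches:  ", resolve(safe_command_line(cmd), files))
    print("exposed if C:\\ is user-writable:", exposed_candidates(cmd, ["C:\\"]))
```

On a Windows 2000 host where C:\ is writable by ordinary users, `exposed_candidates` reports `c:\program.exe` as the one prefix a non-administrator could plant, which matches the reply's reasoning that C:\Program Files itself is not writable; feeding it the actual ACL results for each directory replaces the constructed `writable_dirs` with real data.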

