CERT Vulnerability Note VU#152867
History: Apr 08, 2002 - 12:00 a.m.

Buffer overflow in Microsoft Windows Shell

2002-04-08 00:00:00
www.kb.cert.org

EPSS: 0.073 (Low)

EPSS Percentile: 94.1%

Overview

A remotely exploitable buffer overflow exists in the Microsoft Windows Shell.

Description

There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Quoting from Microsoft Security Bulletin MS02-014:

The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user’s computing session, including organizing files and folders, and providing the means to start applications.

The Windows Shell contains a function designed to locate applications that have been incompletely removed from the system. According to MS02-014, this function contains an unchecked buffer. If an attacker invokes this function and passes an unusually large amount of data to it (“324 or so bytes” according to the eEye Digital Security Advisory [AD20020308]), the attacker can exploit the buffer overflow and execute arbitrary code on the target host or crash the Windows Shell. If the attacker were to execute arbitrary code, it would run with the privileges of the victim.
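The root cause described above is a classic unchecked copy into a fixed-size buffer. The following C program is an added illustration, not code from CERT, Microsoft or eEye: it places the unchecked pattern beside a bounds-checked replacement and confirms that an input of the length named in the advisory is rejected. The buffer size (256 bytes), the function names and the sample input are assumptions chosen for the example; the real Shell function and its buffer size are not published on this page.

```c
/* Added example (not from the advisory): the unchecked-buffer pattern behind
   VU#152867 next to a bounds-checked replacement. HANDLER_BUF, the function
   names and the inputs below are assumptions for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HANDLER_BUF 256   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: attacker-influenced text (for example the argument of a
   leftover custom URL handler) is copied into a fixed buffer with no length
   check. Shown for comparison only; nothing below calls it. */
int lookup_handler_unchecked(const char *arg)
{
    char buf[HANDLER_BUF];
    strcpy(buf, arg);             /* no bound: a long input runs past buf */
    return (int)strlen(buf);
}

/* Hardened version: refuse anything that does not fit, then copy with an
   explicit bound and a guaranteed NUL terminator.
   Returns 0 on success and -1 when the input is rejected. */
int lookup_handler_checked(const char *arg, char *out, size_t outlen)
{
    size_t n;
    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    n = strlen(arg);
    if (n >= outlen) {            /* must leave room for the terminator */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, arg, n + 1);      /* n + 1 copies the NUL as well */
    return 0;
}

/* Builds a constructed input of 'len' bytes and reports 1 if the checked
   copy rejects it, 0 if it accepts it. */
int rejects_input_of_length(size_t len)
{
    char out[HANDLER_BUF];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return 0;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = lookup_handler_checked(arg, out, sizeof out);
    free(arg);
    return rc == -1;
}

/* Copies a short, well-formed argument and reports 1 if it survives intact. */
int roundtrip_ok(const char *arg)
{
    char out[HANDLER_BUF];
    if (lookup_handler_checked(arg, out, sizeof out) != 0)
        return 0;
    return strcmp(out, arg) == 0;
}

int main(void)
{
    printf("short handler argument accepted: %d\n", roundtrip_ok("myapp://open"));
    printf("255-byte input accepted:         %d\n", !rejects_input_of_length(255));
    printf("324-byte input rejected:         %d\n", rejects_input_of_length(324));
    return 0;
}
```

The check `n >= outlen` is the whole fix: it turns an out-of-bounds write into a clean error return, which is exactly the distinction between "crash or code execution" and "request refused" in the Impact section.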

It is important to note that this vulnerability is not remotely exploitable by default. However, if the correct preconditions exist, a remote attacker can exploit this vulnerability. Quoting from MS02-014:

By default, this is not remotely exploitable. However, under very unusual conditions, it could be exploited via a web page. Specifically, if the user has installed, then uninstalled an application with custom URL handlers, and the application’s uninstall routine failed to correctly remove the application completely, an attacker could attempt to mount an attack by constructing an HTML web page that seeks to overrun the buffer. Such a web page could be delivered either by posting it on a web site or sending it by email.

For more details, please see MS02-014 and/or AD20020308.


Impact

An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.


Solution

Apply the patches available from Microsoft Corporation at <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-014.asp>. At the time this document was written, the patches were available from:

* Windows 98: <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015>
* Windows NT 4.0: <http://www.microsoft.com/downloads/release.asp?ReleaseID=36867>
* Windows NT 4.0 with Active Desktop: <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015>
* Windows NT 4.0 Terminal Server Edition: <http://www.microsoft.com/downloads/release.asp?ReleaseID=36869>
* Windows NT 2000: <http://www.microsoft.com/downloads/release.asp?ReleaseID=36880>

Vendor Information


Microsoft Corporation: Affected

Updated: March 11, 2002

Status

Affected

Vendor Statement

Please see <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-014.asp>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23152867 Feedback>).

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | | |
| Temporal | | |
| Environmental | | |

References

Acknowledgements

The CERT Coordination Center thanks Microsoft Corporation for their advisory, on which this document is based. Microsoft credits eEye Digital Security for discovering this vulnerability.

This document was written by Ian A. Finlay.

Other Information

CVE IDs: CVE-2002-0070
Severity Metric: 7.20
Date Public:
