Alert: Microsoft Security Bulletin MS03-045 - Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)

From: Russ (Russ.CooperRC.ON.CA)
Date: Tue Oct 21 2003 - 16:27:43 CDT


Bulletin URL:
http://www.microsoft.com/technet/security/bulletin/MS03-045.asp

Summary:
  Version Number: V1.0
  Revision Date: 10-15-2003
  Impact of Vulnerability: Local Elevation of Privilege
  Maximum Severity Rating: Important
  Patch(es) Replaced: None
  Caveats: None
  CVE Number(s): CAN-2003-065

Tested Software:
  Affected Software:
  * Microsoft Windows NT Workstation 4.0, Service Pack 6a
<http://www.ntbugtraq.com/link/5EA88ABE-8D53-4E25-959C-E80EB5FD7A91.asp>
  * Microsoft Windows NT Server 4.0, Service Pack 6a
<http://www.ntbugtraq.com/link/F3E87075-AAE5-49F4-9D37-24A116296188.asp>
  * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
<http://www.ntbugtraq.com/link/0ADC8D90-2355-49A0-976B-57281B4521C1.asp>
  * Microsoft Windows 2000, Service Pack 2
<http://www.ntbugtraq.com/link/01358EAC-F1C5-4CB7-BE3D-64459F4AD3FD.asp>
  * Microsoft Windows 2000 Service Pack 3, Service Pack 4
<http://www.ntbugtraq.com/link/379F234D-CE7E-4897-8D29-0764997F1E42.asp>
  * Microsoft Windows XP Gold, Service Pack 1
<http://www.ntbugtraq.com/link/ABC764AC-5B7B-4B99-BF3E-F57352E4C507.asp>
  * Microsoft Windows XP 64 bit Edition
<http://www.ntbugtraq.com/link/3E7B03BF-2231-4069-B76F-0BD69CF6E1D9.asp>
  * Microsoft Windows XP 64 bit Edition Version 2003
<http://www.ntbugtraq.com/link/E4BD7C05-EA0E-49C7-9BDD-ABB496CA87CA.asp>
  * Microsoft Windows Server 2003
<http://www.ntbugtraq.com/link/02F97DE4-29DF-4D33-A33B-E7630349E69E.asp>
  * Microsoft Windows Server 2003 64 bit Edition
<http://www.ntbugtraq.com/link/E4BD7C05-EA0E-49C7-9BDD-ABB496CA87CA.asp>

  Software Not Affected:
  * Microsoft Windows Millennium Edition

Technical Description:
A vulnerability exists because the ListBox control and the ComboBox
control both call a function, which is located in the User32.dll file,
that contains a buffer overrun. The function does not correctly validate
the parameters that are sent from a specially-crafted Windows message.
Windows messages provide a way for interactive processes to react to
user events (for example, keystrokes or mouse movements) and to
communicate with other interactive processes. A security vulnerability
exists because the function that provides the list of accessibility
options to the user does not correctly validate Windows messages that
are sent to it. One process in the interactive desktop could use a
specific Windows message to cause the ListBox control or the ComboBox
control to execute arbitrary code. Any program that implements the
ListBox control or the ComboBox control could allow code to be
executed at an elevated level of administrative credentials, as long as
the program is running at an elevated level of privileges (for example,
Utility Manager in Windows 2000). This could include third-party
applications. An attacker who had the ability to log on to a system
interactively could run a program that could send a specially-crafted
Windows message to any applications that have implemented the ListBox
control or the ComboBox control, causing the application to take any
action an attacker specified. This could give an attacker complete
control over the system by using Utility Manager in Windows 2000.

This email is sent to NTBugtraq automatically as a service to my
subscribers. (v2.0)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and
is available from http://www.amazon.com/ranum In this hard-hitting
review of the homeland security business, Ranum shows us how the problem
is vastly harder than it's being made to sound, and how special
interests, butt covering, and bureaucracy are threatening to derail any
chance of making progress.
-----