Unchecked Buffer in Microsoft's File Decompression Functions
Two vulnerabilities exist in the Windows Compressed Folders feature, one of which might let an attacker execute arbitrary code on the vulnerable system.
October 2, 2002
Reported October 2, 2002, by Microsoft.
VERSIONS AFFECTED
· Windows XP
· Windows Me
· Windows 98 with Plus! Pack
DESCRIPTION
Two vulnerabilities exist in the Windows Compressed Folders feature, one of which might let an attacker execute arbitrary code on the vulnerable system. The first vulnerability stems from an unchecked buffer in programs that handle decompressing files from zipped files. Attempts to open a file with a specially malformed filename in a zipped file could result in Windows Explorer failing, or let an attacker run code of his or her choice on the vulnerable system.
The second vulnerability involves the decompression feature and could place a file in a directory that isn't the same as, or a child of, the target directory that the user specifies as the location where the decompressed zip files should be placed. As a result, an attacker could use this vulnerability to place a file in a known location on the vulnerable system, such as the startup directory.
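A check of the kind the second vulnerability calls for, as an added example (not code from Microsoft or the bulletin): before extraction, each entry's destination is resolved and must be the target directory or a child of it. The function names and the sample archive are hypothetical and constructed for illustration.

```python
import io
import os
import zipfile


def escaping_entries(archive_bytes, target_dir):
    """Return names of entries that would be written outside target_dir."""
    root = os.path.realpath(target_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # Treat both separators alike: archives may be built on any OS.
            name = info.filename.replace("\\", "/")
            # Absolute and drive-letter paths ignore the chosen target.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                flagged.append(info.filename)
                continue
            dest = os.path.realpath(os.path.join(root, *name.split("/")))
            # The destination must be the target or a child of it.
            if os.path.commonpath([root, dest]) != root:
                flagged.append(info.filename)
    return flagged


def build_sample_archive():
    """Constructed sample: one ordinary entry and three that escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "ok")
        zf.writestr("../outside.txt", "x")
        zf.writestr("docs/../../outside2.txt", "x")
        zf.writestr("/abs/outside3.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    # "extract_here" is a placeholder target; nothing is written to disk.
    print(escaping_entries(build_sample_archive(), "extract_here"))
```

An extractor would refuse the whole archive, or skip the flagged entries, when this list is non-empty.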
VENDOR RESPONSE
The vendor, Microsoft, has released Security Bulletin MS02-054 (Unchecked Buffer in File Decompression Functions Could Lead to Code Execution) to address these vulnerabilities, and recommends that affected users apply the appropriate patch mentioned in the bulletin.
CREDIT
Joe Testa of Rapid7 Inc. and zen-parse.