|
|
|
|
| |
The Microsoft Windows operating system provides a service which is designed to run a particular application at a given time or date - the Task Scheduler. When a new task is added through the control panel application, a '.job' file containing this information is created and stored in the 'Tasks' folder in the Windows directory.
It has been found that it is possible to create a specially crafted '.job' file which could allow local or remote code execution using a number of different applications as the attack vectors. |
| |
Credit:
The information has been provided by Peter Winter-Smith.
The original article can be found at: http://www.ngssoftware.com/advisories/mstaskjob.txt
|
| |
By crafting a '.job' file which contains overly long parameters, stack based buffers can be overflowed, resulting in critical information, including a saved return address or a structured exception handler structure being completely overwritten, allowing an attacker to direct the code execution flow to an address of their choosing. If the file contains arbitrary executable code, the process can be forced to execute this allowing, in worst cases, complete control over the target system.
The actual vulnerability arises from a lack of boundary checking performed when copying the information out of memory containing the contents of the file into the stack-based buffers.
In some circumstances the overflow is triggered automatically when viewing the directory that contains the job file in an explorer window due to the fact that 'shell32.dll' will detect the '.job' file extension, and load 'mstask.dll' allowing the module to examine the file, which is when the overflow occurs.
Due to the fact that the overflow is triggered by a module loaded within the process space of another running executable, any code which would be executed by exploiting this flaw will be run with the privileges of the user running that application, in the most common cases this would be the user logged on to the machine.
Two applications that have been successfully tested as vectors for exploiting this issue are Windows Explorer and Internet Explorer - when attempting to view network shares containing the '.job' file. File sharing through MSN Messenger has also been proven to be an effective vector for attack. In the case of Internet Explorer, this issue could be exploited simply by viewing a website containing a frame pointing to a network share containing the '.job' file. Please note that there are many other ways of exploiting this issue, this is certainly not an exhaustive list.
Fix Information:
Microsoft have provided a fix for this issue which can be downloaded from the Microsoft Security website at:
http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
|
|
|
|
|
