Software Engineering Institute

There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Quoting from Microsoft Security Bulletin MS02-014:

The Windows Shell is responsible for providing the basic framework of the Windows user interface experience. It is most familiar to users as the Windows Desktop, but also provides a variety of other functions to help define the user's computing session, including organizing files and folders, and providing the means to start applications.

The Windows Shell contains a function designed to locate applications that have been incompletely removed from the system. According to MS02-014, this function contains an unchecked buffer. If an attacker invokes this function and passes an unusually large amount of data to it ("324 or so bytes" according to the eEye Digital Security Advisory [AD20020308]), the attacker can exploit the buffer overflow and execute arbitrary code on the target host or crash the Windows Shell. If the attacker were to execute arbitrary code, it would run with the privileges of the victim.

It is important to note that this vulnerability is not remotely exploitable by default. However, if the correct preconditions exist, a remote attacker can exploit this vulnerability. Quoting from MS02-014:

"By default, this is not remotely exploitable. However, under very unusual conditions, it could be exploited via a web page. Specifically, if the user has installed, then uninstalled an application with custom URL handlers, and the application's uninstall routine failed to correctly remove the application completely, an attacker could attempt to mount an attack by constructing an HTML web page that seeks to overrun the buffer. Such a web page could be delivered either by posting it on a web site or sending it by email."

For more details, please see MS02-014 and/or AD20020308.

An attacker can either execute arbitrary code (any such code would run with the privileges of the victim) or crash the Windows Shell.

Apply the patches available from Microsoft Corporation at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-014.asp. At the time this document was written, the patches were available from:

• Windows 98 http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015
• Windows NT 4.0 http://www.microsoft.com/downloads/release.asp?ReleaseID=36867
• Windows NT 4.0 with Active Desktop http://www.microsoft.com/Downloads/Release.asp?ReleaseID=37015
• Windows NT 4.0 Terminal Server Edition http://www.microsoft.com/downloads/release.asp?ReleaseID=36869
• Windows NT 2000 http://www.microsoft.com/downloads/release.asp?ReleaseID=36880