
Bugtraq mailing list archives
KillProcess 2.20 and priors "FileDescription" Local Buffer Overflow Issue
From: fRoGGz () securityfocus com
Date: 9 Sep 2005 16:11:10 -0000
VULNERABLE PRODUCT
------------------
Software: KillProcess
Platforms: Windows
Version: 2.20 and prior
Original advisory: http://sbox.nightmail.ru
--------------------------

BACKGROUND
----------
This funny application can terminate any Windows process with the click of a button. It can also prevent unwanted processes from ever executing by scanning the active process list for unwanted processes and terminating them on sight.

Source: http://orangelampsoftware.com

DESCRIPTION
-------------
A malicious .exe file with a long FileDescription in its version resource can cause a local buffer overflow that allows attackers to execute arbitrary code.

PROOF OF CONCEPT
----------------
I've coded a 2,78 Ko PoC.
FileDescription has been set to A x 544 bytes.

PoC is available here: http://sbox.nightmail.ru/KillProc_PoC.exe

There is another little bug, but not really dangerous.
If you add an application to killlist, then launch it. Ok, boom ...
But if you start XX same process at the same time, all applications will not be killed.

ANALYSIS
--------
Exploitation of the described vulnerability allows attackers to execute arbitrary code under the context of the user who started Process Explorer.

Exploitation requires that an attacker convince a target user to view properties of malicious executable file with a vulnerable version of Process Explorer.

VENDOR STATUS
-------------
Vendor has been contacted.

Thanks
------
Greets fly out to ATmaCA. This idea was first credit by Kozan.
It was on Jul 20 2005, for another software, so thanks to him ;)

CREDiTS
----------------------
SecuBox Labs - fRoGGz
web: secubox.teria.org
--------------------------
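A defender-side triage example, added here and not part of the original advisory or of KillProcess: it walks a raw version-resource blob and reports string values longer than a threshold, the property the DESCRIPTION section turns on. The 256-character limit, the function names and the sample blob are assumptions constructed for this example; it expects the RT_VERSION blob to have been extracted from the PE file already.

```python
import struct

MAX_CHARS = 256  # assumed triage threshold, not a value from the advisory

def pad4(b):
    """Pad to the 4-byte alignment used between version-resource nodes."""
    return b + b"\0" * (-len(b) % 4)

def wstr(s):
    return (s + "\0").encode("utf-16-le")

def node(key, value=b"", wtype=1, children=()):
    """Build one node of a constructed sample resource (test data only)."""
    head = pad4(b"\0" * 6 + wstr(key))
    body = pad4(value) + b"".join(pad4(c) for c in children) if children else value
    vlen = len(value) // 2 if wtype == 1 else len(value)
    return struct.pack("<HHH", len(head) + len(body), vlen, wtype) + head[6:] + body

def walk(blob, off=0, depth=0):
    """Yield (key, text) for each text-valued node at or below offset off."""
    if depth > 8 or off + 8 > len(blob):
        return
    length, vlen, wtype = struct.unpack_from("<HHH", blob, off)
    if length < 8:
        return  # malformed node; stop instead of looping
    end = min(off + length, len(blob))  # never trust wLength past the buffer
    p = off + 6
    while p + 2 <= end and blob[p:p + 2] != b"\0\0":
        p += 2  # scan the UTF-16LE key up to its NUL
    key = blob[off + 6:p].decode("utf-16-le", "replace")
    vstart = (p + 2 + 3) & ~3
    vend = min(vstart + vlen * (2 if wtype == 1 else 1), end)
    if wtype == 1 and vlen:
        yield key, blob[vstart:vend].decode("utf-16-le", "replace").rstrip("\0")
    child = (vend + 3) & ~3
    while child + 8 <= end:
        yield from walk(blob, child, depth + 1)
        child = (child + max(struct.unpack_from("<H", blob, child)[0], 8) + 3) & ~3

def oversized_strings(blob, limit=MAX_CHARS):
    """Return {key: char_count} for version strings longer than limit."""
    return {k: len(v) for k, v in walk(blob) if len(v) > limit}

# Constructed sample: 544 'A' characters, echoing the figure in the advisory.
SAMPLE = node("VS_VERSION_INFO", b"\0" * 52, 0, [node("StringFileInfo", children=[
    node("040904B0", children=[
        node("FileDescription", wstr("A" * 544)),
        node("ProductName", wstr("Sample"))])])])

if __name__ == "__main__":
    print(oversized_strings(SAMPLE))
```

Every length field is clamped to the buffer before use, so a malformed or truncated resource ends the walk instead of driving an out-of-bounds read in the scanner itself.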
