SANS ISC: MS05-049 Windows Shell Vulnerability

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

MS05-049: Vulnerabilities in Windows Shell Could Allow Remote Code
Execution(900725)

Impact: Remote Code Execution
Rating: Important
Supercedes: MS05-016 and MS05-024

This bulletin has three Parts to it.

Shell Vulnerability- CAN-2005-2122: A vulnerablity exist in the way that Windows handles the .lnk file extention. A .lnk file is a file that is a shortcut which points to another file and can contain properties that are passed on to the file that it is pointing to. As such, an attacker an attacker taking advantage of this would be able to execute code on the victim's system by getting the victim to open the .lnk file.

Shell Vulnerability - CAN-2005-2118: Same information as above. The main difference appears that instead of opening the .lnk file, the victim only needs to view the properties of the .lnk file.

Web View Script Injection Vulnerability - CAN-2005-2117: This vulnerability deals with Web View format used my Microsoft Explorer to view files and their information. A vulnerability exists in the way that Microsoft handles the validation of HTML characters within certain fields on the files. A attacker taking advantage of this
would be able to take complete control of the victim's system if the vicitim views the malicious file with the Web View format turned on in Explorer.

http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx