Microsoft Windows Briefcase Folder Integer Underflow Vulnerability
A Windows Briefcase Folder is a special type of folder that supports synchronization between itself and another folder. This functionality was introduced in Windows 95, and exists in all currently supported versions of Windows.
Remote exploitation of an integer underflow vulnerability in Microsoft Corp.'s Windows could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when parsing a Briefcase database file inside of a Windows Briefcase folder. When parsing this binary file, the vulnerable code reads a 32-bit integer value from the file that represents the number of volumes present in the file. This value is used to allocate a heap buffer. After allocating the buffer, the same value is then subtracted from and used to control the number of bytes read into the file. The subtraction operation can underflow and become a negative number, which is then passed into a function that interprets the result as an unsigned number. This value is then used to control the number of bytes read into the buffer, which leads to a heap buffer overflow.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the briefcase folder. To exploit this vulnerability, an attacker must convince a user to engage in a substantial amount of user interaction. Since a Windows Briefcase Folder is essentially a regular Windows folder and not a file, an attacker must send the targeted user an archive (ZIP/RAR) with a folder inside of it. The user will have to unpack the archive and enter into the folder to trigger the vulnerability. It is also possible to exploit this vulnerability over SMB and WebDAV, but this will trigger a dialog warning about the safety of such an action.
To exploit this vulnerability, an attacker will need to sculpt the heap in such a way that useful content (such as an object pointer) is located beyond the overflowed buffer.
The following Microsoft products are considered vulnerable:
- Windows Vista SP2
- Windows XP SP3
- Windows 7, SP1
- Windows 8
- Server 2003 SP2
- Server 2008, SP2, R2, R2 SP1
- Server 2012
It is possible to disable access to the DLL that contains the vulnerability. This can be performed with the following command:
C:WINDOWSsystem32>cacls.exe synceng.dll /E /P Everyone:N
This will prevent the Windows Briefcase feature from working.
Additionally, Microsoft has recommended disabling the Briefcase shell extension by editing the registry key associated with the Briefcase shell extension CLSID.
Microsoft Corp. has released patches which addresses this issue. For more information, consult their advisory at the following URL:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-1527 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
06/06/2012 Initial Vendor Notification
06/06/2012 Initial Vendor Reply
11/13/2012 Coordinated Public Disclosure
This vulnerability was reported to iDefense by Tal Zeltzer.
Get paid for vulnerability research
Free tools, research and upcoming events
Copyright © 2012 Verisign, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.