Security Advisory 16-jul-2006

 

Vulnerable Products:

Outpost Firewall Pro ver. 3.51.759.6511 (462)

Lavasoft Personal Firewall ver. 1.0.543.5722 (433)

Novell Border Manager Novell Client Firewall 2.0 (some configurations)

 

Summary of problem: The firewall runs its windows under a SYSTEM context. A user with lower privileges than SYSTEM could locate the (open folder) control on some of these windows, terminate the explorer.exe process and then click on the (open folder) control to open a SYSTEM-owned explorer shell, logging in right over the top of the previous user.

Warning: Trying this may cause a certain amount of system instability and/or file corruption.

 

[Figure: thumbnail demonstrating the vulnerability (presc.jpeg)]

 

Explanation of vulnerability: This vulnerability results from not checking whether there is a current instance of explorer.exe before shelling a folder to view. Consequently, when the explorer.exe count is zero, launching ShellExecute to view the folder produces an unexpected result (appears to be a fault in the ShellExecute API?). This programming error may be expected to occur in any program whenever ShellExecute is called to view a folder when the explorer.exe count is zero.
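One way to write the missing check described above, as an added example that is not code from the advisory or from any of the listed vendors. The function names, the process-name list and the sample data are assumptions for illustration, and the Windows section assumes an ANSI (non-UNICODE) build.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#define SHELL_IMAGE "explorer.exe"

/* Case-insensitive match of a whole image name (Windows names ignore case). */
static int name_eq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* Count entries of a process-name list that are exactly `target`. */
size_t count_instances(const char *const *names, size_t n, const char *target) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (names[i] && name_eq(names[i], target)) hits++;
    return hits;
}

/* The check the advisory says was missing: refuse when the count is zero. */
int may_open_folder(const char *const *names, size_t n) {
    return count_instances(names, n, SHELL_IMAGE) > 0;
}

#ifdef _WIN32   /* Windows glue; assumes an ANSI (non-UNICODE) build */
#include <windows.h>
#include <tlhelp32.h>
#include <shellapi.h>
int open_folder_guarded(const char *path) {
    size_t hits = 0;
    PROCESSENTRY32 pe = { sizeof(pe) };                /* dwSize is the first member */
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;        /* fail closed */
    if (Process32First(snap, &pe)) do {
        const char *one[1] = { pe.szExeFile };
        hits += count_instances(one, 1, SHELL_IMAGE);
    } while (Process32Next(snap, &pe));
    CloseHandle(snap);
    if (hits == 0) return 0;                           /* no shell running: do not launch */
    return (INT_PTR)ShellExecuteA(NULL, "open", path, NULL, NULL, SW_SHOWNORMAL) > 32;
}
#endif

int main(void) {
    const char *sample[] = { "System", "services.exe", "fw_ui.exe" };  /* constructed list */
    printf("launch allowed: %d\n", may_open_folder(sample, 3));
    return 0;
}
```

The check and the launch are separate steps, so this narrows the condition the advisory describes; it does not change the fact that the launching process runs as SYSTEM.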

 

Exploit: none necessary.

Timeline:

    Discovered 10-jul-2006

    Vendor notified 12-jul-2006

    Vendor responded, assigning ticket number: sb-03-037491-001-t (BTS16825) 13-jul-2006

    No fix is available as yet

 
