Security Advisory 16-jul-2006
Vulnerable Products:
Outpost Firewall Pro
ver. 3.51.759.6511 (462)
Lavasoft Personal Firewall ver. 1.0.543.5722 (433)
Novell Border Manager Novell Client Firewall 2.0 (some configurations)
Summary of problem: The firewall runs its windows under a SYSTEM context.
A user with lower privileges than SYSTEM could locate the (open folder) control on some
of these windows, terminate the explorer.exe process and then click on the (open folder) control
to open a SYSTEM owned explorer shell logging in right over the top of the previous user Warning Trying this
may cause a certain amount of system instability and or file corruption.
A thumbnail demonstrating the vulnerability
Explanation of vulnerabilty: This vulnerabilty results from not checking if there is a current instance
of explorer.exe before shelling a folder to view. Consequently when the explorer.exe count is zero and launching ShellExecute
to view the folder produces an unexpected result (Appears to be a fault in ShellExecute API?). This programming error maybe expected
to occur in any program whenever ShellExecute is called to view a folder, when explorer.exe count is zero.
Exploit: none necessary.
Timeline:
Discovered 10-jul-2006
Vendor notified 12-jul-2006
Vendor responded, assigning ticket number: sb-03-037491-001-t (BTS16825) 13-jul-2006
No fix is available as yet