Vigil@nce: Windows, code execution via SearchPath
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A library downloaded to the desktop can be loaded and lead to
malicious code execution.
Severity: 2/4
Consequences: user access/rights
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 15/04/2009
IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The SearchPath function searches an ordered list of directories to
locate a file, such as a library to load.
However, in this order the desktop comes before the system
directories. When a program loads a library that is not yet loaded,
and a file with the library's name is located on the desktop, that
file is the one loaded.
This behaviour can therefore be exploited when the attacker:
– can place a file on the desktop without any warning (via Apple
Safari, for example)
– can force a program to load a new library (via Internet
Explorer opening a new file format)
A library downloaded to the desktop can therefore be loaded and
lead to malicious code execution.
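As an added defensive check, not part of the Vigil@nce advisory: the MS09-015 update (KB 959426, listed in the identifiers below) introduced a "safe process search mode" for SearchPath that searches the current directory (the desktop, in the scenario above) after the system and Windows directories instead of before them; it is enabled machine-wide through the SafeProcessSearchMode value under the Session Manager registry key, or per process through the SetSearchPathMode API. The script below reads that value and reports whether the mitigation is active; the function names are my own.

```powershell
# Added example (not from the advisory): audit the SearchPath mitigation
# shipped with MS09-015 / KB 959426. With SafeProcessSearchMode = 1 the
# current directory is searched after the system directories, so a
# same-named file dropped on the desktop no longer takes precedence.
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName      = 'SafeProcessSearchMode'

function Get-SafeProcessSearchMode {
    # Returns the current state; a missing value means the legacy
    # (unsafe) search order is still in effect.
    $item = Get-ItemProperty -Path $SessionManager -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$ValueName } else { $null }
    [pscustomobject]@{
        Key         = $SessionManager
        Value       = $ValueName
        RawValue    = $raw
        SafeMode    = ($raw -eq 1)
        SearchOrder = if ($raw -eq 1) {
            'application dir, system dirs, Windows dir, current dir, PATH'
        } else {
            'application dir, current dir, system dirs, Windows dir, PATH'
        }
    }
}

function Enable-SafeProcessSearchMode {
    # Sets the machine-wide value (needs an elevated shell). Processes
    # started afterwards use the safe order; running ones are unaffected.
    if (-not (Test-Path $SessionManager)) { throw "Key not found: $SessionManager" }
    New-ItemProperty -Path $SessionManager -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-SafeProcessSearchMode
}

$state = Get-SafeProcessSearchMode
$state | Format-List
if (-not $state.SafeMode) {
    Write-Warning 'SearchPath still searches the current directory before the system directories (see MS09-015).'
}
```

Run Enable-SafeProcessSearchMode from an elevated prompt to apply the mitigation; the KB 959426 update must already be installed for the value to have any effect.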
CHARACTERISTICS
Identifiers: 959426, BID-29445, CVE-2008-2540, MS09-015,
VIGILANCE-VUL-8633
http://vigilance.fr/vulnerability/Windows-code-execution-via-SearchPath-8633