Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [SA20717] Microsoft Windows Object Packager Dialog Spoofing Vulnerability



> 
> TITLE:
> Microsoft Windows Object Packager Dialog Spoofing Vulnerability
> 
> SECUNIA ADVISORY ID:
> SA20717
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/20717/
> 
> CRITICAL:
> Less critical
> 
> IMPACT:
> Spoofing, System access
> 
> WHERE:
> From remote
> 
> OPERATING SYSTEM:
> Microsoft Windows Server 2003 Datacenter Edition
> http://secunia.com/product/1175/
> Microsoft Windows Server 2003 Enterprise Edition
> http://secunia.com/product/1174/
> Microsoft Windows Server 2003 Standard Edition
> http://secunia.com/product/1173/
> Microsoft Windows Server 2003 Web Edition
> http://secunia.com/product/1176/
> Microsoft Windows XP Professional
> http://secunia.com/product/22/
> 
> DESCRIPTION:
> Secunia Research has discovered a vulnerability in Microsoft Windows,
> which can be exploited by malicious people to conduct spoofing
> attacks.
> 
> The vulnerability is caused due to an input validation error in the
> Object Packager (packager.exe) in the handling of the "Command Line"
> property. This can be exploited to spoof the filename and the
> associated file type in the Packager security dialog by including a
> "/" slash character in the "Command Line" property.
> 
> Example:
> cmd /c [shell command] /[file].txt
> 
> This can further be exploited to execute arbitrary shell commands on
> a user's system by tricking a user into opening and interacting with
> e.g. a malicious Rich Text document or Word document containing an
> embedded Package object in e.g. WordPad.
> 
> SOLUTION:
> Apply patches.
> 
> Microsoft Windows XP (with SP1 or SP2):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=86c2b78e-53bf-4ddd-88f6-5d12c6d18c90
> 
> Microsoft Windows XP Professional x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=2ac72356-7772-41b6-b4a6-7215c89f7347
> 
> Microsoft Windows Server 2003 (with or without SP1):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=e2f5b9f9-4481-44f9-9aef-1af0afae8319
> 
> Microsoft Windows Server 2003 for Itanium-based Systems (with or
> without SP1):
> http://www.microsoft.com/downloads/details.aspx?FamilyId=8c9a22a6-bd61-4fd4-9aa4-012d745046da
> 
> Microsoft Windows Server 2003 x64 Edition:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=ec4f4f72-8467-4964-ad28-ed9ea7562e0b
> 
> PROVIDED AND/OR DISCOVERED BY:
> Andreas Sandblad, Secunia Research.
> 
> ORIGINAL ADVISORY:
> MS06-065 (KB924496):
> http://www.microsoft.com/technet/security/Bulletin/MS06-065.mspx
> 
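
A triage check for the pattern the advisory describes, as an added example that is not part of the advisory or of Microsoft's fix. It assumes the "Command Line" string has already been extracted from an embedded Package object and that the text after the last "/" is what the dialog presents as the filename; the function names and both lookup lists are hypothetical.

```python
import ntpath

# Constructed lists for illustration; tune them for your environment.
BENIGN_EXTS = {".txt", ".rtf", ".doc", ".jpg", ".png", ".pdf", ".bmp", ".gif"}
INTERPRETERS = {"cmd", "command", "powershell", "wscript", "cscript", "mshta"}

def first_token(cmdline):
    """Return the program part of a command line, honouring a quoted path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""

def apparent_name(cmdline):
    """Text after the last '/' (assumption: this is what the dialog shows)."""
    return cmdline.rsplit("/", 1)[1].strip() if "/" in cmdline else ""

def assess(cmdline):
    """Return a list of findings for one Package 'Command Line' value."""
    findings = []
    target = ntpath.basename(first_token(cmdline)).lower()
    prog = target[:-4] if target.endswith((".exe", ".com")) else target
    shown = apparent_name(cmdline)
    shown_ext = ntpath.splitext(shown)[1].lower()
    # The line starts a command interpreter rather than opening a document.
    if prog in INTERPRETERS:
        findings.append("interpreter:" + prog)
    # The name a user would see looks like a document but is not what runs.
    if shown and shown_ext in BENIGN_EXTS and target != shown.lower():
        findings.append("display-mismatch:" + shown)
    return findings

if __name__ == "__main__":
    samples = [
        "cmd /c [shell command] /[file].txt",  # pattern from the advisory
        r"C:\docs\report.txt",                 # constructed benign value
        "C:/docs/report.txt",                  # constructed benign value
    ]
    for s in samples:
        print(s, "->", assess(s) or "ok")
```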



 




Copyright © Lexa Software, 1996-2009.