Thread-topic: [SA26800] Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
>
> TITLE:
> Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
>
> SECUNIA ADVISORY ID:
> SA26800
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/26800/
>
> CRITICAL:
> Moderately critical
>
> IMPACT:
> System access
>
> WHERE:
> From remote
>
> OPERATING SYSTEM:
> Microsoft Windows XP Professional
> http://secunia.com/product/22/
>
> DESCRIPTION:
> Jonathan Sarba has discovered a vulnerability in Microsoft Windows,
> which potentially can be exploited by malicious people to compromise
> a vulnerable system.
>
> The vulnerability is caused due to a boundary error in the
> "FindFile()" function of the CFileFind class in mfc42.dll and
> mfc42u.dll. This can be exploited to cause a heap-based buffer
> overflow by passing an overly long argument to the affected
> function.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability is confirmed on a fully-patched Windows XP SP2
> including mfc42.dll version 6.2.4131.0 and mfc42u.dll version
> 6.2.8071.0.
>
> The following products are currently known to have vectors allowing
> exploitation:
> * HP All-in-One Series Web Release software/driver installer version
> 2.1.0
> * HP Photo & Imaging Gallery version 1.1
>
> Other versions and applications using the vulnerable library may also
> be affected.
>
> SOLUTION:
> Restrict access to applications allowing user-controlled input to be
> passed to the vulnerable function.
>
> Applications using the vulnerable library should check the length of
> the user input before passing it to the affected function.
>
> PROVIDED AND/OR DISCOVERED BY:
> Jonathan Sarba, GoodFellas Security Research Team.
>
> ORIGINAL ADVISORY:
> http://goodfellas.shellcode.com.ar/own/VULWKU200706142
>
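As an added illustration of the length check that the SOLUTION section recommends (this is my example code, not code from Secunia, GoodFellas or Microsoft): validate the search pattern before it ever reaches CFileFind::FindFile(). The bound of MAX_PATH (260 characters, terminator included) is an assumption for the example, since the advisory does not state the size of the internal buffer in mfc42.dll; the SafeFindFile() wrapper and its name are hypothetical and only compile where MFC is present. The check counts characters rather than bytes so it also holds for the Unicode build (mfc42u.dll), and it never scans past the limit, so an unterminated input cannot make the check itself read out of bounds.

```cpp
#include <cstddef>
#include <string>

// Assumed bound: the Win32 MAX_PATH of 260 characters, terminator included.
// The advisory does not give the size of the buffer inside mfc42.dll's
// CFileFind::FindFile(), so this limit is an assumption for the example,
// chosen because FindFile() ultimately hands the pattern to FindFirstFile().
#ifndef MAX_PATH
#define MAX_PATH 260
#endif

// Length of a NUL-terminated string, never scanning past `limit` characters,
// so a missing terminator cannot make the check itself read out of bounds.
// Works for both the ANSI (mfc42.dll, char) and Unicode (mfc42u.dll, wchar_t)
// builds: the count is in characters, not bytes.
template <typename CharT>
std::size_t BoundedLength(const CharT* s, std::size_t limit) {
    std::size_t n = 0;
    while (n < limit && s[n] != CharT(0)) {
        ++n;
    }
    return n;
}

// True when `pattern` may be handed to FindFile(): non-null and strictly
// shorter than MAX_PATH characters, leaving room for the terminator.
// Anything that reaches the limit is rejected without looking further.
template <typename CharT>
bool IsSafeFindPattern(const CharT* pattern) {
    if (pattern == nullptr) {
        return false;
    }
    return BoundedLength(pattern, MAX_PATH) < MAX_PATH;
}

#ifdef _MFC_VER
// Hypothetical guarded wrapper, compiled only where MFC (afx.h) is present.
// The affected function is reached only after the length check passes;
// FindFile() itself is left unchanged.
bool SafeFindFile(CFileFind& finder, LPCTSTR pattern) {
    if (!IsSafeFindPattern(pattern)) {
        return false;  // refuse rather than pass an overlong pattern on
    }
    return finder.FindFile(pattern) != FALSE;
}
#endif

int main() {
    // Constructed inputs: an ordinary pattern, the longest accepted one,
    // and the kind of overly long argument the advisory describes.
    const std::string ok("C:\\Documents and Settings\\user\\My Pictures\\*.jpg");
    const std::string longest(MAX_PATH - 1, 'A');
    const std::string overlong(4096, 'A');
    const std::wstring overlongW(4096, L'A');

    return (IsSafeFindPattern(ok.c_str())
            && IsSafeFindPattern(longest.c_str())
            && !IsSafeFindPattern(overlong.c_str())
            && !IsSafeFindPattern(overlongW.c_str())) ? 0 : 1;
}
```

Call sites that take a search pattern from a file name, a document or a network-supplied string would route it through SafeFindFile() and treat a false return as a rejected input rather than as "no files found". This only protects the calling application; it does not change mfc42.dll, so every other consumer of the library stays exposed until the library itself is fixed.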