Security Bulletin

Microsoft Security Bulletin MS02-054 - Important

Unchecked Buffer in File Decompression Functions Could Lead to Code Execution (Q329048)

Published: October 02, 2002 | Updated: February 28, 2003

Version: 1.3

Originally posted: October 02, 2002

Updated: February 28th, 2003

Summary

Who should read this bulletin:  Customers using Microsoft® Windows® 98 with Plus! Pack, Windows Me, or Windows XP

Impact of vulnerability:  Two vulnerabilities, the most serious of which could run code of attacker's choice

Maximum Severity Rating:  Moderate

Recommendation:  Consider applying the patch to affected systems

Affected Software:

  • Microsoft Windows 98 with Plus! Pack
  • Microsoft Windows Me
  • Microsoft Windows XP

General Information

Technical details

Technical description:

Zipped files (files having a .zip extension) provide a means to store information in a way that uses less space on a hard disk. This is accomplished by compressing the files that are put into the zipped file. On Windows 98 with Plus! Pack, Windows Me and Windows XP, the Compressed Folders feature allows zipped files to be treated as folders. The Compressed Folders feature can be used to create, add files to, and extract files from zipped files.

Two vulnerabilities exist in the Compressed Folders function:

  • An unchecked buffer exists in the program that handles the decompressing of files from a zipped file. A security vulnerability results because attempts to open a file with a specially malformed filename contained in a zipped file could result in Windows Explorer failing, or in code of the attacker's choice being run.
  • The decompression function could place a file in a directory that was not the same as, or a child of, the target directory specified by the user as the place where the decompressed files should be put. This could allow an attacker to put a file in a known location on the user's system, such as placing a program in a startup directory.

Mitigating factors:

  • The vulnerabilities could not be exploited without user intervention. The attacker would need to entice the user to receive, store, and open the zipped file provided by the attacker.
  • The vulnerabilities could not be exploited remotely. An attacker would need to lure a user into receiving the zipped file onto the user's machine. Best practices suggest users not accept e-mail attachments from people who are not trusted, and not to download files from untrusted Internet sites.
  • On Windows 98 and Windows Me, the Compressed Folders feature is not installed by default. Users who had not installed this feature would not be vulnerable.

Severity Rating:

Unchecked Buffer in Zipped File Handling

                                        Internet Servers  Intranet Servers  Client Systems
Microsoft Windows 98 with PLUS! Pack    Low               Low               Moderate
Microsoft Windows Me                    Low               Low               Moderate
Microsoft Windows XP                    Low               Low               Moderate

Incorrect Target Path for Zipped File Decompression

                                        Internet Servers  Intranet Servers  Client Systems
Microsoft Windows 98 with PLUS! Pack    Low               Low               Moderate
Microsoft Windows Me                    Low               Low               Moderate
Microsoft Windows XP                    Low               Low               Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. For this vulnerability to be exploited, a user would have to receive a zipped file from an attacker, store it locally, and attempt to decompress the zipped file.

Vulnerability identifiers:

  • Unchecked Buffer in Zipped File Handling: CAN-2002-0370
  • Incorrect Target Path for Zipped File Decompression: CAN-2002-1139

Tested Versions:

Microsoft tested Microsoft Windows XP, Windows ME, and Windows 98 with Plus! Pack to assess whether they are affected by this vulnerability. Microsoft Windows NT 4.0 and Windows 2000 do not have the affected feature. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What vulnerabilities are addressed by this patch?
This patch addresses two vulnerabilities:

  • A vulnerability that could enable an attacker to run code on a user's system in the context of the user
  • A vulnerability that could allow an attacker to place files in the location of their choosing on a user's system

What is the Compressed Folders feature?
The Compressed Folders feature enables users to store data files and folders in a compressed (or zipped) format, thereby requiring less space to store them. The feature allows users to create, add files to, and extract files from zipped files. The Compressed Folders feature is available on

  • Windows 98 with the Plus! Pack (not installed by default)
  • Windows Me (not installed by default)
  • Windows XP

On Windows XP, zipped folders are referred to as Compressed (Zipped) Folders.

What is the Plus! Pack for Windows 98?
The Plus! Pack for Windows 98 contains a collection of features including Compressed Folders, Virus Scanning, Desktop Themes, a File Cleaner, a Start Menu Cleaner, and assorted games.

Why are these folders called "Compressed (Zipped) Folders" on Windows XP?
Windows supports two types of compression:

  • Compression by using the Compressed (Zipped) Folders feature which creates a file with the extension of .zip. This is the feature that contains the vulnerability.
  • NTFS compression, which compresses files using a different compression algorithm. This feature is not affected by the vulnerability.

Unchecked Buffer in Zipped File Handling (CAN-2002-0370)

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If an attack is successful, either Windows Explorer might fail, or, if the data were particularly crafted, an attacker's program might be run on the system. If the attacker's program were to run, it would execute with the privileges of the user. The vulnerability could only be exploited if the user had taken specific actions, namely, attempting to open a file with a specially malformed filename from a zipped archive using the Compressed Folders feature. The attacker would have to convince the user to receive the file from the attacker, store the file on the user's computer, and then uncompress the zipped file.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the part of the Compressed Folders feature that handles the decompressing of zipped files. The decompressing function does not properly handle very long filenames inside of a zipped file.

What could an attacker use this vulnerability to do?
If the user attempts to open or decompress a file having a specially malformed filename from the zipped archive using the Compressed Folders feature, it could cause the Explorer process to fail, or if the data used in the specially malformed filename were carefully selected, could run a program on the user's computer with the privileges of the user.

How might an attacker exploit this vulnerability?
For an attack to be successful, the attacker would first need to lure the user into receiving the zip file containing the file with the specially malformed filename and then the user would have to attempt to open or uncompress that file. The attacker would likely attempt to lure the user into receiving the zip file by one of the following methods:

  • The attacker could have a web site with the zip file available for download
  • The attacker could send an e-mail with the zip file as an attachment

Is this vulnerability remotely exploitable?
No. The Compressed Folders feature is presented via Windows Explorer and My Computer and the user must perform an action on their local computer. An attacker would need to lure a user into receiving the zipped file onto the user's machine. There is no way for the attacker to place the zipped file on the user's machine without the user taking an action. The attacker could host a malformed zip file on a web site, but the user would need to download and attempt to decompress the file. Best practices suggest users not accept e-mail attachments or downloads from people who are not trusted, and this underscores why users should not download files from untrusted Internet sites.

I've downloaded a zipped file. Can I use Explorer to see if there are files with malformed filenames in it?
The Compressed Folders feature can be used with Windows Explorer and My Computer, so the filenames of the files inside of a zipped file appear in the same way that folders are normally viewed. However, if the file name is too long to be displayed, Explorer displays only the file's icon. It may not be possible for the user to see that the filename is malformed simply by browsing the zip file. If you are unable to see a filename for a file in the zipped file, the file might not be safe to unzip.

What does the patch do?
The patch addresses the vulnerability by implementing proper checking in the affected function in the Compressed Folders feature.

Incorrect Target Path for Zipped File Decompression (CAN-2002-1139)

What's the scope of the vulnerability?
This vulnerability could allow an attacker to place a file in a location of their choosing on the user's system. This could allow an attacker to place a program in the startup folder, for example. Like the first vulnerability, the vulnerability could only be exploited if the user had taken specific actions, namely, attempting to open a file with a specially malformed filename from a zipped archive using the Compressed Folders feature. The attacker would have to convince the user to receive the file from the attacker, store the file on the user's computer, and then uncompress the zipped file. The attacker would need to know the specific file path to be used as the target for the decompressed file, as the vulnerability gives no way to discover directory structures.

What causes the vulnerability?
The vulnerability results because the target folder for compressed files being unzipped is not checked. Files that are being decompressed from a zip file should only be placed in or below a target folder.

What is a target folder?
A target folder is the destination where a file should be placed when being decompressed from a zipped file. A zipped file can contain a directory structure, so decompressing the zipped file could create subdirectories and place files in those subdirectories as well.

What's wrong with the way file names are handled when decompressing a compressed file?
The routine that decompresses the zipped file does not check the target folder to verify that it is the same as, or a child of, the directory specified by the user.

What could an attacker use this vulnerability to do?
A user might receive a zipped file from an attacker that includes a file with a specially crafted filename. If the user decompresses the zipped file, it could be possible to place the file in a known location on the user's system. For example, an attacker might be able to place an executable file in a startup directory.

How might an attacker exploit this vulnerability?
For an attack to be successful, the attacker would first need to lure the user into receiving the zip file containing the file with the specially crafted filename and then the user would have to uncompress that file. The attacker would likely attempt to lure the user into receiving the zip file by one of the following methods:

  • The attacker could have a web site with the zip file available for download
  • The attacker could send an e-mail with the zip file as an attachment

When the zipped file is decompressed, a file could be placed on the computer in a folder specified by the attacker. For example, this might allow the attacker to place a file in a startup folder, which could allow a file to be executed during the startup process.

Is this vulnerability remotely exploitable?
No, just as with the first vulnerability described above, an attacker would need to lure a user into receiving the zipped file onto the user's machine.

What does the patch do?
The patch addresses the vulnerability by implementing proper target path checking in the Compressed Folders feature.
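As an added illustration of the two checks the bulletin says the patch introduces (length checking of entry names for CAN-2002-0370 and target path checking for CAN-2002-1139), the following Python audits a constructed archive before anything is written to disk. This is not Microsoft's code; the 255-character limit and the /tmp/extract target folder are assumptions chosen for the demonstration.

```python
import io
import os
import zipfile

# Assumed limit for the demonstration; the bulletin states only that
# "very long filenames" overflowed the buffer, not the exact size.
MAX_NAME_LEN = 255


def safe_target(target_dir, member_name):
    """Return the absolute path an entry would be written to, or None if
    that path is neither the target folder itself nor a child of it."""
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, member_name))
    # Compare normalised paths and require a separator after the root:
    # a bare prefix test would accept "/tmp/extract-evil" under "/tmp/extract".
    if dest == root or dest.startswith(root + os.sep):
        return dest
    return None


def audit_zip(data, target_dir):
    """Classify every entry as 'ok', 'long-name' or 'escapes-target'
    without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if len(name) > MAX_NAME_LEN:
                findings.append((name, "long-name"))
            elif safe_target(target_dir, name) is None:
                findings.append((name, "escapes-target"))
            else:
                findings.append((name, "ok"))
    return findings


def build_sample():
    """Constructed archive: a benign entry, an over-long name, and an
    entry that uses '..' to climb out of the extraction folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("A" * 300 + ".txt", "x")
        zf.writestr("../../startup/placeholder.txt", "x")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in audit_zip(build_sample(), "/tmp/extract"):
        print(f"{verdict:15} {name[:40]}")
```

Entries flagged as escapes-target are exactly the ones the patched decompression routine refuses to place, and the realpath comparison also catches absolute names and symlinked folders that a plain string prefix test would miss.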

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

  • This patch can be installed on systems running Windows 98 or Windows 98 Second Edition.
  • This patch can be installed on systems running Windows Millennium Edition.
  • This patch can be installed on systems running Windows XP Gold and Windows XP Service Pack 1.

Inclusion in future service packs:

  • The fix for these issues will be included in Windows XP Service Pack 2.
  • The fix for Unchecked Buffer in Zipped File Handling is also included in Windows XP Service Pack 1.

Reboot needed:

  • Windows 98: Yes
  • Windows Me: Yes
  • Windows XP: Yes

Patch can be uninstalled:

  • Windows 98: No
  • Windows Me: No
  • Windows XP: Yes

Superseded patches: None.

Verifying patch installation:

  • Windows 98 with Plus! Pack:

    To verify that the patch has been installed, perform the following steps:

    • Execute the QFECHECK program using Start - Run
    • Expand the W98 tree (click on the + next to W98)
    • Look for the string "Q329048" (without the quotes)
  • Windows Me:

    To verify that the patch has been installed, perform the following steps:

    • Execute the QFECHECK program using Start - Run
    • Expand WINME tree (click on the + next to WinME)
    • Look for the string "Q329048" (without the quotes)
  • Windows XP:

    To verify that the patch has been installed, confirm that the following registry key has been created on the machine:

    Windows XP Gold -

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329048

    Windows XP Service Pack 1 -

    HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329048

    To verify the individual files, use the date/time and version information provided in the following registry key:

    Windows XP Gold -

    HKLM\Software\Microsoft\Updates\Windows XP\SP1\Q329048\Filelist

    Windows XP Service Pack 1 -

    HKLM\Software\Microsoft\Updates\Windows XP\SP2\Q329048\Filelist

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks the following people for working with us to protect customers:

  • Joe Testa of Rapid7, Inc. (https://www.rapid7.com/) for reporting the Unchecked Buffer in Zipped File Handling vulnerability.
  • zen-parse for reporting the Incorrect Target Path for Zipped File Decompression vulnerability.

Support:

  • Microsoft Knowledge Base article Q329048 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (October 02, 2002): Bulletin Created.
  • V1.1 (October 07, 2002): Updated information on verifying patch installation for Windows XP.
  • V1.2 (October 09, 2002): Updated to correct uninstall information for Windows 98 and Windows ME.
  • V1.3 (February 28, 2003): Updated download links to Windows Update.
