ADVISORIES | July 1, 2012

Windows Kernel Library Filename Parsing Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Windows. User interaction is required: the target must open or browse to a file or subfolder with a specially crafted name on a network SMB share, UNC path, or WebDAV web folder.

The vulnerability exists in a core operating system DLL. Any user-mode application that browses the file system through the Windows API can trigger it; for example, a user navigating to the malicious folder from a File -> Open dialog is enough.

Routines within KERNEL32.DLL do not properly validate substructure elements before using them to manipulate memory. Because the file server controls the data those elements are parsed from, this leads to memory corruption, which an attacker can use to run arbitrary code in the context of the current user.

IOActive has developed a proof-of-concept Unicode exploit that overwrites the saved return address with arbitrary data sent by a modified SMB server.
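The defect class described above (an unvalidated element of a server-supplied structure driving a copy into a fixed buffer, ending in an overwritten saved return address) as an added illustration. This is not IOActive's proof of concept and not kernel32 code: the directory-entry structure, the 64-byte name buffer, the frame layout and the stand-in return address are all assumptions made for the model, and the frame is a byte array so the overwrite can be observed without corrupting the real stack. The unchecked copy sits beside a version that validates the element first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one directory-listing entry as returned by a file
 * server. A malicious SMB server chooses name_len; nothing on the client
 * side has validated it yet. Illustrative layout, not the real SMB or
 * kernel32 structure. */
struct dir_entry {
    uint32_t name_len;        /* length of name in bytes (UTF-16 data), attacker controlled */
    const uint16_t *name;     /* UTF-16 code units, not NUL-terminated */
};

/* Model of the parsing routine's stack frame: a fixed-size name buffer
 * immediately followed by the saved return address. Assumed sizes. */
#define NAME_BUF_BYTES 64
#define FRAME_BYTES    (NAME_BUF_BYTES + sizeof(uint64_t))
#define ORIGINAL_RET   0x00007FF612345678ULL   /* arbitrary stand-in address */

struct frame {
    uint8_t bytes[FRAME_BYTES];
};

static void frame_init(struct frame *f) {
    uint64_t ret = ORIGINAL_RET;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + NAME_BUF_BYTES, &ret, sizeof ret);
}

uint64_t frame_saved_return(const struct frame *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + NAME_BUF_BYTES, sizeof ret);
    return ret;
}

/* Vulnerable pattern: the length element of the entry drives the copy
 * without ever being checked against the destination buffer. */
void copy_name_unchecked(struct frame *f, const struct dir_entry *e) {
    memcpy(f->bytes, e->name, e->name_len);   /* runs past the buffer when name_len > 64 */
}

/* Hardened pattern: validate the element before it touches memory. Rejects
 * lengths that do not fit and odd byte counts that cannot be UTF-16. */
bool copy_name_checked(struct frame *f, const struct dir_entry *e) {
    if (e->name_len > NAME_BUF_BYTES || (e->name_len % 2) != 0)
        return false;
    memcpy(f->bytes, e->name, e->name_len);
    return true;
}

/* Constructed crafted name: 32 'A' code units fill the buffer exactly, then
 * four 0x4242 code units land on the saved return address. 72 bytes total,
 * deliberately sized to stay inside the model frame. */
static void build_crafted_name(uint16_t name[36]) {
    for (size_t i = 0; i < 32; i++) name[i] = 0x0041;
    for (size_t i = 32; i < 36; i++) name[i] = 0x4242;
}

/* Saved return address after the unchecked routine parses the crafted entry. */
uint64_t saved_return_after_unchecked_copy(void) {
    uint16_t crafted[36];
    struct frame f;
    build_crafted_name(crafted);
    struct dir_entry e = { .name_len = (uint32_t)sizeof crafted, .name = crafted };
    frame_init(&f);
    copy_name_unchecked(&f, &e);
    return frame_saved_return(&f);          /* 0x4242424242424242 */
}

/* Saved return address after the checked routine sees the same entry. */
uint64_t saved_return_after_checked_copy(void) {
    uint16_t crafted[36];
    struct frame f;
    build_crafted_name(crafted);
    struct dir_entry e = { .name_len = (uint32_t)sizeof crafted, .name = crafted };
    frame_init(&f);
    (void)copy_name_checked(&f, &e);        /* rejected: 72 > NAME_BUF_BYTES */
    return frame_saved_return(&f);          /* ORIGINAL_RET, untouched */
}

/* The check must still accept an ordinary entry (constructed name "hello"). */
bool checked_copy_accepts_benign(void) {
    uint16_t benign[5] = { 'h', 'e', 'l', 'l', 'o' };
    struct frame f;
    struct dir_entry e = { .name_len = (uint32_t)sizeof benign, .name = benign };
    frame_init(&f);
    if (!copy_name_checked(&f, &e)) return false;
    return frame_saved_return(&f) == ORIGINAL_RET &&
           memcmp(f.bytes, benign, sizeof benign) == 0;
}

int main(void) {
    printf("unchecked: saved return = 0x%016llx\n",
           (unsigned long long)saved_return_after_unchecked_copy());
    printf("checked:   saved return = 0x%016llx\n",
           (unsigned long long)saved_return_after_checked_copy());
    printf("checked accepts benign name: %s\n",
           checked_copy_accepts_benign() ? "yes" : "no");
    return 0;
}
```

The crafted name is entirely valid UTF-16, which is the point of a Unicode filename exploit: nothing in the name itself looks malformed, so only a length check against the destination buffer (not a character-validity check) stops the copy. The same validation has to happen for every element the server supplies that later selects an offset, count or size.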