Thread-topic: [SA26800] Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
> Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow
> SECUNIA ADVISORY ID:
> VERIFY ADVISORY:
> Moderately critical
> System access
> From remote
> OPERATING SYSTEM:
> Microsoft Windows XP Professional
> Jonathan Sarba has discovered a vulnerability in Microsoft Windows,
> which potentially can be exploited by malicious people to compromise
> a vulnerable system.
> The vulnerability is caused due to a boundary error in the
> "FindFile()" function of the CFileFind class in mfc42.dll and
> mfc42u.dll. This can be exploited to cause a heap-based buffer
> overflow by passing an overly long argument to the affected
> Successful exploitation may allow execution of arbitrary code.
> The vulnerability is confirmed on a fully-patched Windows XP SP2
> including mfc42.dll version 6.2.4131.0 and mfc42u.dll version
> The following products are currently known to have vectors allowing
> * HP All-in-One Series Web Release software/driver installer version
> * HP Photo & Imaging Gallery version 1.1
> Other versions and applications using the vulnerable library may also
> be affected.
> Restrict access to applications allowing user-controlled input to be
> passed to the vulnerable function.
> Applications using the vulnerable library should check the length of
> the user input before passing it to the affected function.
> PROVIDED AND/OR DISCOVERED BY:
> Jonathan Sarba, GoodFellas Security Research Team.
> ORIGINAL ADVISORY:
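The advisory's solution for application developers is to check the length of user-controlled input before it reaches CFileFind::FindFile(). The following is an added example illustrating that guard; it is not code from the advisory, from Secunia, or from the affected HP products. The names is_safe_find_pattern and guarded_find_file are hypothetical, and the choice of MAX_PATH (260) as the bound is an assumption: the advisory does not state the size of the overflowed heap buffer, so an application should use whatever limit its own path handling actually requires. The MFC call is only compiled when USE_MFC is defined (an assumed project-level macro), so the guard itself builds and tests on any platform.

```cpp
// Added example (not part of the quoted advisory): a length guard that an
// application can apply to user-supplied search patterns before handing them
// to CFileFind::FindFile(), the function the advisory says can overflow a
// heap buffer when given an overly long argument.
#include <cstddef>
#include <string>

#ifdef USE_MFC            // assumed macro: define it when building inside an MFC project
#include <afx.h>
#endif

#ifndef MAX_PATH
// Windows' MAX_PATH (260) is the bound this example assumes; defined here so
// the guard also compiles outside Windows for testing.
#define MAX_PATH 260
#endif

// Returns true when `pattern` is safe to pass on: non-empty, no embedded NUL
// (which would silently truncate the C string), and strictly shorter than
// MAX_PATH so that it fits in a MAX_PATH-sized buffer with its terminator.
bool is_safe_find_pattern(const std::string& pattern)
{
    if (pattern.empty()) return false;
    if (pattern.find('\0') != std::string::npos) return false;
    return pattern.size() < MAX_PATH;   // leave room for the terminating NUL
}

// Wrapper around the vulnerable call. The guard runs first; only input that
// passes is ever given to CFileFind::FindFile().
// Return values: 1 = file(s) found, 0 = none found, -1 = rejected by the guard.
int guarded_find_file(const std::string& user_pattern)
{
    if (!is_safe_find_pattern(user_pattern)) {
        return -1;  // refuse over-long or malformed input instead of calling FindFile()
    }
#ifdef USE_MFC
    CFileFind finder;
    return finder.FindFile(CString(user_pattern.c_str())) ? 1 : 0;
#else
    return 0;       // outside MFC there is no search to run; the guard is what is exercised
#endif
}
```

In a real application the rejection branch should be logged, since an input that trips the length guard on a function known to overflow is worth noticing, and the limit should be tightened to whatever the application's own directory layout legitimately needs rather than left at the generic MAX_PATH.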