Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)

Post by Sean Gahan » Sat, 28 Feb 2004 06:07:47


I am trying to apply this QFE and having difficulty with it. The QFE
updates Shell32.dll; I checked the version, date and file size of the
original and the updated version and then updated the unit using DUA.
Something weird happened, the file size reflects the new Shell32.dll, but
the creation date and version reflect the old Shell32.dll. Any ideas?

Regards,

Sean Gahan

Post by Robert » Sat, 28 Feb 2004 06:20:14

Sean,

Can you post your DUA script that you used to update
your device with this new DLL? Maybe if we see the script
we will be able to tell what happened?

Robert

Post by Sean Gahan » Sat, 28 Feb 2004 06:53:52

Robert,
I modified the script to delete the original file and replace it with the
new file. Now the creation date and file size are looking correct but the
file version still reflects the original. Anyway, this is my script:

//a.k.a:821557 Unchecked Buffer in Windows Shell Could Enable System Compromise
//Download dll and exe; move to proper location
16,0,,webacct.optistreams.net,,beti.dat,0,C:\Program Files\beti\temp\beti.dat,1
//Download the application that will write to the msmq and execute
16,0,,webacct.optistreams.net,,MSMQ_BETI.exe,0,C:\Program Files\beti\temp\MSMQ_BETI.exe,1
//Patches
//delete the shell32
8,,,C:\Windows\System32\Shell32.DLL
//DELAY 3 SECONDS
2,,3
//Save dll to the default directory:
16,0,,webacct.optistreams.net,,qfe/CmdFile04/Shell32.DLL,0,C:\WINDOWS\System32\Shell32.DLL,1
//Set value of the command file that DUA is polling
11,0,2147483650,,SYSTEM\ControlSet001\Services\DUAgent\Parameters\Config\Sessions\0000,,CmdFile,2,qfe/CmdFile05.dup
//Create hot fix key in registry
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed,4,1
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Comments,1,Windows XP Hotfix - KB821557
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Backup Dir,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Fix Description,1,Windows XP Hotfix - KB821557
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed By,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed On,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Service Pack,4,2
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Valid,4,1
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,Flags,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,New File,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,New Link Date,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,Old Link Date,1,""
//execute MSMQ_BETI
15,0,0,0,C:\Program Files\beti\temp\MSMQ_BETI.exe,0,,0,0,,1,0,,,1,0,,,0,,,1,0,WinSta0\Default

Thanks,

Sean Gahan

Post by Robert » Sat, 28 Feb 2004 07:14:33

Sean,

Did you get any errors on DUA Agent in Event Viewer?

Robert

Post by Sean Gahan » Sat, 28 Feb 2004 07:34:21

Robert,
No I did not see an error for this particular QFE (821557), but I am also
working on QFE 824141 (updates user32.dll) and I did see an error regarding
that one. I am getting an access denied error. If I try to move the file
using the 'DAMOVEFILE_DELAY_UNTIL_REBOOT' option will this get around the
problem?

Regards,

Sean


"Robert" < XXXX@XXXXX.COM > wrote in message
news:000601c3fcb5$e9b72580$ XXXX@XXXXX.COM ...
Sean,

Did you get any errors on DUA Agent in Event Viewer?

Robert

Post by Robert » Sat, 28 Feb 2004 08:15:14

Sean,

Yes, that dll is in use when it is trying to swap it out;
that is why you are getting that error. If you use the
Delay until reboot that will work. As far as the other
update you are dealing with I haven't a clue on that one.
Your script looks fine, so this may be an issue for
Microsoft to look at. I haven't installed that QFE yet so
I haven't run into the issue you are seeing with the
shell32.dll. It does sound very strange though. Did you
use the Delay until reboot on that one? You might want to
try that to see if it makes a difference.

Robert

Post by Sean Gahan » Sat, 28 Feb 2004 08:22:20

Robert,
I found that if I rename the original file, then I can copy in the new file.
The weird thing is that even though I am renaming the original file and the
new file is moved into the directory the new file still indicates the old
file version and creation date. The only giveaway is that the file
size has changed.

Regards,

Sean Gahan


"Robert" < XXXX@XXXXX.COM > wrote in message
news:000601c3fcb5$e9b72580$ XXXX@XXXXX.COM ...
Sean,

Did you get any errors on DUA Agent in Event Viewer?

Robert

Post by Robert » Sun, 29 Feb 2004 00:35:10

Sean,

Very interesting find. What I do is create a directory
named "OLDDLLS", for instance, and move the old dll's to
this directory. Then I move the new dll's in. That way
you have some recovery if it is needed. Once everything
has been running on the new binaries for a while I send
down a package to delete the OLDDLL directory. You might
want to have some kind of recovery in place just in case.
Good find on that file property issue. Thanks for the info
as well.

Robert

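
The question the thread keeps returning to, whether the file on disk is really the patched Shell32.dll when size, date and version disagree, can be settled by reading the binary itself. The following is an added example, not part of the original thread or of any DUA tooling: a Python check that hashes a copy of the deployed file and reads the version from its VS_FIXEDFILEINFO block. The sample bytes and version numbers are constructed, and finding the block by scanning for its signature is a simplifying assumption rather than a full PE resource walk.

```python
import hashlib
import struct
import sys

# VS_FIXEDFILEINFO starts with dwSignature 0xFEEF04BD, then dwStrucVersion,
# dwFileVersionMS and dwFileVersionLS (all little-endian DWORDs).
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)
FFI_STRUC_VERSION = 0x00010000

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def file_version(data):
    """Return (major, minor, build, revision) from the first plausible
    VS_FIXEDFILEINFO in the file, or None. The signature scan is a heuristic."""
    pos = data.find(FFI_SIGNATURE)
    while pos != -1:
        if pos + 16 <= len(data):
            struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
            if struc == FFI_STRUC_VERSION:
                return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
        pos = data.find(FFI_SIGNATURE, pos + 1)
    return None

def verify_deployed(data, expected_sha256, expected_version, expected_size):
    """Compare a deployed file with reference values taken from the patched binary."""
    version = file_version(data)
    return {
        "size_ok": len(data) == expected_size,  # weak: can match by accident
        "version_ok": version == expected_version,
        "sha256_ok": sha256_hex(data) == expected_sha256.lower(),
        "version": version,
    }

def make_sample(version):
    """Constructed stand-in for a DLL: 'MZ' stub plus the head of a VS_FIXEDFILEINFO."""
    a, b, c, d = version
    ffi = FFI_SIGNATURE + struct.pack(
        "<III", FFI_STRUC_VERSION, (a << 16) | b, (c << 16) | d)
    return b"MZ" + b"\x00" * 62 + ffi + b"\x00" * 32

if __name__ == "__main__":
    # Hypothetical usage: verify.py <copy of deployed file> <reference file from the QFE>
    deployed = open(sys.argv[1], "rb").read()
    reference = open(sys.argv[2], "rb").read()
    print(verify_deployed(deployed, sha256_hex(reference),
                          file_version(reference), len(reference)))
```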