ID

VAR-200709-0151


CVE

CVE-2007-4916


TITLE

Microsoft MFC FindFile function heap buffer overflow

Trust: 0.8

sources: CERT/CC: VU#611008

DESCRIPTION

Heap-based buffer overflow in the FileFind::FindFile method in (1) MFC42.dll, (2) MFC42u.dll, (3) MFC71.dll, and (4) MFC71u.dll in Microsoft Foundation Class (MFC) Library 8.0, as used by the ListFiles method in hpqutil.dll 2.0.0.138 in Hewlett-Packard (HP) All-in-One and Photo & Imaging Gallery 1.1 and probably other products, allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long first argument. The FindFile() function of the Microsoft Foundation Class (MFC) library contains a heap buffer overflow vulnerability that may allow arbitrary code execution or a denial of service (DoS). The MFC library is the Visual C++ class library that ships with Microsoft Visual Studio and Microsoft Windows and may be used by many other applications. Its FindFile() function provides the ability to search for files across the entire file system. In the MFC42 and MFC70 libraries, FindFile() does not handle its arguments properly, leaving a heap buffer overflow that may result in arbitrary code execution or service disruption (DoS). <Supplemental information from JPCERT/CC> Microsoft confirmed that the MFC 71 library is not affected and that the MFC 70 library is affected. JVN had listed the MFC 71 library among the affected systems and corrected it to the MFC 70 library. The expected impact depends on how the application using the affected MFC library operates: arbitrary code may be executed or service interrupted (DoS), either over the network or locally. This issue also occurs in the 'hpqutil.dll' ActiveX control identified by CLSID F3F381A3-4795-41FF-8190-7AA2A8102F85.
HP All-in-One Series Web Release and HP Photo and Imaging Gallery are prone to a heap-based buffer-overflow vulnerability because the applications fail to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. Microsoft Windows is a series of operating systems released by Microsoft Corporation. Local attackers may use this vulnerability to elevate their own privileges.

MFC[42|71].dll@CFileFind::FindFile(char const *,unsigned long)

    .text:73D6CD3F mov     edi, edi
    .text:73D6CD41 push    ebp
    .text:73D6CD42 push    esi              ; unsigned int
    .text:73D6CD43 push    edi              ; unsigned __int8 *
    .text:73D6CD44 mov     esi, ecx
    .text:73D6CD46 call    CFileFind::Close(void)
    .text:73D6CD4B push    140h             ; int            << 320 bytes
    .text:73D6CD50 call    @operator new(uint)               << buffer Allocate [1]
    .text:73D6CD55 mov     ebp, [esp+14h]
    .text:73D6CD59 and     dword ptr [esi+10h], 0
    .text:73D6CD5D test    ebp, ebp
    .text:73D6CD5F pop     ecx
    .text:73D6CD60 mov     [esi+8], eax
    .text:73D6CD63 jnz     short loc_73D6CD6A
    .text:73D6CD65 mov     ebp, offset a__1 ; "*.*"          << if arg_0 == NULL
    .text:73D6CD6A loc_73D6CD6A:            ; CODE XREF: CFileFind::.

----------------------------------------------------------------------

TITLE:
Microsoft Windows CFileFind Class "FindFile()" Buffer Overflow

SECUNIA ADVISORY ID:
SA26800

VERIFY ADVISORY:
http://secunia.com/advisories/26800/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/

DESCRIPTION:
Jonathan Sarba has discovered a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in the "FindFile()" function of the CFileFind class in mfc42.dll and mfc42u.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long argument to the affected function.

SOLUTION:
Restrict access to applications allowing user-controlled input to be passed to the vulnerable function.

Applications using the vulnerable library should check the length of the user input before passing it to the affected function.

PROVIDED AND/OR DISCOVERED BY:
Jonathan Sarba, GoodFellas Security Research Team.

ORIGINAL ADVISORY:
http://goodfellas.shellcode.com.ar/own/VULWKU200706142

----------------------------------------------------------------------
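The listing above shows FindFile() allocating a fixed 0x140-byte heap record and defaulting a NULL argument to "*.*", and the Secunia SOLUTION is for callers to bound the argument length before the call. The C++ below is an added illustration, not MFC source or code from the advisory: it models that record and places the unchecked copy beside the caller-side length guard. Assumption: the 320-byte record is a WIN32_FIND_DATAA whose cFileName field holds MAX_PATH (260) bytes, so the guard rejects any argument of 260 bytes or longer.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Sizes: 0x140 comes from the disassembly; 260 (MAX_PATH) is the assumed
// capacity of the cFileName field inside that record.
constexpr std::size_t kRecordSize = 0x140;
constexpr std::size_t kMaxPath = 260;

struct FindRecord {                        // model of the 320-byte heap allocation
    unsigned char header[kRecordSize - kMaxPath];  // attributes, times, sizes
    char cFileName[kMaxPath];                      // fixed-size name field
};
static_assert(sizeof(FindRecord) == kRecordSize, "record model must be 320 bytes");

// Model of the library's own behaviour: the caller's string lands in the
// fixed-size name field with no length check. Never feed untrusted input here.
void fill_record_unchecked(FindRecord &rec, const char *arg) {
    if (arg == nullptr) arg = "*.*";       // the NULL -> "*.*" default in the listing
    std::strcpy(rec.cFileName, arg);       // overruns the heap block for >= 260 bytes
}

// The caller-side guard the advisory recommends: bound the argument before it
// reaches FindFile(). Returns false when the call must not be made.
bool fill_record_checked(FindRecord &rec, const char *arg) {
    if (arg == nullptr) arg = "*.*";       // same default as the library
    std::size_t len = 0;
    while (len < kMaxPath && arg[len] != '\0') ++len;   // bounded scan, no strlen()
    if (len >= kMaxPath) return false;     // no room for the terminator: reject
    std::memcpy(rec.cFileName, arg, len + 1);
    return true;
}

// Convenience predicate for validating a user-supplied search pattern.
bool is_safe_findfile_arg(const char *arg) {
    FindRecord scratch{};
    return fill_record_checked(scratch, arg);
}
```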

Trust: 3.15

sources: NVD: CVE-2007-4916 // CERT/CC: VU#611008 // JVNDB: JVNDB-2007-000698 // BID: 25697 // BID: 25673 // VULHUB: VHN-28278 // VULMON: CVE-2007-4916 // PACKETSTORM: 59323

AFFECTED PRODUCTS

vendor: hp, model: photo and imaging gallery, scope: eq, version: 1.1

Trust: 1.6

vendor: hp, model: all-in-one printer, scope: eq, version: *

Trust: 1.0

vendor: hewlett packard, model: -, scope: -, version: -

Trust: 0.8

vendor: microsoft, model: -, scope: -, version: -

Trust: 0.8

vendor: microsoft, model: mfc42.dll, scope: -, version: -

Trust: 0.8

vendor: microsoft, model: mfc70.dll, scope: -, version: -

Trust: 0.8

vendor: hp, model: photo and image gallery, scope: eq, version: 1.1

Trust: 0.6

vendor: hp, model: all-in-one printer, scope: -, version: -

Trust: 0.6

vendor: microsoft, model: windows xp tablet pc edition sp2, scope: -, version: -

Trust: 0.3

vendor: microsoft, model: windows xp professional sp2, scope: -, version: -

Trust: 0.3

vendor: microsoft, model: windows xp media center edition sp2, scope: -, version: -

Trust: 0.3

vendor: microsoft, model: windows xp home sp2, scope: -, version: -

Trust: 0.3

vendor: hp, model: all-in-one series web release, scope: eq, version: 2.1

Trust: 0.3

vendor: hp, model: all-in-one series web release, scope: eq, version: 0

Trust: 0.3

sources: CERT/CC: VU#611008 // BID: 25697 // BID: 25673 // JVNDB: JVNDB-2007-000698 // CNNVD: CNNVD-200709-214 // NVD: CVE-2007-4916

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-4916
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#611008
value: 12.93

Trust: 0.8

NVD: CVE-2007-4916
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200709-214
value: CRITICAL

Trust: 0.6

VULHUB: VHN-28278
value: HIGH

Trust: 0.1

VULMON: CVE-2007-4916
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-4916
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-28278
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#611008 // VULHUB: VHN-28278 // VULMON: CVE-2007-4916 // JVNDB: JVNDB-2007-000698 // CNNVD: CNNVD-200709-214 // NVD: CVE-2007-4916

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-28278 // JVNDB: JVNDB-2007-000698 // NVD: CVE-2007-4916

THREAT TYPE

network

Trust: 0.6

sources: BID: 25697 // BID: 25673

TYPE

Boundary Condition Error

Trust: 0.6

sources: BID: 25697 // BID: 25673

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-000698

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-28278 // VULMON: CVE-2007-4916

PATCH

title: CFileFind::FindFile (MFC), url: http://msdn2.microsoft.com/ja-jp/library/x4dz98yx(VS.80).aspx

Trust: 0.8

sources: JVNDB: JVNDB-2007-000698

EXTERNAL IDS

db: CERT/CC, id: VU#611008

Trust: 3.7

db: SECUNIA, id: 26800

Trust: 3.5

db: NVD, id: CVE-2007-4916

Trust: 2.9

db: BID, id: 25697

Trust: 2.9

db: SECTRACK, id: 1018698

Trust: 2.6

db: BID, id: 25673

Trust: 2.1

db: VUPEN, id: ADV-2007-3182

Trust: 1.8

db: SREASON, id: 3143

Trust: 1.8

db: XF, id: 36608

Trust: 1.4

db: JVNDB, id: JVNDB-2007-000698

Trust: 0.8

db: XF, id: 36609

Trust: 0.6

db: BUGTRAQ, id: 20070914 [GOODFELLAS-VULN] FILEFIND CLASS FROM MFC LIBRARY CAUSE HEAPOVERFLOW

Trust: 0.6

db: BUGTRAQ, id: 20070914 [GOODFELLAS-VULN] ACTIVEX HPQUTIL!LISTFILES HPQUTIL.DLL - REMOTEHEAP OVERFLOW

Trust: 0.6

db: CNNVD, id: CNNVD-200709-214

Trust: 0.6

db: EXPLOIT-DB, id: 4409

Trust: 0.2

db: EXPLOIT-DB, id: 30593

Trust: 0.1

db: SEEBUG, id: SSVID-83968

Trust: 0.1

db: VULHUB, id: VHN-28278

Trust: 0.1

db: VULMON, id: CVE-2007-4916

Trust: 0.1

db: PACKETSTORM, id: 59323

Trust: 0.1

sources: CERT/CC: VU#611008 // VULHUB: VHN-28278 // VULMON: CVE-2007-4916 // BID: 25697 // BID: 25673 // JVNDB: JVNDB-2007-000698 // PACKETSTORM: 59323 // CNNVD: CNNVD-200709-214 // NVD: CVE-2007-4916

REFERENCES

url:http://goodfellas.shellcode.com.ar/own/vulwku200706142

Trust: 3.0

url:http://www.kb.cert.org/vuls/id/611008

Trust: 3.0

url:http://www.securityfocus.com/bid/25697

Trust: 2.7

url:http://www.securitytracker.com/id?1018698

Trust: 2.6

url:http://secunia.com/advisories/26800

Trust: 2.6

url:http://www.securityfocus.com/bid/25673

Trust: 1.8

url:http://goodfellas.shellcode.com.ar/own/vulwar200706041

Trust: 1.8

url:http://securityreason.com/securityalert/3143

Trust: 1.8

url:http://www.frsirt.com/english/advisories/2007/3182

Trust: 1.4

url:http://xforce.iss.net/xforce/xfdb/36608

Trust: 1.4

url:http://www.securityfocus.com/archive/1/479442/100/0/threaded

Trust: 1.2

url:http://www.securityfocus.com/archive/1/479443/100/0/threaded

Trust: 1.2

url:http://www.vupen.com/english/advisories/2007/3182

Trust: 1.2

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/36609

Trust: 1.2

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/36608

Trust: 1.2

url:http://secunia.com/advisories/26800/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4916

Trust: 0.8

url:http://jvn.jp/cert/jvnvu%23611008/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-4916

Trust: 0.8

url:http://support.microsoft.com/kb/240797

Trust: 0.6

url:/archive/1/479442

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/479443/100/0/threaded

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/479442/100/0/threaded

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/36609

Trust: 0.6

url:http://www.hp.com/

Trust: 0.3

url:http://www.microsoft.com/windows/default.mspx

Trust: 0.3

url:/archive/1/479443

Trust: 0.3

url:http://www.hp.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/4409/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/22/

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#611008 // VULHUB: VHN-28278 // VULMON: CVE-2007-4916 // BID: 25697 // BID: 25673 // JVNDB: JVNDB-2007-000698 // PACKETSTORM: 59323 // CNNVD: CNNVD-200709-214 // NVD: CVE-2007-4916

CREDITS

Jonathan Sarba, sarbaj@shellcode.com.ar

Trust: 0.6

sources: CNNVD: CNNVD-200709-214

SOURCES

db: CERT/CC, id: VU#611008
db: VULHUB, id: VHN-28278
db: VULMON, id: CVE-2007-4916
db: BID, id: 25697
db: BID, id: 25673
db: JVNDB, id: JVNDB-2007-000698
db: PACKETSTORM, id: 59323
db: CNNVD, id: CNNVD-200709-214
db: NVD, id: CVE-2007-4916

LAST UPDATE DATE

2025-04-10T23:01:05.350000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#611008, date: 2007-09-21T00:00:00
db: VULHUB, id: VHN-28278, date: 2018-10-15T00:00:00
db: VULMON, id: CVE-2007-4916, date: 2018-10-15T00:00:00
db: BID, id: 25697, date: 2015-05-12T19:49:00
db: BID, id: 25673, date: 2007-09-20T20:50:00
db: JVNDB, id: JVNDB-2007-000698, date: 2008-01-23T00:00:00
db: CNNVD, id: CNNVD-200709-214, date: 2007-10-08T00:00:00
db: NVD, id: CVE-2007-4916, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: CERT/CC, id: VU#611008, date: 2007-09-20T00:00:00
db: VULHUB, id: VHN-28278, date: 2007-09-17T00:00:00
db: VULMON, id: CVE-2007-4916, date: 2007-09-17T00:00:00
db: BID, id: 25697, date: 2007-09-14T00:00:00
db: BID, id: 25673, date: 2007-09-14T00:00:00
db: JVNDB, id: JVNDB-2007-000698, date: 2007-09-28T00:00:00
db: PACKETSTORM, id: 59323, date: 2007-09-18T14:57:18
db: CNNVD, id: CNNVD-200709-214, date: 2007-09-17T00:00:00
db: NVD, id: CVE-2007-4916, date: 2007-09-17T17:17:00