------------------------------------------------------------
- EXPL-A-2006-002 exploitlabs.com Advisory 048 -
------------------------------------------------------------
- MSVC 6.0 run file bug -

AFFECTED PRODUCTS
=================
Microsoft Visual Studio 6.0
http://microsoft.com

Possibly other products referenced in:
http://support.microsoft.com/kb/841189

OVERVIEW
========
Source code project distributions are very popular these days. For a
fairly big project, authors generally offer the code as a project with
source, headers, and MSVC project files. Most users will simply open
the project.dsw file (especially if a readme.txt or other compiler
instructions say to do so), which in turn loads the project.dsp files,
which provide the compiler directives.

A malicious attacker could embed commands to be executed in the project
files, and so execute any local code of his choosing.

note: this is an implemented feature in MSVC, and should be considered
a bug, not a vulnerability.

IMPACT
======
The impact of this is quite severe: the build directives can script
commands that, for example, launch ftp, retrieve a file from a remote
location, and execute it.

DETAILS
=======
By modifying the .dsp files (Project Settings):

  Custom Build     -> Commands:  command to execute
  Post-build Step  ->            command to execute

1.a
====
InputPath=.\Release\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
	calc

1.b
====
PostBuild_Cmds=notepad.exe

POC
====
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip

Extract, and open hello.dsw.
Click "Batch Build, Build" or "Rebuild All" and the code will execute
(calc.exe and notepad.exe are used as an example):

  calc.exe    = Custom Build
  notepad.exe = Post-build Commands

SOLUTION
========
vendor contact: secure@microsoft.com  Sept 20, 2005
KB updated Jan 6, 2006
http://support.microsoft.com/kb/841189

SUGGESTED PATCH
===============
Include a dialog box that warns the user, before pre- and post-build
directives can be launched, if execute directives are present in the
build project files.

CREDITS
=======
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://exploitlabs.com/files/advisories/EXPL-A-2006-002-msvc-featurebug.txt
http://exploitlabs.com/files/advisories/msvc-featurebug-POC.zip
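The suggested patch above amounts to inspecting a project file for build directives before anything is launched. The following Python script is an added example of that check, written for this editorial note and not part of the advisory or its POC archive: it walks a .dsp file and reports every shell command MSVC 6 would run, both the `PostBuild_Cmds=` key shown in 1.b and the command lines under a `"target" : deps` rule shown in 1.a. The sample .dsp text is constructed here; the `# Begin Custom Build` / `# Begin Special Build Tool` section markers and the treatment of any `*_Cmds=` key (not only `PostBuild_Cmds`) as a command carrier are assumptions about the file format, not something the advisory states.

```python
import re
from typing import List, Tuple

# Constructed sample .dsp fragment (not the advisory's hello.dsp). The
# "# Begin Custom Build" and "# Begin Special Build Tool" markers are the
# layout MSVC 6 writes as far as the author of this example recalls; they
# are an assumption, so the scanner also works without them (see below).
SAMPLE_DSP = """\
# Microsoft Developer Studio Project File - Name="hello" - Package Owner=<4>
# TARGTYPE "Win32 (x86) Console Application" 0x0103
CFG=hello - Win32 Release
# ADD CPP /nologo /W3 /O2 /c
# ADD LINK32 kernel32.lib /nologo /subsystem:console /machine:I386
# Begin Special Build Tool
SOURCE="$(InputPath)"
PostBuild_Cmds=notepad.exe
# End Special Build Tool
# Begin Target
# Begin Source File
SOURCE=.\\hello.cpp
# Begin Custom Build
InputPath=.\\Release\\hello.exe
SOURCE="$(InputPath)"

"hello.exe" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
\tcalc

# End Custom Build
# End Source File
# End Target
"""

# Any key ending in _Cmds= (PostBuild_Cmds is the one the advisory shows;
# matching the other *_Cmds keys as well is an assumption).
CMDS_KEY = re.compile(r"^\s*(\w+_Cmds)\s*=\s*(.*)$")
# A make-style rule line such as  "hello.exe" : $(SOURCE) "$(INTDIR)"
RULE_LINE = re.compile(r'^"[^"]+"\s*:')


def find_build_commands(dsp_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, command) for each shell command the .dsp would run.

    kind is the *_Cmds key name (e.g. 'PostBuild_Cmds') or 'custom-build' for
    the indented command lines that follow a "target" : deps rule.
    """
    findings: List[Tuple[int, str, str]] = []
    after_rule = False
    for no, raw in enumerate(dsp_text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        stripped = line.strip()
        # Section markers only reset state; rule detection does not depend on them.
        if stripped.startswith("# Begin Custom Build") or stripped.startswith("# End Custom Build"):
            after_rule = False
            continue
        m = CMDS_KEY.match(line)
        if m and m.group(2).strip():
            findings.append((no, m.group(1), m.group(2).strip()))
            continue
        if RULE_LINE.match(stripped):
            after_rule = True
            continue
        if after_rule:
            if not stripped:
                after_rule = False          # blank line ends the recipe
            elif not stripped.startswith("#"):
                findings.append((no, "custom-build", stripped))
    return findings


def is_clean(dsp_text: str) -> bool:
    """True when the project file carries no build-time commands at all."""
    return not find_build_commands(dsp_text)


def report(dsp_text: str, name: str = "project.dsp") -> str:
    """Human-readable warning text, the kind a pre-open dialog could show."""
    hits = find_build_commands(dsp_text)
    if not hits:
        return f"{name}: no build commands found"
    lines = [f"{name}: {len(hits)} build command(s) will run during build:"]
    for no, kind, cmd in hits:
        lines.append(f"  line {no:4d}  [{kind}]  {cmd}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DSP, "hello.dsp"))
```

Run it against the constructed sample and it lists `notepad.exe` from the `PostBuild_Cmds=` key and `calc` from the custom build rule, which is exactly the pair the POC section describes; a project with only compiler and linker options reports clean. Pointing the script at every .dsp in an unpacked archive before opening the .dsw gives the warning the vendor-side fix was asked to provide.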