CERT-In Vulnerability Note CIVN-2008-129
Microsoft Windows Event System Array Index Verification & ‘User Subscription Request’ Vulnerabilities

Original Issue Date: August 14, 2008

Severity Rating: Medium

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems installed using the Server Core installation option
  • Windows Server 2008 for x64-based Systems installed using the Server Core installation option
  • Windows Server 2008 for Itanium-based Systems

Overview

Multiple remote code execution vulnerabilities have been reported in Microsoft Windows Event System, which could allow remote attackers to take complete control of an affected system with full administrative rights.

Description

Microsoft Windows Event System is a service that manages method calls and event subscriptions between Windows and applications on the system.

1. Array Index Verification remote code execution vulnerability (CVE-2008-1456)

A remote code execution vulnerability exists in the Microsoft Windows Event System because it does not correctly validate the range of indexes used to call into an array of function pointers. A remote attacker authenticated in the domain can exploit this vulnerability by sending a crafted event subscription request that is used to index the array of function pointers. Successful exploitation could allow the attacker to take complete control of the affected system with SYSTEM privileges.

2. ‘User Subscription Request’ validation remote code execution vulnerability (CVE-2008-1457)

A second remote code execution vulnerability exists in the Microsoft Windows Event System because it does not properly validate user subscription requests when they are created. A remote attacker authenticated in the domain can exploit this vulnerability by sending a crafted event subscription request, which could allow the attacker to take complete control of the affected system with SYSTEM privileges.

Workarounds

  • Unregister %WINDIR%\SYSTEM32\es.dll to stop the Event System
  • Stop and disable the System Event Notification and COM+ Event System services
  • Modify the Access Control List on %WINDIR%\SYSTEM32\es.dll to deny the "everyone" group access to the file

For detailed steps and the impact of these workarounds, please refer to Microsoft Security Bulletin MS08-049.
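The three workarounds above as an elevated PowerShell script that either applies them or audits whether they are in place. This is an added example, not part of the CERT-In note or the Microsoft bulletin; it assumes the Windows service short names SENS (System Event Notification) and EventSystem (COM+ Event System) and that the session runs with administrative rights.

```powershell
# Added example (not from the CERT-In note or MS08-049):
# apply or audit the MS08-049 Event System workarounds.
# Assumed service short names: SENS = System Event Notification,
# EventSystem = COM+ Event System. Run from an elevated session.
param([switch]$Apply)

$esDll    = Join-Path $env:WINDIR 'System32\es.dll'
$services = 'SENS', 'EventSystem'   # SENS depends on EventSystem, so stop it first

function Test-Workaround {
    # Returns a table of workaround name -> $true when it is in effect
    $result = @{}
    foreach ($name in $services) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        $result["$name disabled+stopped"] =
            ($svc -ne $null -and $svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
    }
    # Look for an explicit Deny ACE for Everyone (well-known SID S-1-1-0) on es.dll
    $acl      = Get-Acl $esDll
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $result['es.dll Everyone:Deny'] = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone
    })
    return $result
}

if ($Apply) {
    # 1. Unregister es.dll so the Event System COM server is no longer loaded
    & regsvr32.exe /u /s $esDll
    # 2. Stop and disable the System Event Notification and COM+ Event System services
    foreach ($name in $services) {
        Stop-Service $name -Force -ErrorAction SilentlyContinue
        Set-Service  $name -StartupType Disabled
    }
    # 3. Deny the Everyone group access to the file
    $acl  = Get-Acl $esDll
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'FullControl', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl $esDll $acl
}

Test-Workaround | Format-Table -AutoSize
```

Run without `-Apply` to audit a host; the workaround breaks any application that relies on COM+ event subscriptions, so the audit output is also the checklist to reverse once the MS08-049 update is installed.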

Solution

Apply the appropriate updates as described in Microsoft Security Bulletin MS08-049.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-049.mspx

References

Secunia
http://secunia.com/advisories/31417/

SecurityTracker
http://securitytracker.com/alerts/2008/Aug/1020677.html

FrSIRT
http://www.frsirt.com/english/advisories/2008/2353

SecurityFocus
http://www.securityfocus.com/bid/30584
http://www.securityfocus.com/bid/30586

CVE Name
CVE-2008-1456
CVE-2008-1457

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003