Microsoft Windows User32.dll ListBox and ComboBox controls buffer overflow

win-user32-control-bo (13424)

High Risk

Description:

Microsoft Windows is vulnerable to a buffer overflow in a function in the User32.dll file, caused by improper validation of Windows messages. This vulnerable function is called by both the ListBox and ComboBox controls. By running a program that sends a specially-crafted Windows message to an application that uses the ListBox or ComboBox control, a local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.

Platforms Affected:

• Microsoft, Windows 2000 SP4
• Microsoft, Windows 2003 Server
• Microsoft, Windows NT 4.0 Workstation
• Microsoft, Windows NT 4.0 Terminal Server
• Microsoft, Windows NT 4.0
• Microsoft, Windows NT 4.0 Server
• Microsoft, Windows XP

Remedy:

For Windows XP:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002, which was then superseded by the patch released with MS05-18.

For Windows XP SP1:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-053. See References.

Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002, which was then superseded by the patch released with MS05-053.

For Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it has been superseded by the patch released with MS04-031. Microsoft is reporting that the patch released with MS03-045 has also been superseded by the patch released with MS04-032. The patches released with MS03-045 and MS05-002 have been superseded by the patch released with MS05-018. See References.

For Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-002. See References.

Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002.

For Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-018. See References.

Note: Microsoft originally provided a patch for this vulnerability in MS03-045, but it was superseded by the patch released with MS05-002, and then superseded by the patch released with MS05-018. Microsoft is also reporting that MS05-002 has been superseded by the patch released with MS07-017. See References.

Consequences:

Gain Privileges

References:

• BugTraq Mailing List, Wed Oct 15 2003 - 19:47:06 CDT, Listbox And Combobox Control Buffer Overflow at http://archives.neohapsis.com/archives/bugtraq/2003-10/0175.html.
• CERT Advisory CA-2003-27, Multiple Vulnerabilities in Microsoft Windows and Exchange at http://www.cert.org/advisories/CA-2003-27.html.
• CIAC Information Bulletin O-009, Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities at http://www.ciac.org/ciac/bulletins/o-009.shtml.
• Microsoft Security Bulletin MS03-045, Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141) at http://www.microsoft.com/technet/security/bulletin/ms03-045.mspx.
• Microsoft Security Bulletin MS04-031, Vulnerability in NetDDE Could Allow Remote Code Execution (841533) at http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx.
• Microsoft Security Bulletin MS04-032, Security Update for Microsoft Windows (840987) at http://www.microsoft.com/technet/security/bulletin/ms04-032.mspx.
• Microsoft Security Bulletin MS05-002, Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711) at http://www.microsoft.com/technet/Security/bulletin/ms05-002.mspx.
• Microsoft Security Bulletin MS05-018, Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service (890859) at http://www.microsoft.com/technet/security/bulletin/MS05-018.mspx.
• Microsoft Security Bulletin MS05-053, Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) at http://www.microsoft.com/technet/Security/bulletin/ms05-053.mspx.
• Microsoft Security Bulletin MS07-017, Vulnerabilities in GDI Could Allow Remote Code Execution (925902) at http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx.
• SecuriTeam Mailing List, Security Holes & Exploits 16 Nov 2003, ListBox and ComboBox Control Buffer Overflow (Exploit) at http://www.securiteam.com/exploits/6W00E1P8VA.html.
• SecuriTeam Mailing List, Windows NT focus 19 Oct 2003, ListBox and ComboBox Control Buffer Overflow (Technical Details) at http://www.securiteam.com/windowsntfocus/6L00I2K8KY.html.
• BID-8827: Microsoft ListBox/ComboBox Control User32.dll Function Buffer Overrun Vulnerability
• CVE-2003-0659: Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application.
• US-CERT VU#967668: Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message

Reported:

Oct 15, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page