Microsoft System Information (Msinfo32.exe) msinfo_file buffer overflow
| msinfo-msinfofile-bo (17153) |  High Risk |
Description:
Microsoft System Information (Msinfo32.exe) is vulnerable to a buffer overflow, caused by improper bounds checking of user-supplied input. A local attacker could supply more than 258 characters to the msinfo_file command line option to overflow a buffer and cause the process to crash or possibly execute arbitrary code on the system.
Platforms Affected:
- Microsoft, Windows 2000
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Gain Access
References:
- Full-Disclosure Mailing List, Mon Aug 30 2004 - 18:45:15 CDT, RE: [Full-Disclosure] MSInfo Buffer Overflow at http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1261.html.
- Full-Disclosure Mailing List, Mon Aug 30 2004 - 22:16:33 CDT , MSInfo Buffer Overflow at http://archives.neohapsis.com/archives/fulldisclosure/2004-08/1252.html.
- CVE-2004-1649: Buffer overflow in Microsoft Msinfo32.exe might allow local users to execute arbitrary code via a long filename in the msinfo_file command line parameter. NOTE: this issue might not cross security boundaries, so it may be REJECTED in the future.
Reported:
Aug 30, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net