Unchecked Buffer in Windows Shell Could Enable System Compromise (821557)

Sean Gahan

I am trying to apply this QFE and having difficulty with it. The QFE
updates Shell32.dll; I checked the version, date and file size of the
original and the updated version and then updated the unit using DUA.
Something weird happened, the file size reflects the new Shell32.dll, but
the creation date and version reflect the old Shell32.dll. Any ideas?

Regards,

Sean Gahan
 
Robert

Sean,

Can you post your DUA script that you used to update
your device with this new DLL? Maybe if we see the script
we will be able to tell what happened?

Robert
 
Sean Gahan

Robert,
I modified the script to delete the original file and replace it with the
new file. Now the creation date and file size are looking correct but the
file version still reflects the original. Anyway, this is my script:

//a.k.a:821557 Unchecked Buffer in Windows Shell Could Enable System Compromise
//Download dll and exe; move to proper location
16,0,,webacct.optistreams.net,,beti.dat,0,C:\Program Files\beti\temp\beti.dat,1
//Download the application that will write to the msmq and execute
16,0,,webacct.optistreams.net,,MSMQ_BETI.exe,0,C:\Program Files\beti\temp\MSMQ_BETI.exe,1
//Patches
//delete the shell32
8,,,C:\Windows\System32\Shell32.DLL
//DELAY 3 SECONDS
2,,3
//Save dll to the default directory:
16,0,,webacct.optistreams.net,,qfe/CmdFile04/Shell32.DLL,0,C:\WINDOWS\System32\Shell32.DLL,1
//Set value of the command file that DUA is polling
11,0,2147483650,,SYSTEM\ControlSet001\Services\DUAgent\Parameters\Config\Sessions\0000,,CmdFile,2,qfe/CmdFile05.dup
//Create hot fix key in registry
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed,4,1
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Comments,1,Windows XP Hotfix - KB821557
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Backup Dir,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Fix Description,1,Windows XP Hotfix - KB821557
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed By,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Installed On,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Service Pack,4,2
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557,,Valid,4,1
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,Flags,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,New File,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,New Link Date,1,""
11,0,2147483650,, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557\File 1,,Old Link Date,1,""
//execute MSMQ_BETI
15,0,0,0,C:\Program Files\beti\temp\MSMQ_BETI.exe,0,,0,0,,1,0,,,1,0,,,0,,,1,0,WinSta0\Default

Thanks,

Sean Gahan
 
Robert

Sean,

Did you get any errors on DUA Agent in Event Viewer?

Robert
 
Sean Gahan

Robert,
No I did not see an error for this particular QFE (821557), but I am also
working on QFE 824141 (updates user32.dll) and I did see an error regarding
that one. I am getting an access denied error. If I try to move the file
using the 'DAMOVEFILE_DELAY_UNTIL_REBOOT' option will this get around the
problem?

Regards,

Sean


 
Robert

Sean,

Yes, that dll is in use when it is trying to swap it out;
that is why you are getting that error. If you use the
Delay until reboot that will work. As far as the other
update you are dealing with I haven't a clue on that one.
Your script looks fine, so this may be an issue for
Microsoft to look at. I haven't installed that QFE yet so
I haven't run into the issue you are seeing with the
shell32.dll. It does sound very strange though. Did you
use the Delay until reboot on that one? You might want to
try that to see if it makes a difference.

Robert
 
Sean Gahan

Robert,
I found that if I rename the original file, then I can copy in the new file.
The weird thing is that even though I am renaming the original file and the
new file is moved into the directory the new file still indicates the old
file version and creation date. The only giveaway is that the file
size has changed.

Regards,

Sean Gahan


 
Robert

Sean,

Very interesting find. What I do is create a directory
named "OLDDLLS", for instance, and move the old dll's to
this directory. Then I move the new dll's in. That way
you have some recovery if it is needed. Once everything
has been running on the new binaries for a while I send
down a package to delete the OLDDLL directory. You might
want to have some kind of recovery in place just in case.
Good find on that file property issue. Thanks for the info
as well.

Robert
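
Added example, not part of the original thread and not DUA code: one way to confirm that a pushed DLL really is the QFE binary instead of relying on the size, date, or version shown in file properties, or on the Hotfix registry values that the script above writes unconditionally. It assumes it runs on the patched system with PowerShell 4 or later and a reference copy of the file from the QFE package; the function name and parameters are hypothetical.

```powershell
# Added example. Function and parameter names are hypothetical.
function Test-HotfixFile {
    param(
        [Parameter(Mandatory = $true)][string]$DeployedPath,   # e.g. the Shell32.DLL in System32
        [Parameter(Mandatory = $true)][string]$ReferencePath,  # same file taken from the QFE package
        # Key the script in this thread writes; root 2147483650 is 0x80000002 = HKEY_LOCAL_MACHINE
        [string]$HotfixKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB821557'
    )

    # FileVersionInfo needs absolute paths; it does not follow the PowerShell location.
    $dep = (Get-Item -LiteralPath $DeployedPath).FullName
    $ref = (Get-Item -LiteralPath $ReferencePath).FullName

    # Read the numeric version fields from each file's own version resource.
    $versions = foreach ($p in $dep, $ref) {
        $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($p)
        New-Object System.Version -ArgumentList $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    }

    # The content hash is the authoritative check: it ignores timestamps and metadata.
    $hashMatch = (Get-FileHash -LiteralPath $dep -Algorithm SHA256).Hash -eq
                 (Get-FileHash -LiteralPath $ref -Algorithm SHA256).Hash

    # The registry marker only records what the update script claimed.
    $installed = $null
    if (Test-Path -LiteralPath $HotfixKey) {
        $installed = (Get-ItemProperty -LiteralPath $HotfixKey).Installed
    }

    [pscustomobject]@{
        DeployedVersion   = $versions[0]
        ReferenceVersion  = $versions[1]
        VersionMatch      = ($versions[0] -eq $versions[1])
        HashMatch         = $hashMatch
        CreationTimeUtc   = (Get-Item -LiteralPath $dep).CreationTimeUtc
        RegistryInstalled = ($installed -eq 1)
        # True when the registry says "patched" but the bytes on disk are not the QFE file.
        MarkerWithoutFile = ($installed -eq 1) -and -not $hashMatch
    }
}
```

A result with `HashMatch` true and `VersionMatch` true means the new binary is on disk regardless of what the creation date shows; `MarkerWithoutFile` true means the hotfix inventory is reporting a patch that was not applied.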
 
