Re: Amaya Security Issue/Windows Interoperability Issues from Irene Vatton on 2004-06-03 (www-amaya@w3.org from April to June 2004)

From: Irene Vatton <irene.vatton@inrialpes.fr>
Date: Thu, 3 Jun 2004 17:40:11 +0200
To: Brant Gurganus <brantgurganus2001@cherokeescouting.org>
Cc: www-amaya@w3.org
Message-Id: <20040603174011.1c06bdf1.irene.vatton@inrialpes.fr>

> Potential security issue is at end.
> 
> I ran the latest Windows binary distribution of Amaya while it was 
> monitored by Microsoft's Application Verifier.  I did not actually do 
> anything; I just started it and exited.  It was also still clean; that 
> is, it had not been run before.  Here are issues that Microsoft's 
> Application Verifier (free) pointed out:
> 
> Amaya gets the user's profile folder without using the correct API which 
> could lead to future compatibility issues:
> Designed for Windows Logo Requirement 3.2. The application wrote 
> application or user information to an unapproved file location. Use the 
> SHGetFolderPath API to obtain the My Documents, Application Data, Local 
> Application Data, or Common Application Data directories. These 
> directories are appropriate locations for files created by an application.

This SHGetFolderPath API is not easy to use for a developper (.h file not available).
But after a lot of work and experimentation, I finally found how to get the profiles directory.

> Amaya access the Temp folder without the appropriate API:
> The application used a Windows Temp path that was not obtained using a 
> method approved by the Designed for Windows Logo Program. Use the 
> GetTempPath API to locate appropriate storage for temporary files.

I didn't work on this API yet.
It could help if you give me the name of the dll we have to load and how to find
or generate the .h file.

> The following parameters from the following function calls suffered from 
> this:
> lpFileName of GetFileAttributesA
> lpPathName of CreateDirectoryA
> lpFileName of FindFirstFileA
> lpFileName of CreateFileA
> 
> I then later ran Amaya and did more stuff and found the following 
> additional issues:
> ****************************************************************
> Security Issue:
> CreateProcess is called in printing with the following issue:
> The lpApplicationName argument is NULL, lpCommandLine has spaces, and 
> the exe name is not in quotes.

The print process is done by a dll. Does the issue concern the loading of
the print dll itself or how print accedes the printer?

> Because of a flaw in the CreateProcess API, this can cause issues with 
> filenames that have spaces and are not quoted.  Arbitrary executables 
> can be executed.  This is especially severe for Amaya since its code is 
> open source so you would know what to name the malicious executable.
> ****************************************************************

     Irene.
-----
Irène Vatton                     INRIA Rhône-Alpes
INRIA                               ZIRST
e-mail: Irene.Vatton@inria.fr       655 avenue de l'Europe
Tel.: +33 4 76 61 53 61             Montbonnot
Fax:  +33 4 76 61 52 07             38334 Saint Ismier Cedex - France

Received on Thursday, 3 June 2004 11:40:38 UTC