- From: Brant Gurganus <brantgurganus2001@cherokeescouting.org>
- Date: Wed, 12 May 2004 23:46:55 -0500
- To: www-amaya@w3.org

Potential security issue is at end.

I ran the latest Windows binary distribution of Amaya while it was monitored by Microsoft's Application Verifier. I did not actually do anything; I just started it and exited. It was also still clean; that is, it had not been run before. Here are issues that Microsoft's Application Verifier (free) pointed out:

Amaya gets the user's profile folder without using the correct API, which could lead to future compatibility issues:

Designed for Windows Logo Requirement 3.2. The application wrote application or user information to an unapproved file location. Use the SHGetFolderPath API to obtain the My Documents, Application Data, Local Application Data, or Common Application Data directories. These directories are appropriate locations for files created by an application.

Amaya accesses the Temp folder without the appropriate API:

The application used a Windows Temp path that was not obtained using a method approved by the Designed for Windows Logo Program. Use the GetTempPath API to locate appropriate storage for temporary files.

The following parameters from the following function calls suffered from this:

- lpFileName of GetFileAttributesA
- lpPathName of CreateDirectoryA
- lpFileName of FindFirstFileA
- lpFileName of CreateFileA

I then later ran Amaya and did more stuff and found the following additional issues:

****************************************************************
Security Issue:

CreateProcess is called in printing with the following issue:

The lpApplicationName argument is NULL, lpCommandLine has spaces, and the exe name is not in quotes. Because of a flaw in the CreateProcess API, this can cause issues with filenames that have spaces and are not quoted. Arbitrary executables can be executed. This is especially severe for Amaya since its code is open source so you would know what to name the malicious executable.
****************************************************************

Received on Thursday, 13 May 2004 00:49:35 UTC
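
The CreateProcess finding above, as an added example that is not part of the original message and is not Amaya's code: a portable C sketch of the check and the fix, flagging an executable path that is ambiguous when unquoted and building a command line with the name quoted. The function names `interpretations` and `build_cmdline` and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on how many ways an unquoted executable path can be cut when
 * lpApplicationName is NULL: each space or tab is a point where CreateProcess
 * may end the module name. A result above 1 means the call is ambiguous. */
int interpretations(const char *exe_path)
{
    int n = 1;
    for (const char *p = exe_path; *p != '\0'; p++)
        if (*p == ' ' || *p == '\t')
            n++;
    return n;
}

/* Write `"exe" args` into out so the executable name is always quoted.
 * Returns 0 on success, -1 if exe is empty, contains a quote character,
 * or the result does not fit in outsz bytes. */
int build_cmdline(char *out, size_t outsz, const char *exe, const char *args)
{
    int n;
    if (exe == NULL || *exe == '\0' || strchr(exe, '"') != NULL)
        return -1;
    if (args != NULL && *args != '\0')
        n = snprintf(out, outsz, "\"%s\" %s", exe, args);
    else
        n = snprintf(out, outsz, "\"%s\"", exe);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample path and argument, not taken from Amaya. */
    const char *exe = "C:\\Program Files\\Example App\\print tool.exe";
    char cmd[256];

    printf("unquoted interpretations: %d\n", interpretations(exe));
    if (build_cmdline(cmd, sizeof cmd, exe, "job.ps") == 0)
        printf("lpCommandLine: %s\n", cmd); /* on Windows, also pass exe as lpApplicationName */
    return 0;
}
```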